Chat with us, powered by LiveChat

Business Associate Management Strategies

Post Contributed by Alan Davis, Proteus Consulting

business associate

Business Associate (BA) management is an important facet of a Covered Entity (CE) HIPAA security program.  Yet many BAs are playing “catch up” to comply with the HIPAA Security Rule updates brought about by the HITECH Act.  CEs are now challenging themselves to properly manage their BA relationships as they begin to realize that both parties are directly liable to comply with the HIPAA Security Rule, Breach Notification Rule, and applicable portions of the Privacy Rule.

Accurately identifying BAs is the first step to an effective BA management strategy. CFR 45, §160.103, defines what constitutes a BA relationship and provides examples of when a BA relationship is not necessary. Companies subcontracted by a BA that create, receive, maintain, or transmit protected health information are also BAs, and must comply with the HIPAA Rules. The work being performed, and not the contract or agreement, defines whether a BA relationship exists.

The BA contract, also known as a Business Associate Agreement, is the proper means to articulate the permitted use of protected health information and ensure a BA’s compliance with the HIPAA Rules.  We recommend a “lifecycle” approach to ensure compliance during the contract process.  Pre-contract due diligence should include a security questionnaire to the BA and include proof that the BA has completed a current and proper security risk assessment (a BA requirement as of September 23, 2013 per the HIPAA Omnibus Rule).  Post-contract controls should articulate how contract compliance will be monitored and include event management procedures.  Lastly, the contract should include termination processes and procedures.

Although privacy and security are not a checklist, here are some thoughts to help manage BA relationships:

◦ Evaluate who is and who is not a Business Associate (include BA subcontractors);

◦ Keep track of individual contract dates and formally assign a person to manage the process.  Review each contract at least annually;

◦ Ensure that your contract stipulates in writing that subcontractors will agree to the same data use controls;

◦ All BA contracts need to be updated if not compliant with current HIPAA Rules;

◦ CEs are accountable to report all BA breaches to Health and Human Services (HHS) (including subcontractors to the BA);

◦ Technologies (encryption, firewalls, etc.) do not relieve BAs of compliance with the HIPAA Rules;

◦ BAs may be inspected during a CE Office of Civil Rights (OCR) audit;

◦ 2014 was a record year for HHS collections from non-compliant CEs and BAs.

Breaches are expensive, sometimes even enough to close a practice or supporting company.  BAs are responsible for ~25 percent of all incidents and have affected millions of patients; some CEs are uncomfortable becoming more intrusive and some BAs remain slow to engage the HIPAA Rules.  Both business’ reputations and revenue is based on patient trust, and all should agree that a formal, compliant BA contract is a responsible part of HIPAA compliance and electronic protected health information security.





– Alan is the Principal of Proteus Consulting, LLC, of Hayden, Idaho.  

Think PCI Can Replace HIPAA? 6 Points That Will Change Your Mind


  1. Health records are to be secured, exchanged and portable ,while credit card numbers are to be secured.
  2. Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.
  3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.
  4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.
  5. Meaningful Use helps address the most serious health care threats to electronic personal health information: theft, unauthorized access and loss.
  6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.

Steven Marco ( is the founder & CEO of Modern Compliance Solutions & HIPAA One® in Lindon, UT.

This is one of the questions that comes to mind when reading recent breaches in businesses that are PCI-compliant and HIPAA covered entities. According to a recent Identity Theft Resource Center data breach report for 2013, there were approximately 47,260,237 breaches for the business category and 4,659,965 breaches for the medical/healthcare category. Assuming the business category processes credit cards and the medical/healthcare category maintains protected health information, we have a case of PCI-compliant firms vs. organizations addressing HIPAA security compliance.

data breach chart

1. Health records are to be secured, exchanged and portable while credit card numbers are to be secured.

Health care covered entities (CE) and their business associates (BA) handle personal/protected health information (PHI) as part of an initiative to have a portable, secured and available electronic health record (EHR). PHI must be protected from unauthorized disclosure, yet be available on demand by the individual and shared (in some cases with and without the individual’s authorization such as treatment, payment and healthcare operations) appropriately but also restricted upon the individual’s request.

If hospitals and clinics adopt electronic PHI and shred their paper records, vast amounts of uniquely identifiable health records accumulate. According to the HIPAA One® security risk analysis database, even small clinics can acquire more than 10,000 patient records within 3 years.

The focus of the electronic health record revolution has traditionally been changing healthcare workflows using computers instead of paper charts. Now, information is freely exchanged between clinics, health plans, clearinghouses and health exchanges. Security has not been a focus. The top threat facing healthcare is loss and theft of ePHI, which is the No. 1 cause of breaches over 500 (according to the OCR’s current breach data reports as of July 2014).

Much like the example above referencing the number of patient records, aggregated data stemming from PHI can be used for valuable research improving health and raising ePHI security awareness.

If business and commerce — the exchange of goods and services for monetary enumeration — had adopted technology earlier, it would have more personal identifiable information (PII). The use of credit cards is globally adopted as a quick way to receive money electronically. As more merchants (businesses that accept credit cards) adopt e-commerce websites and connect their payment- processing systems (i.e. processors) to the Internet with growing consumer comfort with online purchasing, fraudsters are capitalizing on poorly protected systems to steal payment data, making payment care fraud more prevalent than ever before.

Unlike aggregated, de-identified PHI data, the approach to secure credit card numbers is to limit storage of credit card elements and make this information unavailable except in the event of a payment transaction.


Source: Payment Card Industry (PCI) Data Security Standard, November 2013

2. Covered entities and their business associates (receiving any government imbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.

Covered entities (i.e. hospitals, clinics, doctors, health plans and healthcare clearinghouses that use ePHI) and business associates (i.e. vendors providing services to covered entities that access [even incidentally]), as of September 13, 2013, store, modify or transmit ePHI under the enforcement jurisdiction of Health and Human Services.

In summary, any organization that receives reimbursements from Centers for Medicaid and Medicare Services is a covered entity. And any vendor that provides services to covered entities are business associates. Accountants, legal counsel and consultants are examples of groups that may encounter PHI while working with covered entities and fall into the business associate category.

To help define who is covered under HIPAA, guidance from CMS provides charts to help define most scenarios and to determine qualification, per the below image:

covered entity charts

Source: CMS Covered Entity Charts

Fines under HIPAA typically come in two forms: the Office of Civil Rights (OCR — the enforcement division of CMS) fines through self-reported breaches or through HIPAA violations found as a result of a patient complaint registered on the HHS website. The OCR, under the HITECH Act, may use proceeds from fines (called Civil Money Penalties – or CMPs) to fund further enforcement. OCR fines and settlements start at $50,000 and can easily exceed $1.5 million per investigation where willful neglect to comply with HIPAA is determined. Some forgiveness in terms of reduced fines is allocated for actions taken during the OCR audit, and all settlements are public domain according to the Freedom of Information Act.

Organizations that process credit cards, even a single transaction per year, must become compliant with the PCI Data Security Standard. Covered entities that process credit cards also become merchants under Payment Card Industry and must comply with the Data Security Standard, or PCI DSS.

Merchants are required to, at a minimum, provide an annual attestation of PCI compliance statement through their processor. Failure to pass all the requirements will result in monthly fines that are proportional to the volume of credit card transactions processed annually. They start at about $50 per month for small companies, and we have seen non-compliance fines in upwards of $3,000 per month for larger covered entities providing healthcare services.

PCI enforcement audits are typically triggered by self-reported breaches. Fines stemming from breach investigations are not typically applied to merchants but are applied for other non-compliance factors. See the PCI Standard website for a more detailed guide.

3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.

The PCI Security Standards Council has released an updated standard, called v. 3.0, to the PCI DSS requirements, which emphasizes the need for in-house vulnerability assessments, adds flexibility to password requirements and highlights the growing importance of provider compliance, as well as many other notable changes.

PCI was pioneered in the late 1990s, as Visa became the first credit card company to develop security standards for merchants conducting online transactions. The need stemmed from vast amounts of credit card fraud, which would need to be paid for by the credit card companies.

According to SearchSecurity, Visa and MasterCard reported credit card fraud losses totaling $750 million between 1988 and 1998.

Per the PCI website, “The major credit card issuers created PCI (Payment Card Industry) compliance standards to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This set of requirements is called the Payment Card Industry Data Security Standard (PCI DSS). All merchants (any entity that accepts payment cards from American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services) must comply with these standards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards. The payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

The Payment Card Industry Security Standards Council (PCI SSC) manages the PCI security standards.”

HIPAA was formed because of the following reasons:

  1. Growing numbers of uninsured
  2. Lack of rights for patients to obtain,review,amend and correct(if needed) their own health information (imagine mistakenly having an STD in your medical history entered by someone’s mistake)
  3. Rise of the Internet threatened privacy and confidentially
  1. Medical information could be used against individuals for non-medical reasons
  2. Healthcare dollars lost to fraud and waste
  3. Genetic information becoming available
  4. Different standards for medical record format sand PHI

It is also important to note that HIPAA has evolved and developed in many waves over the past 18 years to address the above concerns and is still very much a work in progress.

In terms of our ePHI data, there are 18+ elements that identify an individual which can be stored, shared and must be secured. Per 45 CFR 164.514 of the HIPAA Privacy Rule, they are:

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual:

(A) Names;

(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses; (G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section

4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.

We don’t want to jump in too deep in this area, as compliance and security are subjective topics that need to stay relevant to the size and complexity of each organization.

HIPAA Compliance

For compliance, follow the Office for Civil Rights (OCR) as they are responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.). For security, follow the National Institute of Standards and Technology (NIST) Special Publications. The OCR suggests methodology in their guidance materials is the NIST SP800-30.

Checklists that have workflows attached to each item are available in the form of spreadsheets, the OCR’s “SRAT” tool and, for more advanced collaboration, web-based solutions.

Based on our observations of the OCR, we have found, in summary, they look for the following in their audits:

  1. (Easy*)Performance of these checklists covering the 78 HIPAA Security Citations and provide the 9 steps identified in conducting a risk analysis in NIST SP800-30.
  2. (Difficult*)Ongoing updates to the results of the risk analysis conclusions (i.e. what risks were found, who is going to do what, by when to address the risk found) and risks results (i.e. tracking what activities have been performed since the risk analysis was performed)

*It is easier to identify HIPAA gaps in compliance and risk items to the organization. It is more difficult for organizations to react to the gaps and risks found as this requires resources, changes in process and increased administrative, technical and physical safeguards.

HIPAA Security

Like any other security assessment (gaps identified against an industry guidance) and risk analysis (calculating risk for the organization for any said gaps), security encompasses authorization (who is granted authorized access to

what data and reducing unauthorized access), integrity (timely and complete data), and availability (ability to restore damaged or lost ePHI and ability to continue operations during emergency scenarios).

To address common vulnerabilities and exploits (CVE), we recommend all security risk analysis include, as a base-requirement, the performance of an automated vulnerability analysis scan 164.308(a)(1)(ii)(A) from the Internet against any of the organization’s Internet-accessible systems.

The next level of this type of effort would include internal vulnerability scanning, which is like the external vulnerability scan but against all internal computers, servers and systems. We find most environments are like M&M candies — hard on the outside, but soft and easy to melt on the inside.

  1. a)  ePHI discovery and mapping (what databases, purpose and who is responsible)
  2. b)  Firewall configuration review (ensure only minimum ports are open, see if IPS/IDS is appropriate to detect malicious software communicating to the Internet from breached systems)
  3. c)  Penetration testing of all Internet-facing applications (especially if software is developed in-house)
  4. d)  Ethical hacking (such as testing various ways to gain administrative access to systems and firewalls)
  5. e)  Ongoing remediation consulting (having an external firm remind assignees of tasks to deadlines and update results documentation for potential audit response)

5. Meaningful Use helps address the most serious healthcare threats to electronic personal health information: theft, unauthorized access and loss.

The healthcare industry stores patient information for the treatment, payment and healthcare operations of medicine. This industry has historically been slow to adopt technology and computer systems. As such, the migration of our protected health information (PHI) from paper to electronic (ePHI) has been largely fueled by the Meaningful Use (MU) incentive program. To qualify for these MU funds, covered entities must adopt a certified electronic health record technology (CEHRT), or as the industry calls it, an “EMR program”, and use it in a meaningful way (e.g. complete demographics, allergy and prescription drug checks, make patient visits available to the patients, etc.).

Stage 1 of Meaningful Use was extended in December 2014, and stage 2 is being adopted for continued incentive payments. Part of the increased security measures for stage 2 includes the following CEHRT/EMR software features: additional audit logging capabilities (to combat unauthorized access), mandatory encryption/no temporary files being written that may contain ePHI and patient amendment tracking.

6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.

Dell SecureWorks recently uncovered numerous underground marketplaces where hackers are selling information packages that include bank account numbers and logins, social security numbers, health information and other PII. In the underground world, these electronic packages put together for identity theft and fraud are referred to as “fullz”. When “fullz” are sold along with counterfeit or custom manufactured physical documents relating to identity data, the packages are called “kitz”.

Below are the average fees for these packages:

“Kitz” — $1,200 – $1,300, which includes PII and faked papers

“Fullz” — $500, which includes PII faked documents

There are additional fees for health insurance credentials and U.S. credit cards with CVV codes.

Health insurance credentials cost $20 each, while credit cards are only $1 – $2 each. This tells us that people are willing to pay more for your health insurance information than for your credit card information — about 10-20 times more. Therefore, your health information is way more valuable than your credit card information, and it’s extremely important that your health information is kept safe and secure from hackers.

So what is the motivation of enforcing PCI and HIPAA? In the case of PCI – it is clearly the credit card companies suffering financial loss from fraud. In the case of HIPAA – the motivation is to ensure our rights to protect and have our health information secured, reduce waste and hold covered entities, as well as their business associates, accountable for providing basic security, privacy and breach notification requirements.

At the end of the day, after conducting thousands of risk analysis and security projects, a new question pops up from this discussion, “If security and compliance are too difficult for organizations, then why does it seem so easy for hackers to get into their systems?”

Is a Covered Entity Liable For, or Required to Monitor The Actions of Its Business Associates?

Luckily, the answer to this question is a good one for covered entities. Business associates are liable for their own actions and every piece of protected information they are given. The important thing that covered entities need to be sure of is to properly enter into a contract that protects the privacy of protected information.

Monitoring or overseeing the work or actions of business associates is not required nor is it expected. Business associates are wholly responsible for complying with the privacy safety measures spelled out in the contract between the covered entity and the business associate.

The biggest concern a covered entity has when it comes to its business associates is acting upon the information or evidence that their business associates are not doing or complying with the contract. If a covered entity neglects to act on evidence found, or discovered, that indicates the business associates are not in compliance with the precautions in place in the contract, then the covered entity can be charged for neglect.

The actions that a covered entity is expected to take when a breach or violation is discovered are: take appropriate action to secure the breach or end the violation, if it is not possible to secure the breach or end the violation the entity is expected to terminate the contract.

There are several details that can’t be succinctly explained in a short summary, therefore, it is up to the covered entity to make sure they are operating within the policies of the HIPAA laws.

Weren’t Business Associates Already Subject to HIPAA Before September 2013?

Before September 23rd, 2013, business associates were subject to upholding the provisions in the contracts by which they were governed. That meant that the contracts controlled the type, amount, and use of protected information a business associate was able to handle. Now through the new HIPAA policy changes, covered entities no longer determine the liability of a business associate.

Business associates, through the new policies enforced in September 2013, are now held accountable for all the actions they take that affect protected health information. That means that apart from entering into a contract that is compliant with the new HIPAA policies, a covered entity has no liability when it comes to what a business associate does with protected health information in the course of fulfilling their contractual obligations.

This is good news and bad news for covered entities. It means that covered entities don’t need to monitor or dictate a business associate’s every move. This makes for a much less labor intensive management of business associates.

It also means that there is greater responsibility placed on the covered entity for the violations and breaches of security that are discovered by covered entities. A covered entity can be charged with neglect if they discover or find evidence suggesting a violation or breach and do not take the appropriate steps in reporting it.

The largest change that both business associates and covered entities must be aware of is that business associates are now liable for being compliant in all their actions with protected health information.

If you don’t know where to start, we suggest learning more about our HIPAA compliance software which will help you conduct a HIPAA Security Risk Analysis and is the cornerstone of a good HIPAA Risk Management plan. This effort should identify gaps in compliance, identify vulnerabilities and provide reasonable suggestions to remedy any remediation items.  This is the expectation for Business Associates in addition to signing appropriate agreements with their healthcare clients.

Google – A HIPAA Compliant Business Associate?

google logo

Last month, Google announced that they will sign a HIPAA Business associate agreement (BAA) with organizations who are using their Google Apps services: Gmail, Calendar, Drive, and Google Apps Vault.

HIPAA (Health Insurance Portability and Accountability Act) is a set of laws requiring secure access to identifiable healthcare information. All organizations must comply in protecting specific information including name, address, health information and payment records (referred to as “protected health information” or PHI).

The BAA is required when two or more entities share PHI in order to outline the responsibilities between the parties as to the security of the information as well as outline accountability in case of a breach.

To sign up for the BAA with Google, an administrator must answer the following three questions online:

  1. Are you a Covered Entity (or Business Associate of a Covered Entity) under HIPAA?
  2. Will you be using Google Apps in connection with Personal Health Information?
  3. Are you authorized to request and agree to a Business Associate Agreement with Google for your Google Apps domain?

After responding, the administrator will be taken to the BAA for review and signature.

If your organization is looking for email, calendar, and document storage that is HIPAA compliant, Google is a great place to start.