
Business Associate Management Strategies

Post Contributed by Alan Davis, Proteus Consulting


Business Associate (BA) management is an important facet of a Covered Entity (CE) HIPAA security program.  Yet many BAs are playing “catch up” to comply with the HIPAA Security Rule updates brought about by the HITECH Act.  CEs are now challenging themselves to properly manage their BA relationships as they begin to realize that both parties are directly liable to comply with the HIPAA Security Rule, Breach Notification Rule, and applicable portions of the Privacy Rule.

Accurately identifying BAs is the first step to an effective BA management strategy. 45 CFR §160.103 defines what constitutes a BA relationship and lists the exceptions under which no BA relationship exists. Companies subcontracted by a BA that create, receive, maintain, or transmit protected health information are also BAs, and must comply with the HIPAA Rules. The work being performed, and not the contract or agreement, determines whether a BA relationship exists.

The BA contract, also known as a Business Associate Agreement, is the proper means to articulate the permitted uses of protected health information and to ensure a BA’s compliance with the HIPAA Rules.  We recommend a “lifecycle” approach to ensure compliance throughout the contract process.  Pre-contract due diligence should include sending the BA a security questionnaire and obtaining proof that the BA has completed a current and proper security risk assessment (required of BAs since September 23, 2013 under the HIPAA Omnibus Rule).  Post-contract controls should spell out how contract compliance will be monitored and include event management procedures.  Lastly, the contract should include termination processes and procedures.

Although privacy and security are not a checklist, here are some thoughts to help manage BA relationships:

◦ Evaluate who is and who is not a Business Associate (include BA subcontractors);

◦ Keep track of individual contract dates and formally assign a person to manage the process.  Review each contract at least annually;

◦ Ensure that your contract stipulates in writing that subcontractors will agree to the same data use controls;

◦ All BA contracts need to be updated if not compliant with current HIPAA Rules;

◦ CEs are accountable for reporting breaches at their BAs (including the BAs’ subcontractors) to the Department of Health and Human Services (HHS);

◦ Technologies (encryption, firewalls, etc.) do not relieve BAs of compliance with the HIPAA Rules;

◦ BAs may be inspected during a CE audit by the HHS Office for Civil Rights (OCR);

◦ 2014 was a record year for HHS collections from non-compliant CEs and BAs.

Breaches are expensive, sometimes even enough to close a practice or supporting company.  BAs are responsible for roughly 25 percent of all incidents and have affected millions of patients; some CEs are uncomfortable becoming more intrusive, and some BAs remain slow to engage with the HIPAA Rules.  Both businesses’ reputations and revenue are based on patient trust, and all should agree that a formal, compliant BA contract is a responsible part of HIPAA compliance and electronic protected health information security.

– Alan is the Principal of Proteus Consulting, LLC, of Hayden, Idaho.  

HIPAAOne statement on Heartbleed

HIPAA One Heartbleed update:

You are probably aware of the Heartbleed Bug. This vulnerability is in the OpenSSL cryptographic software library (CVE-2014-0346 / CVE-2014-0160).  There has been a tremendous amount of media coverage due to the severity of this bug.

This bug enables someone to read the memory of systems protected by vulnerable versions of OpenSSL software. More details can be found here: In summary, an information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160)

After analyzing our cloud infrastructure, we found that no production servers were impacted by this bug.

We conduct regular vulnerability scans and are commencing periodic ethical hacking.  This helps provide assurance that we are current with vulnerabilities and managing risk in our production platforms.

Thank you for your attention to this matter.

For anyone else running Linux with OpenSSL, we recommend applying the security patch issued by Red Hat (or your distribution’s equivalent) to affected servers and then restarting every service that links against OpenSSL (web servers, mail servers, VPN daemons and the like): a patched library on disk does not protect a process that is still running with the old copy loaded. Issuing “openssl version” from the command line shows which upstream version is installed; OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are the affected releases. Be aware that Red Hat backports fixes without changing that version string, so on Red Hat systems confirm the fix from the package changelog (“rpm -q --changelog openssl | grep CVE-2014-0160”) rather than from the version alone. Because the leaked memory could have included private keys, servers that were exposed should also have their TLS certificates reissued with new keys after patching. The Red Hat security advisory is included here for your reference.

Steven Marco

HIPAA One® President

What’s The Difference Between A Covered Entity & Business Associate?

Knowing the distinction between a covered entity and a business associate is essential because the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies differently to the two. If you understand the difference, then you understand who has access to your medical data and what they are permitted to do with it.

The HIPAA Privacy Rule protects a person’s medical records and other personal health information, and gives the patient rights over that information. It also binds covered entities and business associates, requiring each to follow specific rules and setting restrictions and conditions on the use and disclosure of certain patient information.

Legally, the HIPAA Privacy Rule applies directly to covered entities; business associates are bound to it through their contracts and, since the Omnibus Rule, are directly liable for the provisions that apply to them. A covered entity can be a health plan, a health care clearinghouse or a health care provider that electronically transmits any type of health information. Examples are your doctor, hospital, insurance company and health insurance plan, whether it is a private, employer, state or federal plan.

It is common for health care providers and health plans to use the services of other individuals or businesses to help carry out their health care functions. This is where business associates come in.

More specifically, a business associate is an individual or entity that executes particular responsibilities that include the use or disclosure of protected health information in support of, or as a service to, a covered entity. A health plan, health care clearinghouse or covered health care provider could be a business associate for another covered entity, but a member of the covered entity’s personnel is not considered a business associate.

Possible business associates are an attorney, a CPA firm, an independent medical transcriptionist or a pharmacy benefits manager. Services provided by business associates can be accounting, billing, claims processing or data management. And of course, these are just a few examples of each.

Covered entities are responsible for ensuring that their business associates safeguard protected health information. The contract between a covered entity and its business associate must be HIPAA compliant, and if a business associate materially breaches its contract, the covered entity must take reasonable steps to have the breach cured and, if that fails, terminate the contract.