Who, What, and Now What? Business Associate HIPAA Obligations

It’s likely you’ve seen post after post discussing the Office for Civil Rights’ (“OCR”) recent guidance for Business Associates (“BA”), which lists scenarios in which a BA may be directly liable for breaches of electronic Protected Health Information (“ePHI”).

This is not one of those posts; instead, let’s discuss actions BA may take as a result of this guidance.

You may still access the OCR’s guidance via its Fact Sheet or review the Resolution Agreement between OCR and Medical Informatics Engineering, Inc. (“MEI”) for details; MEI is a HIPAA business associate that maintains electronic medical records and offers software services to health care providers. Because MEI failed to properly protect PHI, a hacker used a compromised username and password to access the PHI of 3.5 million individuals. MEI must now: pay a $100,000 penalty to the Department of Health and Human Services; pay an additional $900,000 over the course of three years to the Attorneys General of sixteen states; conduct a security risk assessment; and develop and maintain a risk management plan.

Bottom Line: HIPAA BA of covered entities are directly liable for complying with certain HIPAA regulations.

Let’s boil this down to the basics: who, what, and now what?

Who?

  1. Covered entities (“CE”) MUST protect PHI (and if transmitted electronically, as ePHI). CE are health plans, health care providers, and health care clearinghouses;
  2. CE MUST conduct and document a security risk assessment and maintain a risk management plan in accordance with HIPAA;
  3. CE MUST oversee BA with whom they share ePHI; and
  4. Since HITECH’s enactment in 2009, BA who receive, maintain, and transmit ePHI on behalf of a CE MUST ALSO protect ePHI and abide by HIPAA regulations lest they become directly liable for failures to do so (and the OCR comes knocking on the door). This means BA must also conduct security risk assessments, among additional requirements.

What?

  1. The OCR’s Fact Sheet is likely welcomed by both CE and BA as the “Wild West” of health data management needs structure and guidance to practically implement HIPAA’s rules.
  2. It’s common for CE to use multiple BA to manage ePHI; each BA relationship should be reflected by an agreement (with a few exceptions, all agreements must reflect elements of 45 CFR 164.504(e)).
  3. It’s imperative that both CE and BA carefully craft and review agreements to ensure alignment with HIPAA’s ePHI management requirements.

Now What?

  1. BA are directly liable for some violations of HIPAA; therefore, BA may wish to review each of the ten items on the Fact Sheet, take their own temperature, and begin immediate remediation if necessary.
  2. CE and BA must ensure the integrity of ePHI; this means, in light of yet another breach, it’s good business practice to conduct a security risk assessment and update written documents.
  3. CE should review agreements with BA to verify inclusion of HIPAA’s regulatory language.
  4. CE and BA can “phone a friend!” Talk with an adviser, lawyer, broker, software, or IT specialist (better yet, consult each of them!) as needed to “get your ducks in a row” so that preventable errors don’t end up in the headlines.
