HIPAA Business Associates Security Requirements—What You Need To Know

Updated on June 10, 2013

By Angie Singer Keating

Can your company afford to lose up to a million and a half dollars a year? That’s what a company can potentially be fined by the government for violating HIPAA security and privacy requirements. That’s a big dent in your wallet. So, how do you know if you could be affected, and if so, what can you do about it?

HIPAA stands for the Health Insurance Portability and Accountability Act. Despite its name, it actually has to do with more than just insurance. Basically, this is the law that governs the protection of health information. It’s this law that prevents just anyone off the street from walking into your doctor’s office and getting the details of your last prostate exam. It’s also the law that fines an insurance company for tossing sensitive information into the trash rather than disposing of it appropriately.

On March 23, 2013, the HIPAA Final Omnibus Rule was enacted, creating significant new civil and criminal penalties for non-compliance. Healthcare providers, or covered entities as they are referred to in HIPAA, have been wrestling with the enormity of HIPAA since 1996. While many are not yet fully compliant, the vast majority have at least put in the effort to become compliant.

Just because you’re not an actual health care provider or insurance company doesn’t mean that you can breathe a sigh of relief, however. The law was recently expanded to include business associates of organizations such as health care providers, and even subcontractors of those business associates. Any downstream vendor that has any contact whatsoever with private health information is now affected by this law, as well as by the potentially hefty fines just mentioned.

What’s changed in the Final Rule is that HIPAA is now being rigorously enforced, and the law now extends to cover all service providers who transmit, process, store, review, or destroy patient health information, for both paper records and electronic records. If you have clients or customers who are healthcare providers, expect to see new Business Associate Agreements from them that will increase your liability, indemnify the client and hold them harmless, and make your company responsible for all costs of investigation, reporting, notification, and civil and regulatory penalties when a breach or suspected breach occurs. Be sure to discuss these new agreements with your lawyer and insurance agent before you sign them and accept full financial responsibility.

An important change for business associates is that they must now comply with, and be subject to audits for, the HIPAA Security and Privacy Rules. These requirements will be enforced, audited, and investigated by the Office of Civil Rights (OCR) and the State Attorneys General. Just to name a few of the obligations, business associates are required to perform a business impact analysis, have a written incident response plan, and have internal IT systems with all of the technical controls in place as specified in the Security Rule, which is based on the National Institute of Standards and Technology (NIST) 800-series Special Publications.

For the healthcare providers, the first step is to identify all business associates with whom you do business. Those vendors should be classified according to risk, and a vendor risk management program should be developed. Due diligence on the high-risk business associates will be crucial. In the event of a reportable breach, failure to have performed proper due diligence on vendors may be deemed negligent by the regulators, which then escalates the monetary penalties. If your organization has a vendor management program, be sure it is documented, auditable, and enforced.

No business can afford to have its bottom line affected like that. If that’s not enough to sink your company, then the loss of customer trust that follows the loss of such sensitive and private information will. Do everything you can and should to protect and dispose of information, the most effective step being to enlist the help of a qualified data security expert. The good news is that the deadline to become fully compliant is September 23, 2013.

Reclamere offers free initial consultations to healthcare providers (covered entities) to review their vendor/business associate compliance programs, and also offers free initial consultations to vendors (business associates) to assess their HIPAA compliance risk state. For more information on how HIPAA can impact your company, how you can protect yourself, and perhaps most importantly, protect the private data of innocent healthcare patients, please contact us.

For your free no-obligation consultation about your Business Associate compliance management program or other HIPAA compliance resources, please visit www.reclamere.com, email [email protected], or call 814-684-5505 ext. 303.

Angie Singer Keating, CISA, CIPP, CISM, CRISC is CEO and Co-Founder of Reclamere, Inc. – The Data Security Experts. Follow her on Twitter @VeepGeek and stay up to date on the latest security and compliance issues with the Reclamere blog www.reclamere.com/blog/.
