According to a study conducted by PricewaterhouseCoopers, around 55 percent of the data breaches reported since September 2009 involve business associates. You may wonder why this study matters to your daily operations, but the answer is simple: money.

HIPAA fines range from $100 to $50,000 per violation, and each affected patient record counts as a separate violation. So, at the top of that range, a breach involving one hundred (100) patients could add up to five million dollars ($5,000,000.00) in fines. Even worse, under the Omnibus Rule, Covered Entities must obtain assurances from their Business Associates that they comply with the applicable parts of the HIPAA Privacy Rule, the HIPAA Security Rule, the Omnibus Rule, the HITECH Act and other state and federal regulations. In other words, you can be held responsible for another organization's failure to protect your data and to follow the rules.

The next question in your mind should be: who is a Business Associate? The simple answer is anyone you pay to provide services to you or your clients and who, while performing those services, stores, transmits, maintains, or receives electronic protected health information (ePHI). For example, Business Associates include, but are not limited to, IT contractors, cloud storage services, email encryption services, web hosts, software companies, billing companies, data analysts, consultants, lawyers, accountants, etc.

Going back to the topic of obtaining assurances, one of the basic requirements is the Business Associate Agreement (BAA). A BAA is an agreement in which the Covered Entity specifies the responsibilities of the Business Associate as they relate to HIPAA, and the Business Associate acknowledges and accepts those responsibilities. Note that a separate BAA is not required if the same clauses are already included in the original service contract.

In summary,

  • Business Associates account for most reported data breaches.
  • If you pay for their services and they store, transmit, maintain, or receive electronic protected health information (ePHI) from your patients to complete their tasks, they are your Business Associate.
  • A Business Associate Agreement (BAA) between you and each of your Business Associates is a must. If they refuse to sign, you must terminate the relationship.

EPI Compliance Business Associate Resources

  • Business Associate Attestation Form. This form is provided as part of the EPI Compliance platform and may be used as proof of your efforts to obtain assurances from your Business Associates.
  • Business Associate Center. Send electronic Business Associate Agreements to your Business Associates and manage the signed copies in EPI's document management system.

Note: To learn more about Business Associates and related HIPAA regulations, visit EPICompliance.