

How to make sure your Business Associates are HIPAA Compliant

Covered Entities (CE) and their Business Associates (BA) must comply with HIPAA policies to ensure the protection of patients' health data. It's part of a covered entity's duty to ensure its BAs are HIPAA Compliant.

Business Associates perform functions that involve the use or disclosure of Protected Health Information (PHI). This is done through services or actions taken on behalf of a covered entity.

Some examples of HIPAA Business Associates are:

  • Collections agencies
  • IT Consultants
  • Billing / Coding company
  • Practice management partners
  • Third-party claims processors

To ensure the direct liability of Business Associates, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. This made the BAs of covered entities directly liable for compliance with certain requirements of the HIPAA Rules.

By law, the HIPAA Privacy Rule applies only to covered entities. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves.

Because of this, CEs often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose PHI to these BAs if they meet HIPAA regulations and comply with the act.

Read more about HIPAA and how you can prevent breaches in your practice on our blog: 4 steps to reduce HIPAA breaches within your medical practice – Health Prime.

How can you make sure your BA are HIPAA Compliant?

1. Have a HIPAA Business Associate Agreement

Ensure that the business associates will appropriately safeguard protected health information by establishing a written agreement. This will also serve to clarify and limit the permissible uses and disclosures of PHI by your business associates.

There are specific guidelines a written contract between a Covered Entity and a Business Associate must have such as:

  • Permitted and required uses and disclosures of PHI by the BA.
  • Clarification that a BA will not use or further disclose the information other than as permitted or required by the contract or by law.
  • Implementation of appropriate safeguards to prevent unauthorized use or disclosure of the information.
  • Authorized termination of the contract by the CE if the BA violates a material term of the contract.

Read more about these BA Contracts guidelines and get a sample BA Agreement Provisions on the U.S. Department of Health & Human Services (HHS) website.

2. Ensure you have a solid Business Associate Management Program

Covered Entities would do well to ensure they have employed a solid structure within their organizations to monitor Business Associates. It is your duty to make sure they are following HIPAA guidelines.

Your business should conduct ongoing due diligence on its BAs and must act upon any information or evidence that suggests non-compliance, either by requiring the Business Associate to correct the issue or by terminating the business relationship.

With this in mind, you will be able to stay vigilant with your associates to prevent breaches and protect your practice's and patients' information.

3. Analyze your BAs to determine their HIPAA policies

Meet with your Business Associates to determine what PHI they access, how they access it, how they store it, and how they protect it.

Ask them to update you on how they manage your information. Also, understand which HIPAA policies they have within their organizations to safeguard your PHI. They must be able to provide you with the protocols they follow with their teams and the employee training they conduct to ensure your PHI is safe.

4. Keep up with HIPAA changes

Medical practices should stay up to date with the constantly evolving healthcare industry news, including potential HIPAA policy changes. Make sure you stay informed about upcoming HIPAA changes and be aware of how they can impact both your medical practice and your Business Associates.

This will allow you to detect areas for improvement in your HIPAA safeguards and establish new ones where new policies require them. Learn more about upcoming changes to HIPAA this year on our blog: Will HIPAA Changes be Introduced in 2022?

What happens if your Business Associates don't comply with HIPAA?

If a Business Associate is found in violation of HIPAA law, the reputation and public trust of the related Covered Entity (CE) is negatively impacted. The CE may also be fined.

At Health Prime, we are HIPAA Compliant. We have controls and safeguards in place to ensure the confidentiality, integrity, and availability of your PHI. Our employees are trained periodically to be updated on HIPAA policy changes and avoid potential breaches.

At HPI, we are not your vendor. We are your partner. We take care of your information, as you take care of your patients.

If you want more information about our services, feel free to reach out to us at Make sure you subscribe to our Health Prime blog. Stay tuned on all the latest updates on how to improve your medical practice and make sure you are getting paid for your work.
