Business associates have the same compliance and security obligations under HIPAA as covered entities (healthcare provider, health plan, or clearinghouse). They are also subject to enforcement actions and financial penalties for breaches of protected health information (PHI) or other violations.
Under HIPAA, a “Business Associate” is specifically defined as a person or entity that provides services or performs work that involves the use or disclosure of protected health information (PHI) on behalf of a covered entity (healthcare provider, health plan, or clearinghouse). Business associates are not a homogeneous group: they perform a wide variety of functions and range in size from a single individual to a large corporation.
IT Services Firms & Hosting Companies
The common denominator is that business associates are obligated to comply with HIPAA and safeguard PHI with the same stringency as a covered entity. In recent years, enforcement of this BA requirement has intensified. Healthcare providers routinely ask vendors to sign business associate agreements. Many BAs have received large fines from the Office for Civil Rights (OCR) for data breaches and compliance failures. Today, healthcare-focused investors almost always require their portfolio companies to attest to their compliance.
As a result, in addition to satisfying HIPAA, many BAs take the additional step of becoming HITRUST certified. This provides them with a standards-based framework on which to build and enhance their security program. It also gives them a validated certification they can promote publicly. Agio can assist BAs with HIPAA security risk assessments and HITRUST certification while jointly building a cost-effective risk management program.