You Can’t Hide Behind a Business Associate Agreement

What it really means to maintain BA HIPAA compliance

By: Tod Ferran, CISSP, QSA
Follow him on Twitter @TodFerran

During the last few months of auditing various HIPAA environments, I’ve seen three distinct groups of covered entities that have responded to new HIPAA Omnibus requirements regarding business associates.

  • Group #1: Most common. They’ve chosen to completely ignore the new requirement to update all business associate agreements (BAAs). Perhaps they are lazy, busy, or worried that asking for a new signature might negatively affect the relationship or open the door for the BA to negotiate new terms.
  • Group #2: Up and coming. They are slowly updating their agreements and encouraging every BA to sign, but believe that is all it takes to become compliant.
  • Group #3: Practically nonexistent. They diligently verify that business associates are truly HIPAA compliant and securely handling patient data before accepting any new or updated agreement, and before transmitting any electronic protected health information (ePHI) to the BA.

Want to take a guess which group you should be in?

Covered entities don’t have the option to hide behind a BAA if a Department of Health and Human Services (HHS) auditor comes knocking. That tactic may have worked before September 2013, but the HHS has made clear in the Omnibus Rule documentation that covered entities share responsibility for protecting the patient data their business associates handle, and simply signing a new agreement just isn’t enough anymore. The Security Rule calls this responsibility “obtaining satisfactory assurances” [45 CFR §164.308(b)(1)].

Though government documentation does little to explain the phrase, “satisfactory assurances” essentially means covered entities must take their own measures to check how a BA handles patient data and to review the BA’s security controls. To meet this requirement, some covered entities require proof of a completed risk analysis, or require the BA to implement a standard risk management plan. Others track all of their business associates with a compliance-monitoring tool.

It’s common sense

The logic behind the new rule is quite sound when you think about it. The new rule prevents business associates from signing contracts without actually implementing HIPAA practices. Would you give a teenager who failed the driving test the keys to your car if they promised they’d be careful? The HHS wouldn’t.

You have been assigned the part of the responsible parent, and if you willfully neglect that responsibility, the HHS may come after you to the tune of a $50,000 minimum per violation.

BA best practices

Don’t get me wrong, I’m not trying to downplay the importance of business associate agreements. After all, they are still required under the HIPAA rules. Just remember that patient data is so important that you may need to consider dropping business associates that choose to ignore compliance best practices. With recent class-action lawsuits seeking $1,000 per compromised individual, it’s worth being choosy.

Here’s the moral of the story. The new HIPAA Omnibus Rule isn’t just about signing a new BAA. Every covered entity with business associates (virtually all of you) is required to obtain assurances that those business associates treat patient data the way the HHS wants them to, and the way you want them to. Whether you choose to audit each BA yourself or require documented data security procedures, take the initiative to secure the future of your organization and the safety of patient data.

About the Author: Tod Ferran is a Security Analyst for SecurityMetrics, an industry leader in compliance and data security that provides guided HIPAA compliance for covered entities and business associates nationwide. Visit SecurityMetrics for more information on its business associate program. Follow SecurityMetrics on Twitter @SecurityMetrics