Healthcare News & Insights

Ensuring HIPAA compliance with hospitals’ BAs

Securing protected health information (PHI) remains a top priority for facilities covered by HIPAA’s security rule, but their business associates (BAs) may not be on the same page. 

This should worry hospital leaders because during the next phase of HIPAA audits, BAs will be under the microscope, too.

Currently, the audits have been delayed indefinitely, so there’s still time for hospital leaders to review their BAs’ compliance and take added precautions.

Evaluating BAs

To assist in evaluating BAs’ compliance, Manatt Health Solutions, a policy and business advisory division of the law firm Manatt, Phelps & Phillips, LLP, conducted a series of interviews with covered entities and their business associates about how they secure PHI and the security challenges they face.

The group notes that BAs can perform a wide variety of services, like care management, claims coding and billing, and other IT functions. As a result, providers tend to categorize all vendors as business associates in order to implement overarching compliance plans.

The group also found that some covered entities have as many as 10,000 BAs, and that large covered entities, such as hospitals and health systems, often have trouble keeping an accurate record of how many BAs they use.

Typically, BAs are hired and managed from various departments in a facility, rather than through a centralized process, like through a legal or compliance office.

Though resources for evaluating your BAs’ compliance might be scarce, hospital leaders will still want to make sure that some level of oversight is in place, especially for smaller BAs like software vendors. The study revealed that small BAs were more likely to be familiar with HIPAA obligations than large BAs, which often have offices dedicated to HIPAA compliance.

Some cloud and software vendors have even been found using the wrong standards to guide their security efforts, believing they’re meeting HIPAA compliance standards when they’re not.

Securing compliance

It’s crucial that hospitals establish some form of oversight of their BAs, and keep records of what steps they’ve taken to ensure BA compliance. Though costly, the expense of oversight measures pales in comparison to the possible penalties for a PHI breach.

For example, the report found that most covered entities don’t audit their BAs for compliance, or ask to see BAs’ risk analyses, policies or procedures. This could leave facilities vulnerable to breaches and HIPAA violations.

One way to address this is through business associate agreements, such as including a provision that requires BAs to attest and show they’ve performed thorough risk assessments and implemented preventive policies. Another good step to take would be setting rules for BAs about returning or destroying PHI after a business relationship ends, which the report found many covered entities haven’t accounted for.

Linda Sanches, the Office for Civil Rights information and privacy security senior advisor, recently recommended that facilities create comprehensive lists of their BAs as one way to prepare for the upcoming audits. If your facility wants to be proactive about BA HIPAA compliance going forward, it might be worthwhile to create a centralized office for contracting BAs. That way, it’s less of a struggle to keep an accurate record of your facility’s BAs.
