The Health Insurance Portability and Accountability Act (HIPAA) is one of the most important federal statutes ever signed into law. It has four primary objectives: to ensure patient health information is kept safe and secure, to make sure a person continues to receive health insurance coverage between jobs, to minimize fraud and abuse in healthcare, and to enforce the various standards regarding health information.
Hospitals, doctors, and other medical institutions cannot meet all the demands of HIPAA on their own. This is where Covered Entities and Business Associates come in: the two groups share responsibility for ensuring HIPAA compliance. This article focuses on business associates and their purpose.
What are Business Associates?
Business associates are vendors tapped by Covered Entities to help “create, receive, maintain, or transmit” Protected Health Information (PHI). A business associate (BA) can be a person or an entity tapped to work with a patient’s health information.
Because of the importance and sensitivity of the job, a BA is required to undergo strict HIPAA training for business associates before they can handle any PHI. The training provides them with the information needed to ensure they comply with HIPAA rules, especially as BAs have to navigate within the legislation’s Privacy Rule.
Business associates come from a range of organizations. They can be legal, consulting, administrative, management, or financial firms. A collections agency, medical transcriptionist, IT consultant, law firm, or medical device maker can be considered a business associate.

BAs perform distinct functions that a Covered Entity cannot handle on its own. Here are some of the jobs these businesses do:
- Accounting
- Benefits management
- Billing
- Claims processing
- Data analysis and processing
- Practice management
- Quality assurance
What’s the Purpose of Business Associates?
It’s interesting to note that business associates outnumber covered entities in the healthcare industry. One reason for this is the sheer size of the healthcare sector and the magnitude of services it offers.
Healthcare operations have also become more complex over the years. They also generate copious amounts of data. Doctors don’t have the time to deal with documentation. Nurses also have to focus on different duties. The business of running a hospital is also a lot of work for one administrative team.
Outsourcing is the solution to this dilemma. The healthcare industry outsources many of its key functions to outside vendors, also known as business associates. A single hospital or private practice will hire several vendors to provide it with important services.
It’s a business associate’s job to provide essential services while maintaining the integrity of PHI. A BA has to be HIPAA compliant. That starts with completing HIPAA training for business associates. BAs also have to sign a Business Associate Agreement before they are awarded a project or tapped to provide a service.
How Important is a Business Associate Agreement?
A Business Associate Agreement is a linchpin for a company working in the healthcare industry. Being HIPAA compliant has been crucial for business associates ever since the 2013 HIPAA Final Omnibus Rule rolled out.
The US Department of Health and Human Services (HHS) now requires all business associates to sign a Business Associate Agreement with the covered entities they will assist. The agreement states that the covered entity and the business associate share the responsibility of protecting the patient’s data and handling breach notification.

PHI protection remains the main responsibility of covered entities. However, HHS mandates that business associates provide assurance that they will keep the patient data they create or receive private and secure.
Covered entities working with business associates must obtain concrete assurances that PHI will be treated with the seriousness and integrity HHS demands. This is usually done with a Business Associate Agreement. The agreement typically has these provisions:
- To determine what Protected Health Information (PHI) the Business Associate will access
- To require the Business Associate to use the mandated safeguards needed to secure PHI
- To ensure the Business Associate won’t disclose PHI except when allowed by the contract
- To require the Business Associate to undergo the relevant HIPAA training for Business Associates
- To outline the steps to be taken in case of a data breach
- To include subcontractor compliance if needed
- To provide detailed provisions for the termination of the Business Associate Contract
- To detail the procedure for the return or destruction of PHI
Providing What is Needed
Business associates are one of the critical elements that make the healthcare industry run smoothly. While these individuals or companies provide vital services, they must also provide assurances that PHI is secure at all times. A robust Business Associate Agreement will ensure HIPAA compliance.