HIPAA Security Tip #25: Business Associates

By Iseman Cunningham Riester & Hyde LLP

In the HIPAA Privacy implementation effort, compliance with the business associate* requirements was by far the most significant hurdle for Covered Entities. Some Covered Entities, in fact, have yet to attain compliance despite the two years that have passed since the Privacy Rule took effect.

Fortunately, the Security Rule requirements for business associates are not particularly complex. They essentially involve adding four specific paragraphs to existing business associate contracts, which can usually be accomplished in a simple addendum or amendment.

Covered Entities may take advantage of this opportunity to revisit business associate arrangements by:

  1. Renegotiating terms of existing business associate contracts which are not advantageous to the Covered Entity.
  2. Finalizing business associate relationships with those entities that balked at recognizing their business associate status on the first go-round.

Many Covered Entities have been content to allow business associates to continue providing services without insisting on compliance with HIPAA business associate standards (i.e. signing a business associate agreement). Such a practice is doubly dangerous. Turning a blind eye not only exposes the Covered Entity to regulatory violations in its own right, it may also make the Covered Entity responsible for violations committed by an errant business associate.

* A business associate is a person or organization that performs or assists with a function, for or on behalf of a covered entity, involving the use or disclosure of individually identifiable health information.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.

HIPAA Security Tips Archive

No posts to display