Could You Be a HIPAA Business Associate and Not Know It?

January 8, 2019

By Kate Hickner
Featured in KJK Today Year-End 2018

We have all heard about HIPAA. It’s a federal law designed to set a minimum floor for the privacy and security of protected health information. Over the years, HIPAA has been expanded and strengthened. It’s now heavily enforced by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR).

HIPAA directly regulates covered entities, including group health plans, health care clearinghouses (e.g., certain entities that process health information) and health care providers that conduct certain covered transactions electronically. But HIPAA also regulates many others, referred to as “business associates”: individuals or entities that provide services involving the use or disclosure of protected health information to the covered entities just mentioned. For example, law firms, accounting firms, billing companies, practice management companies, software companies, information technology consultants and others often qualify as HIPAA business associates if they provide services to a health care provider, group health plan or health care clearinghouse.

HIPAA requires that business associates themselves directly comply with numerous regulatory requirements, including the HIPAA Privacy, Security and Breach Notification Rules. For example, HIPAA business associates are not only required to enter into HIPAA Business Associate Agreements with their covered entity clients, but must also develop their own robust and active HIPAA compliance plans satisfying specific criteria.

As covered entities bolster their own HIPAA compliance and related contracting standards, and as the federal government increases its HIPAA audit and enforcement activities with respect to business associates, we are encountering more and more organizations that are HIPAA business associates but are unaware of their HIPAA compliance obligations.

If you believe that your organization may be a business associate and you have not taken steps to assess or comply with your obligations under HIPAA, the time is now. It is less expensive to address these issues in a proactive manner than in a reactive manner after noncompliance has been identified by the government or a business partner. Strong HIPAA compliance programs can also be used as a marketing tool to differentiate business associates from their competitors.

2019 is a great year to take proactive steps to mitigate HIPAA-associated legal, financial and business risk. The KJK Healthcare Group provides HIPAA guidance to its clients on a daily basis. We are available to answer any HIPAA-related questions that you have.

