BA HIPAA Fundamentals

The Impact of Proposed Changes to the HIPAA Security Rule for Business Associates

Posted May 18, 2026 by Steve Alder

A final rule updating the HIPAA Security Rule is due for release as early as May 2026. According to HHS/OCR, the modifications to the Security Rule will improve cybersecurity in the health care sector by strengthening requirements to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats. In Spring 2025, OCR released a timetable suggesting a May 2026 release, although the final rule will likely be delayed. If OCR opts to release a final rule implementing all changes proposed in its January 2026 Notice of Proposed Rulemaking (NPRM), it will have a major impact on business associates of HIPAA-covered entities.

For more than two decades, the HIPAA Security Rule has set a baseline for cybersecurity to safeguard electronic protected health information (ePHI). Prior to its release in 2003, there were no standards for cybersecurity, although at the time, adoption of electronic health records was far from widespread. The standards of the HIPAA Security Rule have helped to ensure that ePHI, and the systems used to store, process, and transmit that information, have appropriate safeguards to protect against unauthorized access; however, standards that were reasonable and appropriate in the early 2000s are no longer sufficient to protect against the barrage of attacks from nation-state actors and cybercriminals, the increasing sophistication of intrusion and lateral movement techniques, and the emerging threat of AI-assisted attacks.

New Mandatory Cybersecurity Rules for HIPAA Business Associates

For the past few years, more than 700 large healthcare data breaches have been reported each year, a large proportion of which occurred at business associates of HIPAA-covered entities. To address the cybersecurity weaknesses routinely being exploited by threat actors, OCR proposed two sets of voluntary healthcare-specific cybersecurity performance goals (CPGs): essential and enhanced. The CPGs consist of high-impact measures to strengthen cybersecurity, and healthcare organizations were encouraged to adopt the essential CPGs and then mature their cybersecurity programs by adopting the enhanced cybersecurity goals.

When OCR released the CPGs, it was made clear that they were a precursor to mandatory new cybersecurity measures. The NPRM- HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information was published by OCR in the Federal Register on January 6, 2025. Since then, OCR has been reviewing the extensive feedback it received.

The Security Rule update was proposed in response to increased cyberattacks, evolving healthcare delivery environments, and the common deficiencies identified by OCR during its compliance investigations. If a final rule is issued, it will be the first major update to the HIPAA Security Rule in more than two decades. In its proposed form, business associates will be required to make substantial changes to their cybersecurity and compliance programs. Proposed rules typically have a compliance deadline of approximately 240 days (8 months). If released per OCR’s proposed timetable, compliance will likely be required as early as Q1, 2027.

There are extensive new Security Rule requirements for business associates, which will be time-consuming and potentially costly to implement. These are not changes that can be implemented overnight or in a few weeks. The changes will require extensive planning, implementation, validation, and detailed documentation. Business associates should be proactive and assess where their current security program falls short, rather than wait until the final rule is issued.

Regulated Entities Must Implement All Security Rule Implementation Specifications

Changes have been made to the language of the HIPAA Security Rule, introducing the term HIPAA-regulated entities for covered entities and business associates to improve consistency. OCR has eliminated the distinction between “addressable” and “required” implementation specifications. The removal of “addressable” implementation specifications means covered entities and business associates will be required to comply with all implementation specifications. Together with the more prescriptive cybersecurity requirements, substantial changes will need to be made to security and compliance programs.

The current HIPAA Security Rule is scalable, flexible, and technology-neutral, whereas the proposed rule is more prescriptive and testable, with operationalized cybersecurity requirements. The proposed Security Rule introduces a host of new cybersecurity requirements, and while there are limited exceptions, some requirements are risk-based and only apply to systems containing ePHI, regulated entities will have to make significant changes to their cybersecurity programs. New requirements include encryption of all ePHI at rest and in transit, multifactor authentication across all systems, continuous monitoring of systems for anomalous activity, vulnerability scanning, penetration testing, more prescriptive patch management requirements, configuration management, anti-malware protections, network segmentation, and annual testing of technical controls.

The HIPAA Security Rule requires business associates to provide security awareness training under 45 CFR § 164.308(a)(5), Standard: Security Awareness and Training. This requirement applies to all workforce members with access to IT systems, not only staff who use or disclose PHI. Security awareness training is focussed on cybersecurity training and is separate from, and in addition to, HIPAA training for Business Associates on Privacy Rule, Breach Notification Rule, and organizational policy requirements. The proposed HIPAA Security Rule changes are not expected to change the existing security awareness training requirements.

More Detailed and Prescriptive Business Associate Risk Analysis Requirements

Certain requirements, such as the risk analysis, have more detailed and prescriptive requirements. Under the current regulations, business associates are required to periodically conduct a risk analysis to identify risks and vulnerabilities to ePHI, following any significant change to technology, software, hardware, or business practices, and after a security incident.

The proposed rule requires a risk analysis to be conducted at least annually. The risk analysis must identify and assess all risks and vulnerabilities to all systems, devices, applications, environments, and services that collect, receive, maintain, store, transmit, or touch ePHI. The risk analysis must cover risks associated with subcontractors, service providers, cloud environments, and integrated technologies, and must feed into contingency planning, disaster recovery, and downtime operations planning.

The risk analysis must cover all ePHI in the business associate’s possession, not just the ePHI created or received on behalf of a covered entity, including ePHI from multiple clients and ePHI maintained in shared systems. Before a HIPAA-compliant risk analysis can be conducted, the business associate must identify all systems, devices, applications, services, and environments where ePHI is created, received, maintained, or transmitted. That information must be maintained in a comprehensive, accurate, and up-to-date asset inventory.

The risk analysis must be a formal, fully documented, and repeatable process, aligned with recognised cybersecurity practices. It must be regularly updated to reflect changes in the healthcare environment, evolving threats, and new technologies, and be repeated when systems, subcontractors, business practices, technology, and threat conditions change. This update moves the risk analysis from what is often viewed, albeit incorrectly, as a one-time event to a continuous process. Everything must be documented in detail, including the methodology, identified risks, rationale for risk ratings, mitigation decisions, and residual risks, with written verification of the completeness of the risk analysis and implemented safeguards by qualified personnel.

Greater Oversight of Vendors by HIPAA-Covered Entities

Risks must be subjected to a risk management process, and while that has not changed, specific, documented mitigation plans need to be developed and prioritized for all risks, with remediation measures tracked through to completion. There will be greater oversight of business associates by covered entities. Previously, covered entities were required to obtain satisfactory assurances of HIPAA Security Rule compliance, such as by obtaining a signed business associate agreement. The updated Security Rule requires safeguards to be verified by a covered entity through annual written verification from the business associate.

That means business associates must maintain detailed documentation of all compliance efforts, including their risk analysis methodology and results, the mitigations implemented, and the administrative, physical, and technical safeguards implemented to reduce risks to a reasonable and appropriate level, plus any residual risks that have yet to be addressed. Safeguards must be reassessed and reverified every year.

In the event of a security incident involving ePHI, the HIPAA Breach Notification Rule requires business associates to notify each affected covered entity within 60 days; however, the updated HIPAA Security Rule requires covered entities to be notified within 24 hours of an emergency or other occurrence affecting their electronic information systems and the activation of contingency plans. Business associates must also have a plan for restoring access to critical systems. That means business associates are likely to face increased scrutiny of their breach response and will need to provide regular updates to their covered entity clients.

The expansion of requirements for business associates will require updates to current business associate agreements to include the new obligations. HIPAA-covered entities will need to incorporate the new HIPAA Security Rule requirements into their business associate templates, assess whether their current business associates meet the new requirements, and, if not, ensure that they have a viable plan to implement the required changes on time.

Comparison of Requirements of Current vs. Proposed Security Rule

Compliance Area	Post HITECH Act – HIPAA Security Rule Requirement	Proposed HIPAA Security Rule Requirement
Applicability	Business associates were directly subject to the Security Rule, with certain obligations operationalized through business associate agreements.	Introduction of the term “HIPAA Regulated Entities.” Obligations of business associates are identical to those of covered entities, eliminating any interpretative discrepancies.
Implementation Specifications	Distinction between required and addressable implementation specifications	Elimination of distinction – All implementation specifications are required for compliance.
Asset Inventory	No requirement for an asset inventory.	Business associates must create and maintain a comprehensive and accurate technology asset inventory, on which the risk analysis will be based, complete with network/ePHI movement maps.
Risk Analysis	Business Associates required to conduct an accurate and thorough assessment of risks and vulnerabilities to ePHI. Risk assessments required periodically, and in response to material changes to systems, technology, and workflows	Explicit requirements for risk analysis methodology, which must be formal, repeatable, and documented. Must cover the entire ePHI ecosystem, with specific expectations for content. Must cover risks associated with subcontractors, vendors, cloud platforms, shared systems, service providers, and supply chains. Risk analyses must be conducted at least annually, and methodologies must be updated in response to changes to systems, vendors, threat conditions, and changing operational practices. Extensive documentation requirements, including methodology, analysis, mitigations, and residual risks. The risk analysis and safeguards must be documented and performed by qualified personnel, with written verifications required.
Administrative Safeguards: Standard: Evaluation	Periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI	Consistent methodology required, with an emphasis on recurring testing, technical reviews, vulnerability scanning, and documented reassessments, including in response to emerging threats and operational/environmental changes. Extensive documentation requirements for analyses and mitigations.
Technical Safeguards	Technologies and configurations not specified. Left to the discretion of the business associate, with some addressable requirements.	Specific cybersecurity measures mandated: Encryption of all ePHI at rest and in transit (with limited exceptions) aligned with current best practices; implementation of multi-factor authentication across all systems; continuous monitoring of systems for anomalous activity; vulnerability scanning and penetration testing; prescriptive patch management requirements and timelines; configuration management; backup restoration timing requirements; anti-malware protections, network segmentation; access control specifications; mandatory creation of audit and access logs; and periodic testing of technical controls.
Compliance Audits and Testing	Perform a periodic technical and nontechnical evaluation to establish the extent to which policies and procedures meet Security Rule requirements.	Annual risk analyses, verification of safeguards, testing of contingency plans, and vulnerability scanning and penetration testing.
Physical Safeguards	Physical measures, policies, and procedures to protect a regulated entity’s electronic information systems and related buildings and equipment.	Minor requirements for physical safeguards, including workstation management and facility access.
Workforce Access Management	Ensure that all members of its workforce have appropriate access to ePHI. Flexible and technology neutral, without prescriptive standards or review frequencies.	Expanded requirements for access provisioning, termination procedures, privilege management, minimum necessary access, and periodic reviews of access provisions.
Administrative Safeguards: Business associate contracts	Covered entities must obtain satisfactory assurances that the business associate will appropriately safeguard ePHI, typically achieved through business associate agreements.	Covered entities must verify that a business associate has implemented the required technical safeguards. The business associate must provide the necessary documentation to prove compliance.
Contingency Planning	Must establish data backup, disaster recovery, and emergency operational plans. No requirement to report activation of contingency plans.	Formalized incident response plans required, with defined roles and responsibilities, incident classification, response timelines, post-incident analysis, and detailed documentation requirements. Required criticality analysis, maintenance of exact backup copies, restoration testing, and restoration of critical systems and data within the specified timeframes. Business associates must report emergencies involving electronic information systems and activation of contingency plans to covered entities within 24 hours.
Documentation	Policies, procedures, and analysis documentation must be retained for 6 years, with no specified requirements for format.	Business associate must maintain structured, granular documentation of risk analyses, verify safeguards, risk mitigations, contingency plan reporting, cybersecurity training, third-party risk assessments, logs of system activity, and continuous monitoring. OCR will require documentation to be produced in data breach/complaint investigations and compliance reviews.
Security Incident Procedures	Must identify, respond to, and mitigate harm from security incidents.	Formal incident response plan required with testing requirements, and workforce reporting procedures. Adds expectation for timely notifications to appropriate regulated entities when shared systems or data are impacted.
Vendor and supply chain risk management	As stipulated in business associate agreements	Formal requirement for downstream vendor oversight and the assessment and management of risks associated with vendors and subcontractors. Analyses and mitigations must be fully documented for audit purposes
Business associate agreements	–	Business associate agreements must be updated to reference the new requirements. Covered entities require annual written verifications of technical safeguards, validated by qualified cybersecurity personnel.
CyberSecurity Training	CFR § 164.308(a)(5), Standard: Security Awareness and Training.	Business associated agreements can be expected to include cybersecurity training for business associates.
Enforcement	There has been increased enforcement in 2026.	Business associates may face increased liability for compliance failures. The proposed rule has more prescriptive standards that should aid enforcement by reducing interpretive flexibility.

When and If a Final Rule Will Be Issued

The proposed HIPAA Security Rule update significantly raises the cybersecurity bar for all HIPAA-regulated entities. Any business associate that can demonstrate that they have implemented a rigorous and well-documented risk analysis, all new safeguards, and have mitigated third-party risks will be in an ideal position to comply with the final rule when it is issued, and will be perfectly positioned to attract new healthcare clients.

When the HHS published its regulatory agenda for the year, the May release date was not set in stone. The proposed rule was delayed by several months, and the same may happen to the final rule, especially if the decision is made to severely cut back on its requirements. How long a delay is impossible to predict, as OCR is keeping its cards close to its chest. There is a possibility that the final rule may not be issued, as the Trump administration is pro-deregulation; however, the current state of healthcare cybersecurity and the volume of cyberattacks and data breaches being reported each month mean something needs to be done.

In my opinion, a final rule will be issued, and many of the core requirements will be retained, especially the new risk analysis requirements. It is therefore in the best interests of all business associates to start preparing for that release by reviewing their current security measures and planning, organizationally and financially, for Security Rule changes. While the final rule could differ substantially from the proposed rule, the core elements of the proposed rule are unlikely to change. The best place for business associates to start is with a gap analysis to determine how current security measures stack up against the proposed new HIPAA Security Rule standards, to ensure they can hit the ground running when the final rule is released and be fully compliant ahead of the enforcement date.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post The Impact of Proposed Changes to the HIPAA Security Rule for Business Associates appeared first on The HIPAA Journal.

HIPAA Risk Assessment

Posted January 16, 2026 by Steve Alder

A HIPAA risk assessment assesses threats to the privacy and security of PHI, the likelihood of a threat occurring, and the potential impact of each threat so it is possible to determine whether existing policies, procedures, and security mechanisms are adequate to reduce risks and vulnerabilities to a reasonable and appropriate level.

The requirements for covered entities and business associates to conduct a HIPAA risk assessment appear twice in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act. However, it may be necessary for organizations to conduct risk assessments beyond these requirements.

The first requirement to conduct a HIPAA risk assessment appears in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process). This standard requires covered entities and business associates to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI”.

The second requirement appears in the HIPAA Breach Notification Rule (45 CFR § 164.402). This standard only applies when there has been an impermissible acquisition, access, use, or disclosure of unsecured PHI (in any format), and a HIPAA risk assessment is necessary to determine whether the event is notifiable to HHS and the affected individual(s).

However, beyond the HIPAA risk assessment requirements of the HIPAA Security and Breach Notification Rules, risks exist to the confidentiality, integrity, and availability of PHI when it is not in electronic format – for example, when unauthorized disclosures are made verbally or when a printed medical report is left unattended in an area of public access.

Because of these risks, it may be necessary to conduct a HIPAA privacy risk assessment which not only takes into account risks to the confidentiality, integrity, and availability of non-electronic PHI, but which also covers individuals’ access rights (to their PHI), Business Associate Agreements, and other Organizational Requirements of HIPAA.

HIPAA Security Risk Assessment

The objective of a HIPAA security risk assessment is outlined in the General Rules (CFR 45 § 164.306) that precede the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule. These are to:

Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits.
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).
Ensure compliance with this subpart (the HIPAA Security Rule) by its workforce. Note: This is achieved via security awareness training and the enforcement of a sanctions policy.

With regards to the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, the General Rules allow a “flexibility of approach” in how the standards are implemented. Despite the flexibility of approach clause, it is important that all standards are implemented unless an implementation specification is not “reasonable and appropriate” and an equivalent alternate measure is implemented in its place. The full list of Administrative, Physical, and Technical implementation specifications is:

Standards	Sections	Implementation Specifications (R)=Required, (A)=Addressable	Implementation Commentary
Security Management Process	164.308(a)(1)	Risk Analysis (R), Risk Management (R), Sanction Policy (R), Information System Activity Review (R)	Organizations should perform a comprehensive risk analysis to identify potential vulnerabilities to ePHI. Develop and document a risk management strategy that prioritizes remediation activities. Enforce a sanction policy for employees who fail to comply with security policies, and implement tools for reviewing system activity regularly to detect any unauthorized access.
Assigned Security Responsibility	164.308(a)(2)	(R)	Assign a senior-level individual (such as a CISO or Privacy Officer) to be responsible for ensuring the implementation and oversight of security policies and procedures across the organization. This individual should have authority and resources to enforce HIPAA compliance.
Workforce Security	164.308(a)(3)	Authorization and/or Supervision (A), Workforce Clearance Procedure (A), Termination Procedures (A)	Establish and document procedures for supervising workforce members who access ePHI. Screen employees before granting access, and ensure prompt deactivation of accounts and access upon termination or role change to prevent unauthorized access.
Information Access Management	164.308(a)(4)	Isolating Health Care Clearinghouse Function (R), Access Authorization (A), Access Establishment and Modification (A)	Create controls to isolate systems that manage ePHI, especially if a healthcare clearinghouse is part of a larger organization. Define procedures for granting, modifying, and removing user access based on job roles. Access should be reviewed periodically and updated accordingly.
Security Awareness and Training	164.308(a)(5)	Security Reminders (A), Protection from Malicious Software (A), Log-in Monitoring (A), Password Management (A)	Develop a formal training program that includes regular security updates, awareness of phishing and malware threats, instructions for recognizing suspicious activities, and best practices for password management. Training should be documented and mandatory for all employees.
Security Incident Procedures	164.308(a)(6)	Response and Reporting (R)	Develop and maintain a written incident response plan that defines how to detect, report, and respond to security incidents. Train staff on recognizing incidents, and test the plan through simulated exercises to improve readiness.
Contingency Plan	164.308(a)(7)	Data Backup Plan (R), Disaster Recovery Plan (R), Emergency Mode Operation Plan (R), Testing and Revision Procedure (A), Applications and Data Criticality Analysis (A)	Implement a robust contingency planning framework that includes regular data backups, disaster recovery procedures, and emergency mode operations to ensure continuity of care. Conduct periodic testing and revise plans based on outcomes. Assess and prioritize data and application criticality to focus recovery efforts effectively.
Evaluation	164.308(a)(8)	(R)	Regularly evaluate your security program’s effectiveness through audits, risk assessments, and policy reviews. Document evaluation results and implement improvements as needed to address any weaknesses or evolving threats.
Business Associate Contracts	164.308(b)(1)	Written Contract or Other Arrangement (R)	Enter into Business Associate Agreements (BAAs) with all vendors who handle ePHI on your behalf. Ensure these agreements outline security responsibilities and establish that the associate is subject to HIPAA rules.
Facility Access Controls	164.310(a)(1)	Contingency Operations (A), Facility Security Plan (A), Access Control and Validation Procedures (A), Maintenance Records (A)	Implement procedures to control physical access to facilities where ePHI is stored. This includes locking doors, using ID badges, and ensuring that emergency access is planned. Document maintenance activities and control how visitors and staff are validated before entering sensitive areas.
Workstation Use	164.310(b)	(R)	Define appropriate uses of workstations that access ePHI. Restrict the use of unauthorized software and internet access, and place workstations in secure locations where unauthorized individuals cannot view screen content.
Workstation Security	164.310(c)	(R)	Physically secure workstations by using cable locks, locking office doors, and ensuring terminals are not left unattended when logged in. This helps prevent unauthorized access or tampering.
Device and Media Controls	164.310(d)(1)	Disposal (R), Media re-use (R), Accountability (A), Data Backup and Storage (A)	Develop policies for securely disposing of media containing ePHI, such as shredding paper records or wiping hard drives. Maintain a media tracking system to ensure accountability and store backups securely offsite or in the cloud.
Access Control	164.312(a)(1)	Unique User Identification (R), Emergency Access Procedure (R), Automatic Logoff (A), Encryption and Decryption (A)	Assign unique user IDs for tracking access to systems containing ePHI. Ensure emergency access is available when needed. Set automatic logoff policies to reduce risk from unattended terminals, and encrypt data both at rest and in motion where appropriate.
Audit Controls	164.312(b)	(R)	Use software tools that track and log all access to ePHI, including login attempts, file accesses, and modifications. Regularly audit these logs to identify unusual activity and respond to potential breaches.
Integrity	164.312(c)(1)	Mechanism to Authenticate Electronic Protected Health Information (A)	Use checksums, digital signatures, or similar tools to ensure that ePHI has not been altered or destroyed in an unauthorized manner. Validate these mechanisms regularly to ensure reliability and security.
Person or Entity Authentication	164.312(d)	(R)	Ensure users authenticate themselves before accessing ePHI using secure methods such as strong passwords, biometric verification, or multi-factor authentication. Regularly update and review authentication policies.
Transmission Security	164.312(e)(1)	Integrity Controls (A), Encryption (A)	Encrypt data transmissions such as emails or data sent via APIs to protect ePHI from interception. Implement integrity controls like message authentication codes to ensure that data is not altered during transmission.

The final section of the HIPAA Security Rule covers Business Associate Agreements and other Organizational Requirements. This section requires covered entities to ensure their Business Associate Agreements require business associate to comply with the HIPAA Security Rule and report any security incidents (not just data breaches) to the covered entity. With regards to the Organization Requirements, the standard in 45 CFR § 164.314 applies to group health plans; but all covered entities in hybrid, affiliated, or OHCA arrangements should review the content of this standard as well.

HIPAA Breach Risk Assessment

The second “required” HIPAA risk assessment is actually optional inasmuch as the HIPAA Breach Notification Rule states any that impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless a low probability of compromise can be demonstrated via a risk assessment that takes at least the following factors into account:

The nature and extent of breached PHI including the types of identifiers and the likelihood of reidentification,
The unauthorized person (if known) who acquired, accessed, or used the breached PHI or to whom an impermissible disclosure was made,
Whether PHI was actually acquired or viewed (read HHS’ guidance on ransomware to establish what constitutes “acquired or viewed” in cyberattacks),
The extent to which the risk to PHI has been mitigated.

The reason for the HIPAA breach risk assessment being described as optional is that covered entities and business associates could – if they wish – skip this HIPAA assessment and notify every impermissible acquisition, access, use, or disclosure of PHI. The drawback to this approach is that it may result in business disruption if HHS’ Office for Civil Rights feels your organization is experiencing an above-average number of data breaches and decides to conduct a compliance review.

It can also cause a loss of trust from individuals served by the organization if patients and plan members are receiving frequent breach notifications – especially if they are advised to take measures to protect themselves against fraud, theft, and loss unnecessarily because “breached” PHI has not actually been acquired or viewed. Although “optional”, it can be a good idea to conduct a HIPAA breach risk assessment to prevent unavoidable notifications.

HIPAA Risk Assessment Workflow- the hipaajournal.com

HIPAA Privacy Risk Assessment

Due to the requirement to conduct risk assessments being in the HIPAA Security Rule, many covered entities and business associates overlook the necessity to conduct a HIPAA privacy risk assessment. A HIPAA privacy risk assessment is equally as important as a security risk assessment but can be a much larger undertaking depending on the size of the organization and the nature of its business.

In order to complete a HIPAA privacy risk assessment, an organization should appoint a Privacy Officer, whose first task it is to identify organizational workflows and get a “big picture” view of how the requirements of HIPAA Privacy Rule impact the organization´s operations. Thereafter the Privacy Officer needs to map the flow of PHI both internally and externally in order to conduct a gap analysis to identify where breaches may occur.

The final stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should include policies to address the risks to PHI identified in the HIPAA privacy assessment and should be reviewed as new work practices are implemented or new technology is deployed.

As required by 45 CFR § 164.530, it is essential employees are trained on any policies and procedures developed as a result of a HIPAA privacy risk assessment and when material changes to policies and procedures impact employees’ functions. Although covered entities and business associates may comply with this requirement “to tick the box”, better trained staff make fewer HIPAA errors, so training on HIPAA policies and procedures should be embraced as a risk mitigation strategy.

Not Identifying Risks Can be Costly

The severity of fines for non-compliance with HIPAA has historically depended on the number of patients affected by a breach of PHI and the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, because there is little excuse for not knowing a legal requirement exists to protect PHI.

More recently, the majority of fines have been under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard PHI. Many of the largest fines – including the $5.5 million fine issued against the Advocate Health Care Network – are attributable to organizations failing to identify where risks to the integrity of PHI exist.

However, since the start of the second round of HIPAA audits, fines have also been issued for potential breaches of PHI. These are where flaws in an organization´s security have not been uncovered by a HIPAA risk assessment, or where no assessment has been conducted at all. In March 2016, North Memorial Health Care of Minnesota paid more than $1.5 million to settle related HIPAA violation charges.

It’s Not Just Large Organizations in the Firing Line

Although the majority of headlines relating to HIPAA violations concern large medical organizations and large fines for non-compliance, there are very many small medical practices also investigated by the Office for Civil Rights (OCR) or subject to HIPAA audits. Since 2003, OCR has received more than 300,000 reports of alleged HIPAA violations. Less than 2% of these relate to data breaches involving 500 individuals or more.

A significant problem for small and medium sized medical practices is that not all insurance carriers cover the cost of a HIPAA breach. The cost of a HIPAA breach not only includes the fine, but also the cost of hiring IT specialists to investigate the breach, the cost of repairing public confidence, and the cost of providing credit monitoring services for individuals. Insurers may also limit their coverage according to the nature of the HIPAA violation and the level of negligence.

Without insurance coverage, the cost of a HIPAA breach could potentially close a small medical practice. However, this scenario can be mitigated by conducting a HIPAA risk assessment and implementing measures to resolve any uncovered issues. An assessment can be complicated and time-consuming, but the alternative is potentially terminal to small medical practices and their business associates.

Business Associates Must Be Included

Every covered entity that creates, receives, maintains, or transmits PHI has to conduct an accurate and thorough HIPAA risk assessment in order to comply with the Security Management requirements of the HIPAA Security Rule. This condition of HIPAA compliance not only applies to medical facilities and health plans. Business associates, subcontractors, and vendors must also conduct a HIPAA security risk assessment. Similar to covered entities, fines for non-compliance can be issued by OCR against business associates for potential breaches of PHI.

OCR treats these risks seriously. In December 2014, the agency revealed that 40% of all HIPAA breaches involving an exposure of more than 500 patient records are attributable to the negligence of business associates. In June 2016, it issued its first fine against a business associate – the Catholic Health Care Services of the Archdiocese of Philadelphia agreeing to pay $650,000 following a breach of 450 records. The non-profit organization had failed to conduct a HIPAA risk assessment since 2013.

More recently, the proportion of data breaches attributable to a lack of compliance by business associates may appear to have reduced, but this is not necessarily the case. Under the HIPAA Breach Notification Rule (CFR § 164.410), a business associate is required to notify a covered entity when a breach of unsecured PHI occurs. It is then the covered entity’s responsibility to notify HHS and the affected individual(s) – so it may be the case many data breaches are recorded as being attributable to a covered entity when in fact a business associate is at fault.

Developing a Risk Management Plan and Implementing New Procedures

A HIPAA risk assessment should reveal any areas of an organization’s security that need attention. Organizations then need to compile a risk management plan in order to address the weaknesses and vulnerabilities uncovered by the assessment and implement new procedures and policies where necessary to close the vulnerabilities most likely to result in a breach of PHI.

The risk levels assigned to each vulnerability will give an organization direction on the priority that each vulnerability needs to be given. The organization can then create a remediation plan to tackle the most critical vulnerabilities first. The remediation plan should be complemented with new procedures and policies where necessary, and appropriate workforce training and awareness programs.

It has been noted by OCR that the most frequent reason why covered entities and business associates fail HIPAA audits is because of a lack of procedures and policies – or inadequate policies and procedures. It is important that the appropriate procedures and policies are implemented in order to enforce changes to the workflow that have been introduced as a result of the HIPAA risk assessment.

Tools to Assist with a HIPAA Risk Assessment

Conducting a HIPAA risk assessment on every aspect of an organization’s operations – not matter what its size – can be complex. This is particularly true for small medical practices with limited resources and no previous experience of complying with HIPAA regulations. To help reduce the complexity of conducting HIPAA risk assessments, in 2014, OCR released a downloadable Security Risk Assessment (SRA) tool that helps small and medium sized medical practices with the compilation of a HIPAA risk assessment.

The SRA tool is very helpful in helping organizations identify some locations where weaknesses and vulnerabilities may exist – but not all. In the User Guide accompanying the software, it is stated at the beginning of the document “the SRA tool is not a guarantee of HIPAA compliance”. This is because, although the tool consists of 156 questions relating to the confidentiality, availability, and integrity of all PHI, there are no suggestions on how assign risk levels or what policies and procedures to introduce.

Much the same applies to other third-party tools that can be found on the Internet. They may also help organizations identify some weaknesses and vulnerabilities, but not provide a fully compliant HIPAA risk assessment. Indeed, many third-party vendors publish disclaimers in the small print of their terms and conditions similar to that at the beginning of the SRA tool User Guide. The conclusion is that tools to assist with a HIPAA risk assessment can be helpful for identifying issues but are not suitable for providing solutions to all issues.

HIPAA Risk Assessment FAQ

Where are risks most commonly identified?

Where risks are most commonly identified vary according to each organization and the nature of its activities. For example, a small medical practice may be at greater risk of impermissible disclosures through personal interactions, while a large healthcare group may be at greater risk of a data breach due to the misconfiguration of cloud servers.

What is a “reasonably anticipated threat”?

A reasonably anticipated threat is any threat to the privacy of individually identifiable health information or to the confidentiality, integrity, or availability of PHI that is foreseeable. These not only include threats from external bad actors, but also threats originating from human error or a lack of knowledge due to a lack of training. This is why a “big picture” view of organizational workflows is essential to identify reasonably anticipated threats.

What is the difference between a risk assessment and a risk analysis?

The difference between a risk assessment and a risk analysis is that a risk assessment identifies the risks to HIPAA compliance, whereas a risk analysis assigns risk levels for vulnerability and impact combinations. The objective of assigning risk levels to each risk is so that risks with the potential to be most damaging can be addressed as priorities. Most HIPAA risk analyses are conducted using a qualitative risk matrix.

Who is responsible for conducting a HIPAA security risk assessment?

The responsibility for conducting a HIPAA security risk assessment usually lies with a HIPAA Compliance Officer; or, if the responsibility for HIPAA compliance is shared between a HIPAA Privacy Officer and a HIPAA Security Officer, the risk assessment and analysis should be conducted by the HIPAA Security Officer with assistance from his or her colleague depending on the nature of risks identified.

Are there different types of risk assessment for covered entities and business associates?

There are not different types of risk assessment for covered entities and business associates. Both covered entities and business associates need to conduct “A-to-Z” risk assessments for any Protected Health Information created, used, or stored. While business associates may experience a lower volume of PHI than a covered entity, the risk assessment has to be just as thorough and just as well documented.

What is a HIPAA risk assessment?

A HIPAA risk assessment is a risk assessment that organizations subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act have to complete in order to be compliant with the “Security Management Process” requirements. Non-compliant organizations have been filed for failing to comply with this requirement of HIPAA.

What is the difference between a HIPAA risk assessment and a HIPAA compliance assessment?

The difference between a HIPAA risk assessment and a HIPAA compliance assessment is that a HIPAA risk assessment identifies potential threats and vulnerabilities so measures can be implemented to mitigate their likelihood. A HIPAA compliance assessment is usually an assessment performed by a third party to assess an organization´s compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Why can I not find a HIPAA risk assessment template on the Internet?

You will not find a HIPAA risk assessment template on the Internet because covered entities and business associates vary significantly in size, complexity, and capabilities, and there is no “one-size-fits-all” HIPAA risk assessment. Due to the number of variables, there is no such thing as a HIPAA risk assessment template; and, if you do source a template from the Internet, you should treat it with caution as it may not include every potential risk to PHI maintained by your organization.

When is a HIPAA risk assessment necessary?

A HIPAA risk assessment is necessary in two instances. The first instance appears in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process). The second instance occurs under the HIPAA Breach Notification Rule (45 CFR § 164.402), which applies when there has been an impermissible acquisition, access, use, or disclosure of unsecured PHI. However, organizations should conduct risk assessments more often than these requirements, particularly related to non-electronic PHI and organizational requirements.

What is the objective of a HIPAA security risk assessment?

The objective of a HIPAA security risk assessment is to identify risks to the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits. The risk assessment should not only focus on external threats, but also those within the organization attributable to malicious insiders or a lack of security awareness training.

What factors are considered in a HIPAA breach risk assessment?

The factors considered in a HIPAA breach risk assessment include the nature and extent of breached PHI, the types of identifiers and the likelihood of re-identification, the unauthorized person who accessed or used the breached PHI, whether PHI was actually acquired or viewed, and the extent to which the risk to PHI has been mitigated.

What could be the consequence of not identifying risks to PHI in a risk assessment?

The consequences of not identifying risks to PHI in a risk assessment are an increased likelihood of a data breach or impermissible disclosure, and – following on from such an event – a sanction issued by HHS’ Office for Civil Rights for failing to conduct a thorough risk assessment. It is important to be aware there are no excuses for failing to conduct a thorough risk assessment as covered entities and business associates “know or should know” they have a responsibility to safeguard PHI.

Do the HIPAA risk assessment requirements apply to Business Associates?

The HIPAA risk assessment requirements apply to business associates as business associates are required to comply with the HIPAA Security and Breach Notification Rules and the two HIPAA standards relating to HIPAA risk assessments appear in these Rules. Business associates are also advised to conduct HIPAA Privacy Rule risk assessments if the nature of their activities for a covered entity could violate the privacy of individually identifiable health information.

What tools can assist organizations with a HIPAA risk assessment?

The tools that can assist organizations with a HIPAA risk assessment include a downloadable Security Risk Assessment (SRA) tool released by HHS’ Office for Civil Rights in 2014 to help small and medium-sized medical practices with the compilation of a HIPAA risk assessment. There are also many tools available from third party compliance experts that are best used for identifying issues in situations not covered by the Security Risk Assessment Tool (i.e., HIPAA Privacy Rule compliance).

The post HIPAA Risk Assessment appeared first on The HIPAA Journal.

HIPAA Compliance for Business Associates

Posted April 30, 2025 by Steve Alder

HIPAA compliance for business associates has acquired greater significance since the publication of proposals to align the HIPAA Security Rule more closely with HHS’ Healthcare Sector Cybersecurity Strategy – among which is a requirement for covered entities to obtain verifications from business associates that they have implemented measures to protect electronic Protected Health Information.

The implication of this requirement – if finalized – is that covered entities will only be permitted to contract services from business associates that can demonstrate compliance with HIPAA. However, demonstrating compliance with HIPAA is not straightforward for many business associates because what HIPAA compliance for business associates consists of can vary considerably depending on the type of service provided to or on behalf of a covered entity.

Despite the variety of compliance requirements, some areas of HIPAA compliance are common to all business associates. Business associates that can demonstrate compliance with these common areas via independent certification are likely to have a competitive advantage against other service providers to the healthcare industry. This article explains what these common areas of compliance are and what business associates need to do to comply with HIPAA.

What is a HIPAA Business Associate?

A HIPAA business associate is an organization, or a person who is not a member of a covered entity’s workforce, that provides services to or on behalf of a covered entity which enable the business associate to have “persistent access” to Protected Health Information (PHI). Examples of HIPAA business associates include medical billing service providers, software providers (including Managed Service Providers), and accreditation organizations with access to PHI.

There are exceptions to this definition of a HIPAA business associate. Some providers of healthcare and payment services, and organizations or persons for whom access to PHI is incidental or transient, do not qualify as HIPAA business associates. Researchers also do not qualify as HIPAA business associates when PHI is disclosed for research because the purpose of the disclosure is not regulated by the HIPAA Administrative Simplification Regulations.

When an organization or person qualifies as a HIPAA business associate, they are required to comply with all applicable standards, requirements, and implementation specifications of the HIPAA Administrative Simplification Regulations. Each HIPAA business associate must determine which standards, requirements, and implement specifications are applicable to the service being provided, and implement policies, procedures, and other measures as necessary.

Why HIPAA Compliance for Business Associates is Important

When the HIPAA Privacy Rule was published in 2002, covered entities were required to obtain “satisfactory assurances” HIPAA business associates would only use PHI disclosed to them for the purposes of the service being provided, would safeguard the information from misuse, and would help the covered entity comply with some of their HIPAA Privacy Rule obligations by providing a service that enabled the covered entity to carry out its functions compliantly.

However, until the passage of the HITECH Act in 2009, HIPAA business associates could not be held accountable for the failure to uphold their satisfactory assurances. The HITECH Act made HIPAA business associates and their downstream subcontractors directly liable for compliance with certain requirements of the HIPAA Rules. The direct liability of HIPAA business associates and downstream subcontractors was codified in the HIPAA Omnibus Final Rule in 2013.

“Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.” (§160.102(b))

More recently, The Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking in January 2025 which, when finalized, will require covered entities to obtain written verifications from their HIPAA business associates that each HIPAA business associate has deployed and is operating technical safeguards that protect the confidentiality, integrity, and availability of PHI maintained on electronic information systems.

As the Notice of Proposed Rulemaking has the objective of aligning the HIPAA Security Rule with HHS’ Cybersecurity Performance Goals, and as compliance with HHS’ Cybersecurity Performance Goals may also become a condition of participation in Medicare and Medicaid, verifiable HIPAA compliance for business associates may soon become a condition for providing services to or on behalf of covered entities in the healthcare industry.

The Responsibilities of HIPAA Business Associates

The responsibilities of HIPAA business associates are much the same as they were in 2002 – only use PHI for the purposes of the service being provided, safeguard the information from misuse, and support the covered entity’s functions by providing a HIPAA compliant service. HIPAA business associates may use PHI for internal management and administration purposes, but there must be a documented chain of custody if PHI is disclosed to downstream subcontractors.

How HIPAA business associates fulfil their responsibilities depends on their existing status. For example, a software provider that wants to break into the healthcare market may only now be starting their journey to HIPAA compliance, while a Managed Service Provider with existing healthcare clients may already be fulfilling some responsibilities of HIPAA business associates – but not all – and may need to review and revise its operations to achieve full HIPAA compliance.

For the benefit of organizations and persons starting their journeys to HIPAA compliance, this article focuses on the common areas of HIPAA compliance for business associates from start to finish. Existing HIPAA business associates can use this article to identify gaps in compliance activities, while those with additional or uncommon HIPAA compliance responsibilities should seek advice from an independent compliance professional.

The Basics

Do You Qualify as a HIPAA Business Associate?

The first thing to determine is whether the service being provided qualifies you as a HIPAA business associate or subcontractor. If the service does not involve disclosures of PHI by a covered entity or upstream business associate, if disclosures of PHI are incidental or transient, or if the service is exempted under the HIPAA definition of a business associate, it is not necessary to comply with HIPAA (although other privacy and security regulations may apply).

Are disclosures of PHI involved?

Examples of when a service does not involve disclosures of PHI by a covered entity to a third party include when an organization provides email services to a healthcare provider, but the healthcare provider does not use email service to send, receive, or store PHI. Alternatively, an organization could provide software for an on-premises email server, but the organization does not have access to PHI sent, received, stored, or transmitted by the on-premises email server.

Are disclosures of PHI incidental?

Incidental disclosures of PHI are usually considered to be disclosures secondary to permitted disclosures of PHI that cannot reasonably be prevented. In the context of HIPAA compliance for business associates, incidental disclosures are when a third party whose services do not ordinarily involve uses and disclosures of PHI has unintended access to PHI. Examples could include a landscape gardener who recognizes a patient in the garden of a nursing home.

Is access to PHI transient?

Transient disclosures of PHI are disclosures to transmission-only services that do not have repeated or routine access to PHI. Example of third parties that do not qualify as a HIPAA business associate because their access to PHI is transient include the US Postal Service and other private couriers such as Fed-Ex, UPS, and DHL. Internet Service Providers also do not qualify as HIPAA business associates when they are used for transmission purposes only.

Is the service exempted?

Several types of services are exempted from qualifying as HIPAA business associates when the service being provided on behalf of a covered entity is for the treatment of a patient (i.e., medical specialists, laboratories, etc.) or for payment processing. However, the exemption for payment processing only applies to financial institutions providing their “normal” services for customers – not to developers and vendors of payment processing applications.

If You Qualify as a HIPAA Business Associate … …

If you qualify as a HIPAA business associate, there are several activities you must undertake before providing a service for or on behalf of a covered entity. The first is to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. The HIPAA Privacy Officer is responsible for ensuring compliance with all applicable HIPAA Administrative Simplification Requirements, while the HIPAA Security Officer is responsible for implementing the HIPAA Security Rule Safeguards.

Both roles can be outsourced, designated to existing employees, or – in smaller organizations – designated to the same employee. However, other than in exceptional circumstances, it is important to appoint both roles. It is rare that HIPAA compliance for business associates can be accomplished complying solely with the requirements of the HIPAA Security Rule. In most cases a more holistic approach to HIPAA compliance for business associates is necessary.

Business Associate Agreements

Before any PHI is disclosed to a HIPAA business associate, upstream covered entities must enter into a HIPAA Business Associate Agreement with the business associate. The Agreement establishes the permissible uses and disclosures of PHI by the business associate, how the business associate will respond to patients exercising their HIPAA rights, and responsibility for reporting disclosures of PHI not permitted by the Agreement, security incidents, and data breaches.

If your organization (as a HIPAA business associate) is using a service provided by a third party subcontractor (i.e., Microsoft 365) in the provision of the service to the covered entity, and PHI will be disclosed to the downstream subcontractor, your organization must also enter into a Business Associate Agreement with the downstream subcontractor. Some subcontractors (i.e., Microsoft) have a standard Business Associate Agreement that your organization must agree to.

Why Business Associate Agreements are Important

Determine which standards apply

Determining which standards of HIPAA apply to a service is one of the most complicated areas of HIPAA compliance for business associates. This is because, while most business associates are aware the service has to comply with the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, many overlook the Security Rule’s General Requirements – including the requirement to:

“Protect against any reasonably anticipated uses or disclosures [of PHI] that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).” (§164.306(a))

In addition to being aware of which uses and disclosures of PHI are permitted by the HIPAA Privacy Rule – and in what circumstances – and implementing policies and procedures to prevent violations of the HIPAA Privacy Rule, business associates may also have to prepare for individuals exercising their HIPAA rights and security incident notifications – the responsibility for which may be subject to the terms of upstream and downstream Business Associate Agreements.

Map the flow of PHI in all formats

One of the factors that can affect which standards of HIPAA apply is how PHI is created, received, maintained, or transmitted by the organization. For example, if PHI is received verbally, written down, and then transferred to an electronic system for storage, it will be necessary to have procedures in place to compliantly dispose of the media on which the PHI was written down as well as the final disposition of PHI stored on the electronic system.

Mapping the flow of PHI in all formats will also enable HIPAA business associates to determine when an individual’s consent or authorization is required prior to further disclosing PHI (for example, Substance Use Disorder records), or when an attestation is required from the recipient of PHI that the information will not be used to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.

Conduct Risk Analyses

Determining which HIPAA standards apply and mapping how PHI flows through the organization will help HIPAA business associates better prepare for a risk analysis – a process required by the HIPAA Security Rule, but also potentially necessary for PHI in all formats depending on the nature of the service(s) being provided to a covered entity. HIPAA risk analyses should be based on guidance published by HHS and adjusted as necessary to accommodate uncommon circumstances.

Identify and document potential vulnerabilities and threats to PHI

Business associates are required to identify and document vulnerabilities which, if triggered by a reasonably anticipated threat, would create a risk of unauthorized access to – or disclosure of – PHI. All vulnerabilities and reasonably anticipated threats from both internal and external sources must be documented.

Assess the capabilities of existing policies and security measures

Most organizations will already have some policies and security measures in place to support HIPAA compliance for business associates. However, business associates should assess whether the existing policies and security measures are sufficient to reduce identified vulnerabilities and risks to a reasonable and appropriate level.

Determine the likelihood and impact of a threat occurrence

It is not possible to eliminate all risks to the confidentiality, integrity, and availability of PHI, but by determining the likelihood and impact of a threat occurrence, HIPAA business associates should be able to prioritize which vulnerabilities should be addressed either by implementing additional technical safeguards or the provision of workforce training.

Determine the level of risk and potential consequences

Determining the level of risk to PHI and the potential consequences of a data breach will help HIPAA business associates with the development of contingency plans, data backup plans, and emergency mode operation plans (as required by the Administrative Safeguards) to ensure the availability of covered entities’ PHI during a HIPAA security incident

Implement additional policies and security measures as required

If existing policies and security measures are not sufficient to reduce identified vulnerabilities and risks to a reasonable and appropriate level, business associates are required to implement additional policies and security measures as required, and document the reasons for them based on the previous steps in the risk analysis process.

Reassess periodically and in response to a regulatory or operational change

A risk analysis is required every time there is a change in regulations or work practices, and when new technology is implemented. If none of these events occur, HIPAA business associates must still perform a periodic technical and non-technical evaluation to ensure policies and security measures remain effective and in compliance with HIPAA.

Common Safeguards

Because business associates must implement administrative, physical, and technical safeguards based on the outcome of a risk analysis, there is no one-size-fits-all guidance for what safeguards must be implemented in order to accomplish HIPAA compliance for business associates. Nonetheless, there are several common safeguards that must be implemented in order for HIPAA business associates to comply with HIPAA.

Physical security

Secure locations in which PHI in all formats is stored and restrict physical access to systems on which PHI is maintained. It may also be necessary to secure workstations and other devices or media which can access PHI depending on whether PHI is stored locally on the workstations, devices, and media, and what other technical safeguards exist to prevent unauthorized access.

Unique user IDs

Although HIPAA does not stipulate password requirements, business associates are required to assign unique user IDs for all members of the workforce. If user IDs consist of a username and password, it is important to enforce the use of strong passwords and be conscious that the mandatory use of MFA is included in the proposed update to the HIPAA Security Rule.

Minimum Necessary

Other than in exempted circumstances, uses and disclosures of PHI must be limited to the minimum necessary to fulfil the purpose of a use or disclosure. This means assigning different access permissions to systems depending on their functions, and different access permissions to workforce members depending on their roles.

Maintain audit logs

One of the purposes of assigning unique user IDs is to create audit logs and monitor access to PHI by workforce members. For this reason, it is important workforce members are instructed not to share login credentials with other members of the workforce. The audit logs should also monitor access to PHI by applications and be configured to flag anomalies that could indicate unauthorized access.

Workforce training

A common issue with HIPAA compliance for business associates is that the security awareness training provided by business associates is generic. According to the General Requirements of the HIPAA Security Rule, workforce training must be designed to protect against reasonably anticipated uses or disclosures of PHI not required or permitted by the HIPAA Privacy Rule.

Sanctions Policy

Business associates are required to apply sanctions against workforce members for any violation of the HIPAA Privacy Rule or for any violation of a policy implemented by the business associate to comply with the HIPAA Security Rule. Business associates that do not have, do not explain, or do not enforce a sanctions policy are themselves in violation of HIPAA.

Incident Management Preparation

According to §164.304 of the HIPAA Security Rule, the definition of a HIPAA security incident is any “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” The reason that unsuccessful security incidents must be monitored is to identify trends in failed access attempts in order to identify future potential risks to the security of PHI.

System configurations

In order to monitor unsuccessful security incidents, systems should be configured where it is possible to automatically detect and log events such as unsuccessful brute force attacks on log-in credentials, pings, and scans looking for undefended network ports. Anti-virus software and email systems should also be monitored for increasing volumes of detected malware and spam emails.

Reporting procedures

Procedures should also be developed for members of the workforce to report incidents that have evaded detection by security software or that have resulted from their own actions. In some cases, it can be beneficial to implement a system that facilitates anonymous reports to ensure that workforce members report an incident before it develops into a more serious event.

Incident management plan

Business associates must develop an incident management plan that includes incident monitoring, tracking, handling, and response for each type of incident. The plan must be documented and include the procedures for determining whether an incident is notifiable to an upstream covered entity. This can depend on the content of the Business Associate Agreement.

Incident preparedness testing

The incident management plan must be tested periodically for each type of incident and revised as necessary if vulnerabilities are discovered or if an analysis of detected unsuccessful security incidents identifies an increasing incident type. It may also be necessary to test workforce members on their abilities to identify and report incidents using a safe or sandboxed environment.

Procedures for receiving notifications

If a HIPAA business associate uses services provided by a downstream subcontractor, and the Business Associate Agreement with the downstream subcontractor specifies the business associate must be notified of security incidents and data breaches, the business associate must have procedures in place for receiving notifications (i.e., a point of contact, the method of notification, etc.).

Procedures for making notifications

Procedures must also be in place for notifying upstream covered entities when a HIPAA security incident or data breach occurs. Depending on the content of the Business Associate Agreement with the upstream covered entity, it may also be necessary to have procedures in place to notify affected individuals and HHS’ Office for Civil Rights in the event of a data breach.

Documentation and Reviews

One of the most important elements of HIPAA compliance for business associates is documentation. The accurate documentation of how PHI flows through the organization, risk analyses, and policies and procedures to support HIPAA compliance are essential. It is also important that all HIPAA training is documented as well as any sanctions imposed for violations of HIPAA. Business Associate Agreements and breach notifications must also be documented.

Organized documentation implies operational efficiency, which can help build trust in upstream covered entities. Organized documentation also makes it easier to keep on top of periodic reviews and evaluations. In addition, although documentation alone will not absolve a business associate from liability in the event of an avoidable HIPAA violation, organized documentation provides visible evidence of a business associate’s good faith effort to be HIPAA compliant.

It is important for certain documents to be reviewed periodically (risk analyses, incident management plans, etc.). However, HIPAA documentation is not the only regulatory requirements business associates may have to comply with and it is advisable to implement a policy management platform that not only manages HIPAA documentation and reviews, but also other documentation required by other federal and state agencies (i.e., OSHA, CMS, etc.).

The Strategic Advantage of HIPAA Compliance for Business Associates

HIPAA compliance is often seen as a legal obligation, but for business associates, it can also serve as a strategic advantage. By embracing HIPAA standards, demonstrating a commitment to safeguarding PHI via independent certification, and aligning HIPAA compliance activities with broader privacy and security frameworks, business associates not only fulfill their HIPAA compliance responsibilities but can also enhance their reputation and unlock growth opportunities.

Demonstrating compliance with applicable HIPAA Administrative Simplification Regulations via white papers, case studies, and independent certifications positions HIPAA business associates as reliable and attractive partners. This can serve as a differentiator in the healthcare industry when a compliance-certified HIPAA business associate is compared to other vendors and service providers – opening doors to business opportunities, contracts, and collaborations.

Business associates that invest in HIPAA compliance are better positioned to adapt to new laws and industry standards. The processes and systems established for HIPAA compliance often lay the groundwork for meeting future regulatory requirements, ensuring long-term sustainability and success. For those willing to embrace the challenges and opportunities of HIPAA compliance for business associates, the rewards extend far beyond meeting regulatory requirements – they lead to lasting business growth and innovation.

The post HIPAA Compliance for Business Associates appeared first on The HIPAA Journal.