Complete Guide to HIPAA for Business Associates


Healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two federal laws that govern how patient health information is used, disclosed, and protected.

HIPAA requires healthcare providers, hospitals, health plans, and other covered entities to protect the privacy of patients' protected health information (PHI). It also applies to third-party businesses that work with these organizations in a way that requires handling that information.

HIPAA and HITECH are more important than ever for securing protected health information given the growing number and severity of cyber attacks and data breaches. Here’s what you need to know about HIPAA for business associates if you work with HIPAA-covered entities and need to become HIPAA compliant yourself.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) "addresses the use and disclosure of individuals' health information—called protected health information," according to the Department of Health and Human Services. HIPAA's privacy provisions were created to ensure the confidentiality and appropriate use of personal health information.

The Privacy Rule applies to all covered entities, and it also establishes an individual's rights to control how their own health information is used. Covered entities include "health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions."

Who Needs to Comply with HIPAA?

Business Associates

As mentioned, healthcare providers need to comply with HIPAA, but the act also applies to all business associates handling protected health information (PHI). A business associate is described as "a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information." Before sharing PHI, a covered entity must have a written business associate agreement (BAA) with each business associate that sets out the permitted uses and disclosures of PHI and the safeguards the associate must maintain.

Business associates may include, when the work involves PHI, but are not limited to:

  • Accounting or financial firms
  • Insurance providers
  • Manufacturers, vendors, and suppliers
  • Legal counsel
  • Data aggregators
  • Management & administrative personnel
  • Accreditation organizations

How Do You Know If You’re Handling PHI?

HIPAA regulations protect “individually identifiable health information (PHI) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” PHI includes:

  • The patient's name, address, date of birth and Social Security number
  • Description of the patient’s physical or mental condition 
  • The care or treatment provided to the individual 
  • Information about the payment of care which would identify the patient
  • Any information that could reasonably be used to identify the patient  

De-identified data is not protected by HIPAA, and HIPAA places no restrictions on its use (other laws may still apply). To qualify as de-identified, the data cannot contain information that could reasonably be used to identify an individual. The Privacy Rule recognizes two methods: Safe Harbor, which removes 18 specified identifiers (names, dates more specific than the year, Social Security numbers, medical record numbers, and similar identifiers), and Expert Determination, in which a qualified expert documents that the risk of re-identification is very small. Stripping only a patient's name does not de-identify a record.

Understanding HIPAA Titles


HIPAA contains five titles that introduce regulations and protections for different situations and areas of business.

The five titles of HIPAA are:

  • Health insurance reform
  • Administrative simplification
  • Tax-related health provisions
  • Application and enforcement of group health plan requirements
  • Revenue offsets


Title II, the Administrative Simplification provisions, is the title most commonly referenced regarding HIPAA compliance. It requires covered healthcare providers to obtain a unique 10-digit National Provider Identifier (NPI). It also requires healthcare organizations to use standardized transaction and code set formats for electronic data interchange (EDI) when processing and submitting insurance claims.

HIPAA Privacy Rule

The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, is another part of this title; it sets the national standard for protecting patient health information in any form. The Security Rule, formally the Security Standards for the Protection of Electronic Protected Health Information, sets the administrative, physical, and technical safeguards required for electronic PHI (ePHI) specifically.

Finally, Title II includes the Enforcement Rule, which sets the procedures for compliance investigations, the imposition of civil money penalties, and hearings.

Penalties for HIPAA Violations

HIPAA is crucial for protecting important information, so there is a steep penalty for violations.

The maximum civil penalty is $50,000 per violation, with an annual cap of $1.5 million for violations of an identical provision; these figures are adjusted for inflation each year, so the current amounts are somewhat higher. Knowing violations can also be prosecuted criminally, with fines and possible imprisonment.

Every HIPAA-covered organization needs a privacy official to develop and implement the policies to follow HIPAA guidelines. Additionally, all employees handling PHI need training for the policies and procedures related to HIPAA.

The privacy of PHI must be maintained, and if PHI is improperly disclosed, the covered entity must mitigate any harmful effects. Failing to safeguard PHI (for example, suffering a breach caused by inadequate safeguards), failing to notify affected individuals and HHS after a breach, or failing to give patients access to their own PHI are all violations that can result in severe penalties.

How the HITECH Act Expands HIPAA

The Health Information Technology for Economic and Clinical Health Act, or HITECH Act of 2009, was created to expand the scope of the privacy and security protections available under HIPAA. HITECH increased the legal liability for non-compliance with HIPAA and provided for stricter enforcement.

A main objective of HITECH was to promote the adoption and meaningful use of electronic health records (EHRs), which greatly increases the volume of electronic PHI exchanged among healthcare entities. As with all PHI, electronic PHI must be handled according to HIPAA's rules when it is shared between doctors, hospitals, and other parties.

Under the HITECH Act, civil penalties are tiered by the level of culpability, with the highest penalties reserved for willful neglect. HITECH also made business associates directly liable for complying with the Security Rule and with applicable Privacy Rule provisions, rather than only through their contracts with covered entities, and it introduced the Breach Notification Rule, which requires notification of affected individuals and HHS after a breach of unsecured PHI.

Managing HITECH and HIPAA Compliance for Business Associates

To protect PHI and remain HIPAA and HITECH compliant, cyber security is crucial. However, it can be difficult to navigate all of the requirements, especially for businesses that aren’t directly in the healthcare field and are new to learning HIPAA’s standards.

At AIS, we use established cybersecurity practices to reduce the likelihood of a data breach. With experience in many fields, including healthcare and business associates working with healthcare organizations, we have the expertise to help you remain compliant.

Our team assesses your information security posture and helps you improve it. Through our NIST-based approach and risk analysis, our experts identify your strengths and your areas of risk. We build an information security program suited to your organization and help you meet stringent regulatory requirements.

Get in touch through our website or give us a call at (317) 751-4332 to learn more about our strong technological solutions and how we can help you adhere to HIPAA regulations.
