The Compliance Gap Most Healthcare Organizations Miss
When a healthcare organization experiences a data breach, the investigation rarely stops at the front door. Regulators from the HHS Office for Civil Rights follow the data — and increasingly, that trail leads directly to a vendor, a billing company, a cloud host, or an IT service provider. HIPAA business associate compliance is not a formality your legal team handles once at contract signing. It is an ongoing obligation with real enforcement teeth, and the organizations that treat it as a checkbox exercise are the ones paying seven-figure settlements.
This post is written for compliance managers and executives who want a clear-eyed answer to a practical question: what are your business associates actually required to do, and how do you verify they are doing it?
Who Qualifies as a Business Associate Under HIPAA
A business associate is any person or entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information (PHI). The definition is deliberately broad. Under the HIPAA Omnibus Rule of 2013, it was extended further to include subcontractors who handle PHI on behalf of a business associate.
Common examples include:
- Medical billing and coding companies
- Cloud storage and electronic health record (EHR) vendors
- IT managed services providers with access to systems containing PHI
- Legal firms that handle medical malpractice or disability cases involving patient records
- Third-party administrators and claims processors
- Transcription services
- Accountants and consultants who access PHI in the course of their engagement
If a vendor touches PHI — even incidentally, even in an encrypted state — the covered entity has an obligation to assess whether a business associate relationship exists and, if it does, to execute a compliant Business Associate Agreement (BAA) before any PHI is shared.
Organizations serving the healthcare industry should treat vendor classification as an ongoing process, not a one-time exercise. Staff turnover, new service integrations, and technology migrations all create new exposure points that require re-evaluation.
What a Business Associate Is Actually Required to Do
Since the Omnibus Rule, business associates are directly liable under HIPAA — not just through contractual obligation to a covered entity, but through direct regulatory enforcement. OCR can investigate and fine a business associate independently of any action taken against the covered entity. That distinction matters enormously when you are evaluating your vendor relationships.
Security Rule Obligations
Business associates must implement the same administrative, physical, and technical safeguards that the HIPAA Security Rule requires of covered entities. This includes:
- Conducting and documenting a security risk analysis of their systems that store, process, or transmit PHI
- Implementing access controls, audit controls, and integrity controls over electronic PHI (ePHI)
- Encrypting ePHI in transit and, where addressable, at rest
- Maintaining a workforce training program on security policies and procedures
- Establishing and testing contingency plans including data backup and disaster recovery procedures
- Implementing policies governing workstation use and device and media controls
Privacy Rule Obligations
Business associates may use and disclose PHI only as permitted by their BAA or as required by law. They may not use PHI for their own purposes, sell it, or disclose it in ways that exceed the scope of the agreement. They must also:
- Honor individual rights requests that covered entities pass through, such as access and amendment requests
- Make their internal practices and records available to HHS for compliance reviews upon request
- Maintain accounting of disclosures where required
Breach Notification Obligations
A business associate that discovers a breach of unsecured PHI must notify the covered entity — not OCR directly — without unreasonable delay and no later than 60 days after discovery. The notification must include the specific details required under the Breach Notification Rule: the identification of individuals affected, a description of the type of PHI involved, the date of the breach, and a description of what the business associate is doing to mitigate harm and prevent recurrence.
Failure to report a breach in time is itself a HIPAA violation. Covered entities that have been blindsided by a late vendor notification know exactly how damaging this can be, both to patient trust and to their regulatory standing.
What Must Be in Your Business Associate Agreement
A BAA is the legal instrument that establishes the terms of PHI handling between a covered entity and a business associate. It is required before any PHI is shared. A BAA that does not meet the minimum content requirements of 45 CFR § 164.504(e) is not a compliant BAA — it is a document that creates the illusion of compliance while leaving both parties exposed.
A compliant BAA must:
- Describe the permitted uses and disclosures of PHI by the business associate
- Require the business associate to not use or disclose PHI beyond what is permitted or required
- Require implementation of appropriate safeguards under the Security Rule
- Require the business associate to report breaches and security incidents to the covered entity
- Require the business associate to ensure any subcontractors who handle PHI agree to the same restrictions through their own BAA
- Allow the covered entity to terminate the agreement if the business associate violates a material term
- Require the return or destruction of PHI upon termination of the agreement
Many organizations use template BAAs provided by their vendors. This is a practice worth scrutinizing carefully. Vendor-supplied BAAs are written to protect the vendor, not you. They frequently contain indemnification language, narrow incident reporting windows, and limitation-of-liability clauses that will work against you in the event of a breach. Review every BAA with legal counsel and compliance expertise before signing.
If your organization needs help building a structured approach to vendor agreements and related documentation, our HIPAA Compliance Documentation Toolkit provides a practical starting point for covered entities and business associates alike.
Downstream Obligations: Subcontractors Are Not Exempt
One of the most overlooked areas of HIPAA business associate compliance is the subcontractor chain. When a business associate engages a subcontractor — a cloud provider, a data analytics firm, a software development shop — that subcontractor becomes a business associate in its own right if it handles PHI. The original business associate is responsible for ensuring that a BAA is in place with every downstream subcontractor.
This creates a compliance chain that extends well beyond the organizations a covered entity can see or directly control. If a billing company uses an offshore transcription service that has no BAA in place, that is a HIPAA violation — and the covered entity bears responsibility for having failed to require the billing company to manage its own subcontractors appropriately.
Your BAA with each business associate must explicitly require subcontractor BAAs. Your vendor due diligence process should confirm that those requirements are being enforced, not merely acknowledged.
How Covered Entities Should Be Monitoring Business Associate Compliance
HIPAA does not require covered entities to audit their business associates continuously. But it does require covered entities to have reasonable assurances that their business associates are compliant. When a breach occurs and OCR investigates, one of the first things examiners ask is: what did you do to verify that this vendor was actually protecting PHI?
"We had a BAA signed" is not a sufficient answer.
A defensible vendor compliance program includes:
- Pre-engagement due diligence: Security questionnaires, SOC 2 Type II reports, or evidence of a completed HIPAA risk analysis before PHI access is granted
- Contractual audit rights: BAAs should include the right to audit or request compliance attestations
- Annual review of active BAAs: Agreements should be reviewed for accuracy as services evolve and personnel change
- Incident response integration: Your incident response plan should account for vendor-initiated breaches and define how notification workflows function across the BAA relationship
- Termination protocols: Documented procedures for retrieving or destroying PHI when a vendor relationship ends
Organizations that lack the internal resources to maintain this level of oversight often benefit from ongoing compliance support. Our Regulatory vCISO Services are designed specifically for organizations that need expert-level compliance leadership without the cost of a full-time CISO.
Common Business Associate Compliance Failures That Lead to Enforcement
OCR enforcement actions and HHS breach portal submissions consistently reveal the same categories of failure. Understanding these patterns helps compliance managers prioritize where to focus their vendor oversight efforts:
- No BAA in place: PHI shared with a vendor before any agreement is signed remains one of the most common violations — and one of the hardest to defend
- Outdated or inadequate BAAs: Agreements signed before the 2013 Omnibus Rule that were never updated, or template agreements that do not meet current content requirements
- No security risk analysis at the business associate level: Vendors that handle PHI but have never conducted a formal risk analysis in compliance with the Security Rule
- Delayed breach notification: Business associates failing to notify the covered entity within the 60-day window, or notifying without the required detail
- Uncontrolled subcontractor access: Third parties accessing PHI without a BAA because the primary business associate failed to manage its own downstream chain
Building a Mature Business Associate Compliance Program
Mature HIPAA business associate compliance programs treat vendor management as a discipline, not a paperwork exercise. That means building processes that scale: a vendor registry that tracks BAA status, classification of vendors by risk tier based on the volume and sensitivity of PHI accessed, defined review cycles, and clear escalation paths when a vendor cannot demonstrate compliance.
For organizations looking to formalize this approach, our Compliance Program Development services help healthcare organizations and their business associates build structured, auditable programs that hold up under OCR scrutiny.
If your organization operates across multiple regulated environments — for example, a healthcare technology company that also holds federal contracts — the compliance obligations multiply. Our team has direct experience helping organizations navigate overlapping frameworks, including those covered under our IT Compliance Services.
For deeper background on protecting sensitive data assets and understanding how data breach risk applies to your vendor relationships, our post on the growing threat of data breaches is worth reviewing alongside this material.
The Bottom Line for Compliance Managers
HIPAA business associate compliance is not your vendors' problem alone. Covered entities share enforcement exposure when their vendor oversight is inadequate. The question is not whether you have BAAs on file. The question is whether those agreements are accurate, whether the vendors operating under them are actually meeting their obligations, and whether you have the documentation to prove it when OCR comes asking.
If you have not reviewed your business associate inventory and agreement library in the past twelve months, that gap is worth closing before a breach forces the issue.
Ready to Strengthen Your HIPAA Business Associate Compliance Program?
Cleared Systems works with healthcare organizations, business associates, and multi-framework regulated entities to build compliance programs that stand up under real scrutiny. Whether you need a full program assessment, BAA review, or ongoing vCISO-level support, we are ready to help. Request a quote to start the conversation, or explore our engagement models to find the structure that fits your organization.
