In June 2023, OCR settled with a business associate, a medical records management company, for $75,000 after a breach exposed the protected health information of more than 2,000 patients. The root cause was not a sophisticated cyberattack; it was a failure to implement basic Security Rule safeguards. The covered entity that hired the vendor had no documentation showing it had ever verified the vendor's compliance posture. That is the reality of business associate HIPAA compliance, and it is why your organization cannot treat vendor management as a formality.
Why Business Associate HIPAA Compliance Falls on Your Shoulders
Under 45 CFR §160.103, a business associate is any person or entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. Think billing companies, cloud hosting providers, IT consultants, shredding services, and even certain law firms. Since the 2013 Omnibus Rule the definition also reaches down the chain: a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate.
Since the Omnibus Rule of 2013, business associates are directly liable for compliance with the Security Rule and with certain Privacy Rule provisions. But here is what covered entities consistently overlook: your liability does not end because your business associate is independently regulated. OCR has made clear that covered entities must take affirmative steps to ensure their vendors handle PHI appropriately.
The standard is codified in 45 CFR §164.504(e)(1)(ii): a covered entity that knows of a pattern of activity or practice by its business associate that constitutes a material breach or violation of the business associate's obligations is itself out of compliance unless it takes reasonable steps to cure the problem and, if those steps fail, terminates the contract where feasible. The same obligation runs from a business associate to its subcontractors under §164.504(e)(1)(iii). Knowing about a vendor's violations and failing to act is not a theoretical exposure; it is an enforceable one.
The Business Associate Agreement: Necessary but Not Sufficient
Every covered entity knows it needs a Business Associate Agreement (BAA) in place before sharing PHI. But in my work with covered entities, I consistently see organizations treat the BAA as the finish line rather than the starting gate.
A properly executed BAA under 45 CFR §164.504(e)(2) must include specific provisions: the permitted and required uses and disclosures of PHI; a requirement to use appropriate safeguards (and, for electronic PHI, to comply with the Security Rule, per §164.314(a)(2)(i)); a duty to report any use or disclosure not provided for by the contract, including breaches of unsecured PHI; flow-down of the same restrictions and conditions to subcontractors; support for individuals' rights of access, amendment, and accounting of disclosures; making internal practices, books, and records available to the Secretary; return or destruction of PHI at termination where feasible; and authorization to terminate the contract on material breach. Generic templates downloaded from the internet rarely cover every required element.
More critically, a signed BAA without ongoing oversight is a compliance gap waiting to become an OCR investigation. The agreement creates a legal framework. Your vendor management program is what makes business associate HIPAA compliance operational.
Four Steps to Operationalize Vendor HIPAA Compliance
1. Conduct a Comprehensive Business Associate Inventory
You cannot manage what you have not identified. Start by cataloging every vendor, contractor, and subcontractor that touches PHI. Include cloud service providers, even those that claim they "never access" your data: under OCR's 2016 cloud computing guidance, a provider that stores or transmits PHI is a business associate even if the data is encrypted and the provider holds no key. The only carve-out is the narrow "conduit" exception for services that merely transmit PHI on a transient basis, such as an internet service provider or a courier; it does not cover storage.
Staff who have been trained to recognize what makes a vendor a business associate catch relationships at this step that untrained teams miss, so this inventory is a good place to involve people who have completed HIPAA training.
2. Verify Safeguards Beyond the BAA
Request evidence. Ask business associates for their most recent risk analysis (required under 45 CFR §164.308(a)(1)(ii)(A)) and the risk management plan that addresses its findings (§164.308(a)(1)(ii)(B)). Review their policies on encryption, access controls, and workforce training. Third-party attestations such as a SOC 2 Type II report are useful supporting evidence, but they are not a substitute for a HIPAA risk analysis. If a vendor cannot produce documentation of these Security Rule requirements, that is a red flag your organization must address before, not after, a breach.
3. Establish Breach Notification Protocols
Under the Breach Notification Rule (45 CFR §§164.400-414), a business associate must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery (§164.410). A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the business associate, so the clock does not wait for an internal investigation to conclude. Note that 60 days is an outer limit, not a target: if the business associate is acting as your agent, its discovery is imputed to you under §164.404(a)(2), and your own 60-day deadline to notify affected individuals starts running on that date. Your BAA should therefore specify a much shorter reporting window, how the notification occurs, who receives it, and what information it must include.
In practice, many breach reports from business associates arrive late, incomplete, or not at all. Build contractual remedies for non-compliance and test your notification workflows, including the vendor's contact path to your privacy and security officers, at least annually.
4. Require Workforce Training at the Vendor Level
The Privacy Rule's workforce training requirement (45 CFR §164.530(b)) is written for covered entities, but business associates are directly subject to the Security Rule's security awareness and training standard (§164.308(a)(5)), and they cannot meet their BAA obligations without workforce members who know what PHI is and how it must be handled. Yet OCR enforcement actions consistently reveal that vendor employees receive little or no HIPAA education. Your BAA should require documented training, and your organization should verify that it actually happens, for example by requesting training records and completion dates during the periodic review.
Pointing your business associates to a structured workforce HIPAA training program is one of the most practical steps you can take to reduce downstream risk.
OCR Enforcement Trends Targeting Business Associate Failures
OCR's enforcement record tells a clear story. Between 2019 and 2024, multiple resolution agreements specifically cited failures in business associate oversight. Penalties in these cases ranged from tens of thousands to millions of dollars.
In its 2022 annual report to Congress, OCR emphasized that hacking and IT incidents — many originating at business associates — accounted for the largest share of reported breaches. Over 75% of individuals affected by breaches that year were impacted by incidents at business associates or their subcontractors.
The minimum necessary standard (45 CFR §164.502(b)) also applies to disclosures to business associates. Your organization must limit the PHI shared with each vendor to what is necessary for the specific service it performs, and the vendor's access should be provisioned accordingly under your access-control policies (§164.308(a)(4)). Blanket access to the full patient record for a billing company is a HIPAA violation waiting to surface.
Documentation That Survives an OCR Investigation
If OCR comes calling, they will ask for your business associate inventory, executed BAAs, evidence of due diligence, and records of how you responded to any known compliance issues. "We had a contract" is not a defense if you never verified the vendor's safeguards or ignored warning signs.
Maintain a centralized file for each business associate that includes the signed BAA, risk assessment documentation, evidence of workforce training, breach notification logs, and records of periodic compliance reviews. Update this documentation at least annually and whenever the scope of services changes, and retain it for the six years required by §164.316(b)(2)(i) for Security Rule documentation and §164.530(j) for Privacy Rule documentation.
The Cost of Treating Business Associate Compliance as a Checkbox
Healthcare organizations that reduce business associate HIPAA compliance to a signed agreement and a filed contract are accepting risk they can control. Every vendor with access to PHI is an extension of your organization's compliance posture.
OCR will not excuse a breach because it happened at a vendor you failed to oversee, and where the business associate acts as your agent, its acts and omissions within the scope of that agency are attributed to you under §160.402(c). The reputational damage, financial penalties, and erosion of patient trust hit the same way as a breach by your own workforce. Build vendor oversight into your policy and procedure review cycles, your annual risk analysis, and your ongoing workforce training requirements, and hold every business associate to the same standard you hold yourself.