In 2018, a medical billing company called Advanced Care Hospitalists paid $500,000 to settle with OCR after a business associate it hired gained access to patient data and used it to create fake invoices. The covered entity got hit — but the business associate walked away with patient records it should never have touched. That case changed how I talk to every client about business associate HIPAA compliance.

If your organization shares protected health information with any outside vendor — a billing service, a cloud storage provider, an IT contractor, a shredding company — you're operating in the exact territory where OCR has been handing out its most aggressive penalties. And in 2026, with updated enforcement priorities and tighter regulatory expectations, the stakes have only gone up.

What Is a Business Associate Under HIPAA?

A business associate is any person or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. That's the textbook answer. Here's the practical one.

If a vendor can see, touch, store, or move your patient data — even accidentally — they're probably a business associate. Cloud hosting providers. Answering services. EHR vendors. Consultants who access your network. Even that IT guy who remotes into your server once a quarter.

The definition is broad on purpose. HHS designed it to close loopholes. And yet, I still walk into organizations every month that haven't identified half of their business associates.

The Subcontractor Problem

Here's where it gets layered. Under the HIPAA Omnibus Rule of 2013, subcontractors of business associates are also considered business associates. That means if your billing company outsources coding to a third party, that third party needs its own Business Associate Agreement (BAA) and its own compliance program.

Most covered entities never ask about subcontractors. Most business associates never disclose them. That gap has fueled some of OCR's largest investigations.

The $4.3 Million Mistake: Why BAAs Alone Don't Cut It

I've seen organizations treat the BAA like a magic shield. Sign the paper, file it away, move on. That approach cost Advocate Medical Group dearly — they agreed to a $5.55 million settlement in 2016 after multiple breaches, including laptops containing ePHI of approximately 4 million individuals. The investigation revealed failures that extended across their business associate relationships and internal safeguards alike.

A BAA is necessary. It is not sufficient. Business associate HIPAA compliance requires active, ongoing oversight — not a signed PDF collecting dust in a shared drive.

What a Proper BAA Must Include

  • A description of the permitted uses and disclosures of PHI
  • Requirements that the BA implement appropriate safeguards
  • Obligations to report breaches and security incidents
  • Terms for returning or destroying PHI when the contract ends
  • Acknowledgment that the BA is directly liable under HIPAA
  • Provisions addressing subcontractor obligations

If your BAA template is missing any of these elements, you have a compliance gap right now. OCR's sample BAA provisions are a solid starting point for comparison.

Direct Liability Changed Everything — And Most BAs Still Don't Know

Before 2013, business associates operated in a gray zone. They were bound by contract, not by law. The Omnibus Rule changed that completely. Business associates are now directly liable for HIPAA Security Rule violations, certain Privacy Rule provisions, and breach notification requirements.

That means OCR can investigate and penalize a business associate independently — without going through the covered entity first. I've watched this realization hit vendor executives in real time during compliance assessments. The color drains from their faces.

If you're a business associate reading this, you need your own risk analysis, your own policies and procedures, your own workforce training, and your own incident response plan. Borrowing your client's compliance program doesn't work. It never did, but now it's explicitly illegal.

Your Business Associates Need Training — Here's What OCR Expects

The HIPAA Security Rule at 45 CFR § 164.308(a)(5) requires security awareness training for all workforce members. That includes every employee at a business associate organization who handles ePHI.

In my experience, this is the single biggest gap in business associate HIPAA compliance. The covered entity trains its own staff but never asks whether the billing company, the cloud vendor, or the IT contractor has done the same. And the business associate assumes its client is handling compliance for everyone.

Nobody trains. Everybody's exposed.

If you're a covered entity, start asking your business associates for proof of workforce training. If you're a business associate, get your team through a structured program like HIPAA Introduction Training 2026 — it covers exactly what OCR expects your staff to know.

Remote Workforce Adds Another Layer

Many business associates now operate with remote or hybrid teams. A medical transcriptionist working from a home office. A claims processor using a personal laptop. A consultant connecting through public Wi-Fi at a coffee shop.

Every one of those scenarios creates ePHI exposure. Your business associates need role-specific guidance for these environments, which is exactly why HIPAA Training for Remote Healthcare Workers exists. It addresses encryption, device management, and secure access — the exact controls OCR evaluates during an investigation.

How to Audit Your Business Associate Relationships in 2026

Here's a framework I use with every client. It's not theoretical — it's built from actual OCR corrective action plans I've studied.

Step 1: Inventory Every Vendor Relationship

List every vendor, contractor, and service provider that interacts with PHI. Include cloud services, payment processors, consultants, janitorial services with facility access, and any subcontractors they use. If you have fewer than ten on your list, you're probably missing some.

Step 2: Verify Every BAA

Pull every BAA. Confirm each one is signed, current, and contains the required provisions. Check termination clauses. Verify subcontractor language exists. If a BAA is older than three years and hasn't been reviewed, flag it immediately.

Step 3: Request Compliance Documentation

Ask each business associate for evidence of their own HIPAA compliance program: risk analysis, training records, incident response procedures, encryption standards. You're not being aggressive — you're fulfilling your oversight obligations as a covered entity.

Step 4: Establish Breach Notification Protocols

Under the Breach Notification Rule, a business associate must notify the covered entity within 60 days of discovering a breach. But I've seen BAAs that don't specify how that notification happens, who receives it, or what information must be included. Nail down the details before an incident forces the question.

Step 5: Schedule Annual Reviews

Compliance isn't a one-time project. Your BA relationships should be reviewed annually — at minimum. New services, new subcontractors, new technology, and new staff all change the risk profile.

Community Health Programs: A BA Compliance Blind Spot

Community health organizations often work with dozens of external partners — outreach workers, social service agencies, translation services, transportation providers. Many of these partners handle PHI without realizing it. Many have never signed a BAA.

I've seen community health centers with forty active vendor relationships and BAAs for six of them. If your organization operates in this space, get your extended workforce trained through programs like HIPAA Training for Community Health Workers. It's designed for the non-clinical staff and partners who handle PHI in the field — exactly the people most compliance programs forget.

What Happens When a Business Associate Gets Breached?

When a business associate experiences a breach, both the BA and the covered entity feel the impact. The covered entity is responsible for notifying affected individuals and HHS. The BA is responsible for identifying the scope and cooperating with the investigation.

In practice, finger-pointing starts immediately. The BA says it followed the covered entity's instructions. The covered entity says it trusted the BA's security representations. OCR investigates both.

The only way to protect your organization is documentation. If you can prove you conducted due diligence — signed BAAs, requested compliance evidence, trained your workforce, and conducted risk analyses — you have a defensible position. Without that paper trail, you're writing a settlement check.

The Bottom Line for 2026

Business associate HIPAA compliance isn't optional, secondary, or someone else's problem. OCR treats it as a core obligation for both covered entities and business associates. Every vendor relationship is a potential liability. Every unsigned BAA is an open investigation waiting to happen.

Start with your vendor inventory. Verify your agreements. Demand training records. Build a review cycle you can sustain. The organizations that do this work proactively are the ones I never see in enforcement headlines.

The ones that don't? They become the case studies I reference in blog posts like this one.