In 2018, a medical records company called Advanced Care Hospitalists paid $500,000 to settle HIPAA violations after a billing services contractor gained access to PHI for over 9,000 patients — without a proper business associate agreement in place. The contractor wasn't a hospital. Wasn't a doctor's office. It was a billing company. And HHS made it very clear: business associates must comply with the HIPAA privacy standards, period. If your organization handles PHI on behalf of a covered entity and you think compliance is someone else's problem, you're wrong — and you're exposed.
The HITECH Act Changed Everything for Business Associates
Before 2009, business associates operated in a gray zone. They signed agreements promising to protect PHI, but direct enforcement against them was virtually nonexistent. The HITECH Act demolished that loophole.
Under HITECH and the 2013 Omnibus Rule, HHS extended direct liability to business associates. That means OCR can — and does — investigate, fine, and publicly name business associates who violate the HIPAA Privacy and Security Rules. You don't need to be a covered entity to face a seven-figure penalty.
I've seen IT vendors, shredding companies, cloud storage providers, and billing firms all operate under the assumption that HIPAA is their client's concern. That assumption has cost organizations millions.
What Exactly Qualifies as a Business Associate?
A business associate is any person or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity. That's the formal definition from 45 CFR Part 160.
In practice, that includes a massive range of vendors and partners:
- IT service providers and cloud hosting companies that store ePHI
- Medical billing and coding companies
- Claims processing firms
- Attorneys who access PHI for legal services
- Consultants who perform utilization reviews
- Shredding and document destruction companies
- Accountants with access to records containing PHI
If your work touches PHI in any form — electronic, paper, or verbal — you are a business associate. And business associates must comply with the HIPAA privacy standards just as rigorously as the hospitals and health plans they serve.
The $2.3 Million Wake-Up Call That Shook the Industry
In 2016, Raleigh Orthopaedic Clinic paid $750,000 after it handed over x-rays containing PHI to a vendor without a business associate agreement. The vendor wasn't vetted. The PHI wasn't protected. OCR stepped in.
But the case that really turned heads was CHSPSC LLC. In 2020, this business associate — a management company serving Community Health Systems hospitals — agreed to a $2.3 million settlement after a breach affecting over 6 million individuals. The failures included lack of technical safeguards, insufficient risk analysis, and inadequate information system activity reviews.
That settlement wasn't against a hospital. It was against the business associate. OCR's message is unmistakable: they will pursue business associates directly.
Which HIPAA Privacy Standards Apply to Business Associates?
This is the question I get most often from vendors and subcontractors. Here's the direct answer.
Business associates must comply with the HIPAA privacy standards that govern use and disclosure of PHI. Specifically, a business associate:
- May only use or disclose PHI as permitted by its business associate agreement or as required by law
- Must implement safeguards to prevent unauthorized use or disclosure of PHI
- Must report any unauthorized use, disclosure, or breach to the covered entity
- Must ensure subcontractors agree to the same restrictions (yes, subcontractor liability flows downstream)
- Must make PHI available for individuals' access requests when the business associate holds the designated record set
- Must provide an accounting of disclosures when required
On top of the Privacy Rule requirements, business associates are directly subject to the HIPAA Security Rule. That means implementing administrative, physical, and technical safeguards for ePHI. It also means conducting a thorough risk analysis — the exact area where CHSPSC failed.
The Breach Notification Obligation
Business associates have a standalone obligation under the Breach Notification Rule. If you discover a breach of unsecured PHI, you must notify the covered entity within 60 days. Failing to do so is an independent violation that OCR can enforce directly against you.
I've worked with business associates who assumed their covered entity clients would handle breach notification. That's a dangerous misunderstanding. Your obligation to report to the covered entity is yours alone. The covered entity then reports to affected individuals and HHS — but the clock starts ticking the moment your workforce discovers the breach.
Business Associate Agreements Are Not Optional Decorations
A business associate agreement (BAA) is the contractual backbone of the relationship between a covered entity and a business associate. Without a valid BAA, both parties are in violation of HIPAA.
Here's what I've seen go wrong repeatedly: organizations execute BAAs and then file them away, never revisiting them. A BAA isn't a one-time checkbox. It must reflect the actual services being provided, the specific PHI being handled, and the current regulatory requirements. Outdated BAAs are nearly as dangerous as missing ones.
Every BAA should specify permitted uses and disclosures, require the business associate to implement safeguards, mandate breach reporting, and address return or destruction of PHI at termination. If your BAA doesn't cover these elements, it's insufficient.
Workforce Training: The Overlooked Compliance Pillar
Here's what I tell every business associate I consult with: your compliance program is only as strong as the people executing it. HIPAA requires that workforce members receive training on your policies and procedures. That applies to business associates, not just covered entities.
Most breaches I've investigated trace back to human error — an employee clicking a phishing link, a contractor emailing PHI to the wrong recipient, a developer leaving a database unsecured. Training prevents these failures before they become six-figure settlements.
If your organization needs structured, role-specific HIPAA education, explore the HIPAA training catalog at HIPAACertify. Proper workforce training isn't just a regulatory requirement — it's the single most cost-effective risk mitigation tool you have.
Subcontractors: The Chain of Liability Extends Further Than You Think
Under the Omnibus Rule, subcontractors of business associates are themselves business associates. This means a cloud hosting company hired by your billing vendor to store ePHI must also comply with HIPAA. And your billing vendor must have a BAA with that cloud hosting company.
I've seen organizations with three or four layers of subcontractors, each assuming the layer above them handled compliance. Nobody had. The result was a breach with no clear chain of accountability and massive exposure for everyone involved.
Map your subcontractor relationships. Ensure BAAs exist at every level. Verify that each subcontractor has implemented appropriate safeguards. This isn't optional — it's what the regulation demands.
Five Steps Every Business Associate Should Take in 2026
If you're a business associate reading this and wondering where to start, here's your action list:
- Conduct a comprehensive risk analysis. Not a checklist — an actual evaluation of threats to the confidentiality, integrity, and availability of ePHI you handle.
- Review and update all BAAs. Ensure they reflect current services, current regulations, and current subcontractor relationships.
- Train every workforce member. Use structured HIPAA training programs that cover privacy, security, and breach notification obligations specific to business associates.
- Implement a breach response plan. Know exactly who to notify, how to document, and how to meet the 60-day reporting window.
- Document everything. OCR doesn't give credit for good intentions. They give credit for written policies, signed training acknowledgments, completed risk analyses, and executed BAAs.
OCR Is Watching — And They're Not Slowing Down
HHS has made business associate enforcement a priority. The OCR enforcement highlights page shows a steady stream of settlements and civil money penalties targeting business associates alongside covered entities.
Business associates must comply with the HIPAA privacy standards — not as a courtesy, not as a best practice, but as a legal obligation backed by real enforcement. I've watched too many organizations learn this lesson through OCR investigations rather than through proactive compliance.
Don't let your organization be the next cautionary tale on a government enforcement page. Build your compliance program now, train your workforce thoroughly, and treat HIPAA not as your client's problem but as your own.