In 2023, OCR settled with a business associate — a medical records management company — for $100,000 after an investigation revealed failures to safeguard protected health information. The company had no business associate agreement on file and was handling PHI with virtually no privacy safeguards. This case reinforced a principle that too many organizations still overlook: business associates must comply with the HIPAA privacy standards, and OCR is actively enforcing that obligation.
How the Omnibus Rule Changed Everything for Business Associates
Before the 2013 Omnibus Rule, business associates operated in a gray area. Covered entities were responsible for ensuring their vendors handled PHI properly, but direct enforcement against business associates was limited. The Omnibus Rule eliminated that gap entirely.
Under 45 CFR §164.502(a) and the expanded definitions in §160.103, business associates are now directly liable for compliance with applicable provisions of the HIPAA Privacy Rule and the full Security Rule. This means OCR can — and does — investigate, fine, and settle directly with business associates, independent of the covered entity that hired them.
If your organization provides services to a covered entity and you create, receive, maintain, or transmit PHI on their behalf, you are a business associate. That includes cloud hosting providers, billing companies, IT contractors, shredding services, consultants, and even subcontractors — now classified as business associate subcontractors under the Omnibus Rule.
Specific Privacy Standards Business Associates Must Follow
The idea that business associates must comply with the HIPAA privacy standards is not abstract. There are specific, enforceable requirements your organization must meet.
The Minimum Necessary Standard
Business associates must apply the minimum necessary standard when using or disclosing PHI. Under 45 CFR §164.502(b), you may only access the minimum amount of protected health information needed to perform the service outlined in your business associate agreement. Broad, unrestricted access to patient records is a violation — even if the covered entity granted it.
Limitations on Use and Disclosure
Your organization may only use or disclose PHI as permitted by your business associate agreement or as required by law. You cannot repurpose PHI for marketing, sell it, or use it for employment decisions unless explicitly authorized. Violations of these limitations carry civil and criminal penalties under the HIPAA enforcement framework.
Individual Rights Obligations
Business associates must also support the rights of individuals regarding their PHI. If you maintain PHI in a designated record set on behalf of a covered entity, you may be required to provide access to that information or make amendments when requested. Your business associate agreement should clearly define these responsibilities.
Breach Notification Duties
Under the Breach Notification Rule at 45 CFR §164.410, business associates must report any breach of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery. Failing to report a breach, or delaying notification, is itself a HIPAA violation subject to penalties.
Why a Business Associate Agreement Alone Does Not Equal Compliance
In my work with covered entities and their vendors, I see the same mistake repeatedly: organizations sign a business associate agreement and treat it as a compliance checkbox. A BAA is legally required under 45 CFR §164.502(e), but it is a contract — not a compliance program.
A signed BAA does not protect you from OCR enforcement if your organization lacks administrative, physical, and technical safeguards. It does not substitute for a risk analysis. It does not train your workforce. OCR has made clear through enforcement actions that business associates must implement actual, operational privacy and security protections.
The 2024 OCR annual report to Congress highlighted that a significant percentage of investigated breaches involved business associates. Covered entities increasingly name their vendors as the source of incidents, and OCR follows the evidence wherever it leads.
The Risk Analysis Requirement Most Business Associates Ignore
Under the HIPAA Security Rule at 45 CFR §164.308(a)(1), every business associate must conduct a thorough risk analysis of potential threats to the confidentiality, integrity, and availability of ePHI. This is not optional. OCR cites the absence of a risk analysis more than any other deficiency in enforcement actions.
Your risk analysis must be documented, reviewed periodically, and updated whenever your environment changes — new systems, new subcontractors, new workflows. A risk analysis from three years ago that sits in a drawer offers zero protection in an investigation.
Workforce Training Is a Direct Obligation — Not Just the Covered Entity's Problem
Business associates must comply with the HIPAA privacy standards across their entire workforce. Under 45 CFR §164.530(b), training must be provided to every member of the workforce who handles PHI. This includes full-time employees, part-time staff, contractors, and volunteers.
Training cannot be generic. It must address your organization's specific policies and procedures for protecting PHI. Enrolling your team in HIPAA training and certification is one of the most direct ways to meet this requirement and document compliance. OCR expects training records — who was trained, when, and on what material.
How OCR Enforces Privacy Standards Against Business Associates
OCR enforcement against business associates has accelerated since 2016. Penalties have ranged from $31,000 to over $4 million depending on the severity and duration of the violations. Common findings include:
- No signed business associate agreement in place
- Failure to conduct a risk analysis
- Impermissible disclosures of PHI to unauthorized parties
- Lack of workforce training documentation
- Delayed or absent breach notifications
OCR has also pursued business associates through its HIPAA Right of Access Initiative, holding organizations accountable when they obstruct patient access to their own records.
Protecting Your Organization: Actionable Steps for Business Associates
If your organization functions as a business associate, take these steps immediately:
- Confirm every covered entity relationship has a current, compliant BAA. Review them annually.
- Conduct and document a comprehensive risk analysis. Address identified risks with a management plan.
- Implement written privacy and security policies that reflect how your organization actually handles PHI — not boilerplate templates.
- Train every workforce member. Use a structured program like HIPAA Certify's workforce compliance solution to ensure consistent, documented training.
- Establish a breach notification procedure so your team knows exactly how and when to report incidents to covered entities.
- Apply the minimum necessary standard to every use and disclosure of protected health information.
Business associates must comply with the HIPAA privacy standards — not as a theoretical obligation, but as a regulatory reality enforced through audits, investigations, and significant financial penalties. The organizations that treat compliance as an ongoing operational priority, rather than a one-time paperwork exercise, are the ones that protect both their patients and their business.