In 2024, OCR settled with a medical transcription company for $1.2 million after a breach investigation revealed the business associate had never conducted a risk analysis, failed to encrypt PHI at rest, and had no workforce training program. The organization assumed that because it wasn't a hospital, HIPAA didn't fully apply. That assumption cost them seven figures. If your organization handles protected health information on behalf of a covered entity, you need a HIPAA compliance checklist for business associates — and you need to act on it before OCR comes knocking.

Why Business Associates Face the Same HIPAA Liability as Covered Entities

Since the Omnibus Rule took effect in 2013, business associates have been directly liable for compliance with specific provisions of the HIPAA Privacy Rule, the full Security Rule, and the Breach Notification Rule. This isn't optional. If your company processes, stores, transmits, or has any access to PHI for a covered entity, you are a business associate under 45 CFR §160.103.

OCR enforcement actions against business associates have increased steadily. Between 2016 and 2024, business associates accounted for a growing share of resolution agreements and civil money penalties. The message is clear: subcontractors, IT vendors, billing companies, cloud hosting providers, and consultants all carry direct regulatory risk.

The Complete HIPAA Compliance Checklist for Business Associates

This checklist covers every major obligation your organization must address. Use it as an audit framework, not a one-time exercise. HIPAA compliance is an ongoing operational requirement.

1. Execute a Business Associate Agreement (BAA)

  • Ensure you have a signed BAA with every covered entity you serve — and with any subcontractors who access PHI on your behalf.
  • The BAA must specify permitted uses and disclosures of PHI, require safeguards, mandate breach reporting, and address termination provisions per 45 CFR §164.504(e).
  • Review and update BAAs whenever services, data flows, or subcontractor relationships change.

2. Conduct a Comprehensive Risk Analysis

  • Perform a risk analysis that identifies every system, workflow, and location where PHI is created, received, maintained, or transmitted — as required under 45 CFR §164.308(a)(1).
  • Document threats, vulnerabilities, likelihood of exploitation, and potential impact to PHI confidentiality, integrity, and availability.
  • Repeat this process annually or whenever significant changes occur in your environment.

Risk analysis failures are the single most common finding in OCR investigations. In my work with covered entities and business associates, I've seen organizations skip this step more than any other — and pay the price.

3. Implement Security Rule Administrative, Physical, and Technical Safeguards

  • Administrative: Assign a Security Officer, develop and enforce security policies, implement workforce access controls, and establish a sanction policy for violations.
  • Physical: Restrict physical access to facilities and workstations that store or access electronic PHI (ePHI). Document facility security plans and device/media controls.
  • Technical: Deploy access controls, audit controls, integrity controls, and transmission security. Encrypt ePHI in transit and at rest wherever technically feasible.

4. Develop and Enforce Privacy Policies

  • Limit your use of PHI to what is authorized in your BAA and apply the minimum necessary standard — access only the minimum PHI required to perform your contracted function.
  • Establish clear policies for PHI handling, storage, return, and destruction upon contract termination.
  • While business associates do not issue a Notice of Privacy Practices, you must understand and comply with the covered entity's privacy requirements as specified in your BAA.

5. Build a Breach Notification and Incident Response Program

  • Under 45 CFR §164.410, business associates must notify covered entities of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery.
  • Document an incident response plan that includes detection, investigation, containment, documentation, and notification procedures.
  • Maintain a log of all security incidents, including those that do not rise to the level of a reportable breach.

6. Train Your Entire Workforce on HIPAA Requirements

Healthcare organizations consistently struggle with this requirement, and business associates typically fare even worse. Every member of your workforce — employees, contractors, volunteers — who has access to PHI must receive HIPAA training at onboarding and periodically thereafter.

Training must cover PHI handling, your organization's specific policies and procedures, recognizing and reporting security incidents, and the consequences of HIPAA violations. A structured HIPAA training and certification program ensures your workforce meets this obligation with documented proof of completion.

7. Document Everything

  • HIPAA requires you to retain policies, procedures, risk analyses, training records, BAAs, and incident logs for six years from the date of creation or the date last in effect — whichever is later (45 CFR §164.530(j)).
  • If OCR opens an investigation, your documentation is your primary defense. Undocumented compliance is functionally the same as noncompliance.

Common Gaps That Trigger OCR Enforcement Against Business Associates

A review of years of OCR resolution agreements shows an unmistakable pattern. Business associates most frequently fail in these areas:

  • No risk analysis or an incomplete risk analysis — this appears in nearly every enforcement action.
  • No BAA in place with subcontractors who access PHI.
  • No encryption on laptops, mobile devices, or portable media containing ePHI.
  • No documented workforce training — OCR will ask for records, and "we told everyone verbally" does not satisfy the requirement.
  • Delayed breach notification — exceeding the 60-day reporting window to the covered entity.

Each of these gaps can independently result in a HIPAA violation with penalties ranging from $141 per violation to over $2 million per violation category per year, depending on the level of culpability under the penalty tiers established in 45 CFR §160.404.

Turn This Checklist Into an Ongoing Compliance Program

A HIPAA compliance checklist for business associates is only useful if it drives sustained action. Assign ownership for each checklist item. Set calendar reminders for annual risk analysis reviews, BAA audits, and training refreshers. Test your incident response plan at least once a year.

If your organization lacks internal HIPAA expertise, invest in a compliance platform that provides structured guidance. HIPAA Certify's workforce compliance solution helps business associates implement training, track completion, and maintain the documentation OCR expects during an investigation.

OCR does not distinguish between organizations that intended to comply and those that did not. It looks at what you documented, what you implemented, and what your workforce actually does with PHI every day. Start with this checklist. Build from there. And never assume that being a business associate means reduced scrutiny — the regulatory reality is exactly the opposite.