Information Security Leader, Author, Instructor and Speaker

Business associates: How to manage the new HIPAA problem child

Posted on May 15, 2014 in Articles

With the HIPAA Omnibus Rule in full effect, one of the big changes introduced is the newfound liability heaped on business associates. While covered entities have always been required to enter into business associate agreements (BAAs) with service providers, the Omnibus Rule extends the government’s regulatory reach through those agreements. Service providers who sign BAAs are now subject to the direct regulatory authority of the Department of Health and Human Services (HHS). In addition, covered entities now share liability for the actions of business associates.

Hospitals, health insurers, medical practices and other HIPAA covered entities often rely upon a range of outside service providers to assist them with administrative, patient care and other tasks where the provider comes into contact with protected health information (PHI). In those cases, the provider is considered a business associate under the HIPAA regulation and the covered entity is required to enter into a Business Associate Agreement (BAA) with the provider.


Published May 15, 2014 on



Mike Chapple, CISSP, Ph.D.

Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.
