Business Associate Obligations Under HIPAA: Key Requirements and Compliance Checklist


Kevin Henry

HIPAA

February 08, 2026

6 minute read

Business associates handle Protected Health Information (PHI) for covered entities, and since the 2013 Omnibus Rule their HIPAA responsibilities are extensive and directly enforceable by HHS, not merely by contract. This guide translates the rules into practical steps so you can reduce risk, pass a Compliance Audit, and prove due diligence without slowing operations.

Use the sections below to confirm your scope, implement safeguards, prepare for the Breach Notification Rule, and lock down contractual and record‑keeping practices. Treat each list as a working checklist you can validate against your current program.

Business Associate Definition

A business associate is any person or organization, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or that provides services to it (legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial) that involve disclosure of PHI. This includes electronic PHI (ePHI) held in apps, clouds, backups, or logs.

  • Common examples: billing companies, EHR and practice-management vendors, cloud and data center providers, email and texting platforms, claims processing, legal and consulting firms, transcription, shredding, analytics, and customer support with screen access.
  • Subcontractors that handle PHI for you become downstream business associates. You must flow down HIPAA obligations via a Business Associate Agreement (BAA) and oversee their compliance.
  • Vendors with persistent access to PHI are in scope even if they never look at it: under HHS cloud computing guidance, a provider that stores encrypted ePHI is still a business associate even when it holds no decryption key. Only true conduits with transient access (ISPs, couriers) fall outside the definition, and data leaves scope only once it is de-identified under the Privacy Rule standard.

HIPAA Compliance Obligations

As a business associate, you must comply with the HIPAA Security Rule in full and key provisions of the Privacy Rule. You may use or disclose PHI only as permitted by your BAA or as required by law, apply the minimum necessary standard, and support covered entities with individual rights requests.

  • Execute and honor a Business Associate Agreement that defines permitted uses and disclosures.
  • Implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards aligned to risk.
  • Conduct a risk analysis and ongoing risk management; document decisions and remediation.
  • Report security incidents and potential breaches under the Breach Notification Rule.
  • Ensure subcontractors sign BAAs and meet the same restrictions and safeguards.
  • Support the covered entity's obligations to give individuals access to their PHI, amend it, and provide an accounting of disclosures, within the timeframes the BAA sets.
  • Mitigate harmful effects of any improper use or disclosure and prevent recurrence.
  • Return or securely destroy PHI at contract end if feasible; document if not feasible.
  • Make policies, procedures, and relevant records available for a Compliance Audit or investigation.

Security Safeguards

Security hinges on layered safeguards tailored to your environment. Build controls around people, premises, and technology to keep PHI confidential, intact, and available.

  • Administrative Safeguards: risk analysis, risk management plan, sanctions, workforce security and background checks, role-based access, training and awareness, vendor management, incident response, and contingency planning with backups and disaster recovery testing.
  • Physical Safeguards: facility access controls, visitor management, workstation security, device and media controls, secure disposal, and protection of offices, server rooms, and home workspaces.
  • Technical Safeguards: unique user IDs, multi-factor authentication, least privilege, encryption in transit and at rest, network segmentation, audit logging and monitoring, integrity controls, automatic logoff, secure configuration baselines, patching, and data loss prevention for email and file sharing.

Operationalize these controls with change management, documented exceptions, and periodic testing. Validate that alerts reach responsible owners and that evidence is retained for audits.

Breach Notification

A breach is an acquisition, access, use, or disclosure of unsecured PHI that the Privacy Rule does not permit and that compromises the security or privacy of the PHI. PHI is "unsecured" unless it has been encrypted or destroyed in line with HHS guidance, so a lost laptop with intact full-disk encryption and an uncompromised key is not a reportable breach. Any impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, based on four factors: the nature and extent of the PHI (identifiers involved and likelihood of re-identification), the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Three narrow exceptions apply: unintentional good-faith access by a workforce member acting within their authority, inadvertent disclosure between persons authorized to access PHI at the same organization, and a good-faith belief that the recipient could not reasonably have retained the information.

  • Timing: notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Sixty days is a ceiling, not a target, and many BAAs set shorter deadlines (for example, 5 to 10 days). Follow the stricter term; a BAA can shorten the regulatory window but never extend it.
  • Discovery: the clock starts on the first day the breach is known to you or, with reasonable diligence, would have been known. Knowledge held by any workforce member or agent is imputed to you, so an alert that fired but was never triaged still starts the clock.
  • Content: describe what happened, dates, types of PHI, number of individuals affected, mitigation taken, and steps individuals can take. Include contact information for follow-up.
  • Scope: report subcontractor incidents to the covered entity and coordinate on investigation, remediation, and required notices under the Breach Notification Rule.
  • Evidence: preserve logs, alerts, forensic artifacts, and decision records supporting your assessment.
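The two timing rules above (imputed discovery and the stricter-of-two deadline) are easy to get wrong under pressure, so here is an added worked example in Python that is not part of the original article. It assumes ISO-formatted dates and that the BAA's reporting clause is expressed as a number of calendar days; the function names and the sample dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# 45 CFR 164.410(b): a business associate must notify the covered entity
# without unreasonable delay and in no case later than 60 calendar days
# after discovery. A BAA may shorten this window but cannot extend it.
HIPAA_OUTER_LIMIT_DAYS = 60


def discovery_date(knew_on: Optional[date], should_have_known_on: Optional[date]) -> date:
    """Day the breach counts as discovered: the earlier of the day you actually
    knew and the day you would have known with reasonable diligence (for
    example, the day a DLP alert fired even if nobody triaged it until later)."""
    candidates = [d for d in (knew_on, should_have_known_on) if d is not None]
    if not candidates:
        raise ValueError("need at least one discovery date")
    return min(candidates)


@dataclass(frozen=True)
class NotificationDeadline:
    discovered: date
    notify_by: date
    governing_term: str   # which clause actually sets the date
    days_remaining: int   # relative to the 'today' passed in


def notification_deadline(discovered: date, baa_days: Optional[int],
                          today: date) -> NotificationDeadline:
    """Apply the stricter of the regulatory 60-day ceiling and any BAA deadline."""
    if baa_days is not None and baa_days < HIPAA_OUTER_LIMIT_DAYS:
        window, term = baa_days, f"BAA ({baa_days}-day reporting clause)"
    else:
        # A BAA clause of 60 days or more adds nothing; the regulation governs.
        window, term = HIPAA_OUTER_LIMIT_DAYS, "45 CFR 164.410(b) 60-day outer limit"
    notify_by = discovered + timedelta(days=window)
    return NotificationDeadline(discovered, notify_by, term, (notify_by - today).days)


def plan_notification(knew_on: Optional[str], should_have_known_on: Optional[str],
                      baa_days: Optional[int], today: str) -> dict:
    """String-in, string-out wrapper so the result drops straight into a ticket."""
    def parse(s: Optional[str]) -> Optional[date]:
        return date.fromisoformat(s) if s else None

    discovered = discovery_date(parse(knew_on), parse(should_have_known_on))
    d = notification_deadline(discovered, baa_days, date.fromisoformat(today))
    return {
        "discovered": d.discovered.isoformat(),
        "notify_by": d.notify_by.isoformat(),
        "governing_term": d.governing_term,
        "days_remaining": d.days_remaining,
    }


if __name__ == "__main__":
    # Constructed scenario: the SIEM alerted on 2026-01-10, the analyst opened
    # the case on 2026-01-15, and the BAA requires reporting within 10 days.
    print(plan_notification("2026-01-15", "2026-01-10", 10, "2026-01-15"))
```

Note that the imputed discovery date moves the deadline earlier than the analyst's own timeline suggests, and that passing a BAA clause of 90 days still yields the 60-day regulatory date.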

Permitted Uses and Disclosures

You may use or disclose PHI only as permitted by your BAA, as necessary to perform contracted services, or as required by law. Always apply the minimum necessary standard and restrict access to workforce members with a legitimate need.

  • Permitted: treatment, payment, and health care operations performed on behalf of the covered entity; use of PHI for your own proper management and administration, with disclosure for that purpose allowed only if required by law or if you obtain reasonable assurances that the recipient will keep it confidential and report any breach; and de-identification or data aggregation services where the BAA expressly permits them.
  • Prohibited without authorization: marketing communications, most sales of PHI, and uses outside your BAA’s scope. If in doubt, seek written direction from the covered entity before proceeding.
  • Individual rights: support requests for access, amendment, and accounting by timely supplying information to the covered entity.

Contractual Requirements

The Business Associate Agreement operationalizes HIPAA between you and the covered entity. Ensure the contract is specific, testable, and aligned with your actual controls and processes.

  • Required terms: permitted uses/disclosures; safeguard obligations; breach and incident reporting; subcontractor flow-down; access, amendment, and accounting support; availability to regulators; return/destruction of PHI; and termination for cause.
  • Recommended terms: notification timelines, encryption expectations, audit and assessment rights, evidence delivery formats, cyber insurance, cost allocation for breach response, change control, data residency, and secure transition/exit procedures.
  • Governance: define points of contact, escalation paths, and cadence for security reviews and joint tabletop exercises.

Record Keeping

Maintain written policies, procedures, and evidence showing your HIPAA program is implemented and effective. Retain required documentation for at least six years from creation or last effective date, whichever is later.

  • Risk analyses, risk treatment plans, vulnerability scans, penetration tests, and remediation tracking.
  • Security incident and breach investigation files, with timelines and Breach Notification Rule decisions.
  • Training materials, completion logs, acknowledgments, and sanctions applied.
  • Access reviews, audit logs, system configurations, backups, and recovery test results.
  • All Business Associate Agreements and subcontractor agreements, plus due diligence records.
  • Requests and responses supporting access, amendment, and accounting of disclosures.

Package records so you can quickly respond to a Compliance Audit or inquiries from covered entities. Keep a clear evidence map linking each HIPAA requirement to artifacts that prove it.

FAQs

What are the main HIPAA obligations for business associates?

You must implement Administrative, Physical, and Technical Safeguards; limit PHI uses and disclosures to what your Business Associate Agreement permits; report incidents under the Breach Notification Rule; ensure subcontractors meet the same obligations; support access, amendment, and accounting requests; mitigate harm; and retain documentation for audit readiness.

How soon must a business associate report a breach?

Notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. If your Business Associate Agreement specifies a shorter deadline, you must meet that stricter timeframe and provide the required incident details and evidence.

What safeguards must business associates implement?

Implement layered controls: Administrative Safeguards (risk analysis, training, incident response, contingency plans), Physical Safeguards (facility access, workstation and device protections, secure disposal), and Technical Safeguards (unique IDs, MFA, least privilege, encryption, logging, integrity and transmission security). Tailor each to your risk profile and document how they operate in practice.
