HIPAA Privacy Rule Summary for Business Associates: HHS OCR Guidance


Kevin Henry

HIPAA

August 05, 2024

6 minute read

Overview of HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards for how protected health information (PHI) may be used and disclosed. For business associates, it defines compliance obligations tied to the purposes for which a covered entity permits access to PHI and the guardrails that prevent unauthorized PHI disclosure.

Business associates may use or disclose PHI only as allowed by their business associate agreement or as required by law. The “minimum necessary” standard, individual rights (access, amendment, and accounting), and protected health information safeguards all shape how you design processes, technology, and training.

The Privacy Rule works alongside the Security Rule (for ePHI safeguards) and the Breach Notification Rule (for breach notification procedures). Together, these rules frame the operational baseline HHS OCR uses in guidance and HIPAA enforcement actions.

Key principles that guide business associates

  • Limit PHI uses/disclosures to contract- or law-permitted purposes and apply the minimum necessary standard.
  • Implement administrative, physical, and technical safeguards proportionate to risk.
  • Support covered entities in fulfilling individual rights and responding to incidents.

Definitions of Business Associates

A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity to perform a function or service. Subcontractors that handle PHI for a business associate are also business associates and must meet equivalent requirements.

Common examples include claims processors, cloud service providers, EHR and billing vendors, data analytics firms, consultants, legal and accounting firms, and health information exchanges. Workforce members of a covered entity are not business associates, and mere conduits that only transport data without routine access do not qualify.

Because business associates operate across complex ecosystems, you should build prevention of unauthorized PHI disclosure into procurement, contracting, and vendor oversight, ensuring that PHI access is role-based, time-bound, and auditable.

Requirements for Business Associate Agreements

A written business associate agreement must be in place before PHI is shared. The agreement translates regulatory duties into actionable expectations and remedies, aligning day-to-day operations with the Privacy Rule.


Core clauses every agreement should include

  • Permitted uses and disclosures: Specify the purposes for which the business associate may use or disclose PHI and incorporate the minimum necessary standard.
  • Safeguards: Require administrative, physical, and technical protected health information safeguards, including risk analysis, access controls, auditing, and incident response.
  • Breach and incident reporting: Define breach notification procedures, timelines, and reporting content; require prompt reporting of security incidents.
  • Subcontractor flow-down: Mandate that subcontractors agree in writing to the same restrictions and protections.
  • Individual rights support: Obligate cooperation to provide access, amendment, and accounting of disclosures for PHI held by the business associate.
  • HHS access: Permit HHS to examine internal practices related to PHI privacy and security.
  • Return or destroy PHI: On termination, return or destroy PHI; if infeasible, extend protections and limit further uses/disclosures.
  • Termination rights: Allow the covered entity to terminate for a material breach of compliance obligations.

Obligations for Breach Management

Business associates must maintain capabilities to detect, assess, contain, and report incidents involving PHI. An impermissible use or disclosure is presumed to be a breach unless you demonstrate a low probability of compromise using a documented risk assessment.

Risk assessment factors

  • Nature and extent of PHI involved (identifiers, sensitivity, and risk of re-identification).
  • Unauthorized person who used or received the PHI and their obligations to protect it.
  • Whether the PHI was actually acquired or viewed.
  • Extent of mitigation, such as prompt retrieval, encryption, or confidentiality assurances.

Once a breach is discovered, notify the covered entity without unreasonable delay and no later than 60 calendar days from discovery. Your report should describe what happened, the types of PHI involved, the number of affected individuals, steps taken for containment and mitigation, and recommended actions for impacted individuals.

Cooperate with the covered entity as it determines individual notifications, notices to HHS (and to the media when required), and corrective actions. Maintain logs of security incidents, implement lessons learned, and strengthen controls so that unauthorized PHI disclosures are less likely to recur.

Business Associate Liability and Penalties

Business associates are directly liable for compliance with the HIPAA Security Rule and for specific provisions of the Privacy and Breach Notification Rules that apply to them, including impermissible uses/disclosures and failure to provide timely breach notification to covered entities.

HHS OCR may impose civil monetary penalties for violations, considering factors such as the nature and extent of the violation, resulting harm, and the entity’s culpability and corrective actions. In egregious cases involving knowing misconduct, individuals may also face civil and criminal penalties under federal law.

Beyond regulatory risk, contracts may permit termination and damages for noncompliance. A strong compliance program reduces exposure from investigations, litigation, and reputational harm arising from HIPAA enforcement actions.

HHS OCR Enforcement Guidance

HHS OCR guidance emphasizes practical steps: completing and updating risk analyses, implementing risk-based controls, executing and maintaining current business associate agreements, and documenting decisions tied to the minimum necessary standard. OCR routinely cites failures in these areas when resolving investigations.

Operational focus areas

  • Governance and accountability: Assign leadership for privacy and security, define roles, and track compliance obligations.
  • Access management: Enforce least privilege, timely role changes, and strong authentication, with auditing and alerts.
  • Data protection: Encrypt ePHI at rest and in transit, manage keys, and harden systems and cloud environments.
  • Vendor oversight: Vet subcontractors, flow down requirements, and monitor performance and incidents.
  • Training and awareness: Conduct initial and periodic training tailored to job functions and threat trends.
  • Testing and drills: Exercise incident response and breach notification procedures and close gaps identified.

Conclusion

For business associates, the HIPAA Privacy Rule, as interpreted in HHS OCR guidance, centers on disciplined use/disclosure limits, robust safeguards, documented breach response, and reliable vendor management. Clear contracts, evidence-backed risk decisions, and continuous improvement are the most effective path to sustained compliance.

FAQs

What are the main responsibilities of business associates under HIPAA?

You must limit PHI uses and disclosures to what your business associate agreement permits or the law requires, apply the minimum necessary standard, implement comprehensive safeguards for ePHI and paper PHI, support covered entities in honoring individual rights, and promptly report and help manage incidents and breaches.

How must business associate agreements address PHI use?

They must define permitted and required uses and disclosures, require protected health information safeguards, set breach notification procedures and timelines, flow down the same restrictions to subcontractors, provide for HHS access, and address PHI return or destruction upon termination, with termination rights for material noncompliance.

What steps must covered entities take following a breach by a business associate?

Covered entities perform a risk assessment, determine whether notification is required, and, if so, issue timely notices to affected individuals, HHS, and the media when applicable. They coordinate with the business associate to mitigate harm, correct vulnerabilities, and enforce contractual remedies or terminate the relationship if necessary.
