What Are the Business Associate Requirements Under HIPAA? Key Duties and Compliance Steps

If your organization creates, receives, maintains, or transmits Protected Health Information (PHI) for a healthcare client, you operate as a business associate. Understanding the business associate requirements under HIPAA helps you reduce risk, meet contractual duties, and protect PHI.

Below are the essential obligations and practical compliance steps you can implement now, aligned with the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.

Business Associate Agreements

Purpose and scope

A Business Associate Agreement (BAA) is a contract that sets the permitted uses and disclosures of PHI and binds you to safeguard it. You must execute a BAA before handling PHI, and you are directly liable for compliance with its terms.

Core clauses to include

• Permitted uses/disclosures and the minimum necessary standard.
• Administrative, physical, and technical safeguards consistent with the HIPAA Security Rule.
• Reporting obligations for incidents and breaches under the Breach Notification Rule.
• Support for individual rights (access, amendment, and accounting of disclosures when applicable).
• Subcontractor HIPAA Compliance via flow-down BAAs with the same restrictions and conditions.
• Right to make internal practices and records available to the Secretary of HHS upon request.
• Termination provisions and requirements to return or destroy PHI.

Practical steps

• Inventory services that involve PHI and map data flows to confirm who touches ePHI.
• Standardize your BAA template and negotiation playbook to avoid gaps.
• Track effective dates, versions, and termination/return-or-destroy commitments.
• Verify that your liability insurance aligns with BAA obligations.

Administrative Safeguards Implementation

Governance and roles

Designate a Compliance Officer and a Security Officer to own policies, risk management, and oversight. Establish a security management process that includes formal Risk Analysis and documented risk treatment.

Policies, training, and sanctions

• Adopt policies for access, incident response, change management, and vendor oversight.
• Train your workforce on PHI handling, phishing, and minimum necessary; document completion.
• Apply a sanctions policy consistently for violations and retain evidence.

Access governance and minimum necessary

• Use role-based access to limit PHI to users who need it to perform job duties.
• Review access at least quarterly and immediately upon role changes or termination.

Contingency planning

• Maintain data backup, disaster recovery, and emergency mode operations plans.
• Test restorations and scenarios; document results and improvements.

Documentation and retention

• Maintain written policies and procedures and retain required documentation for six years.
• Record decisions where an addressable specification is not implemented and justify alternatives.

Physical Safeguards Measures

Facility and environment

• Control physical access to areas where ePHI systems reside and maintain visitor logs.
• Protect against environmental hazards with appropriate power, climate, and fire controls.

Workstations and devices

• Harden workstations; auto-lock screens; restrict installation privileges.
• Use secure device configuration baselines and mobile device management for laptops and phones.

Media controls

• Encrypt portable media; track custody; sanitize or destroy media before reuse or disposal.
• Prohibit unapproved personal storage devices for PHI.

Remote and hybrid work

• Require secure home office setups, privacy screens, and locked storage for physical records.
• Disable local data storage when feasible; prefer virtual desktops or controlled applications.

Technical Safeguards Enforcement

Access controls

• Issue unique user IDs; enforce strong authentication and multi-factor authentication for remote and privileged access.
• Segment networks; apply least privilege and just-in-time elevation for administrators.

Audit controls

• Enable logging for systems handling ePHI and centralize logs for monitoring and alerting.
• Define retention consistent with policy and investigative needs.

Integrity and availability

• Use anti-malware, application allowlisting, and file integrity monitoring to protect ePHI.
• Apply secure configuration baselines and routine patch management.

Transmission security and encryption

• Encrypt PHI in transit (e.g., TLS for web/email, VPN for administrative access).
• Encrypt PHI at rest and manage keys securely; review cryptographic settings periodically.

Application and API security

• Perform secure SDLC activities: threat modeling, code review, and security testing.
• Limit data returned by APIs to the minimum necessary and mask sensitive fields where possible.

Breach Notification Procedures

Determining a breach

Use the four-factor Breach Notification Rule analysis: nature/extent of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and the extent of mitigation. If risk is not low, treat the incident as a breach.

Timelines and content

• Notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery.
• Provide the known facts: what happened, dates, types of PHI involved, number of affected individuals, mitigation steps, and a point of contact. Supply additional details as they become available.

Incident response workflow

• Contain the incident, preserve evidence, and initiate your investigation plan.
• Document decisions, risk analysis, and corrective actions; coordinate messaging with the covered entity.

Mitigation and lessons learned

• Offer remediation (e.g., credential resets, credit monitoring when appropriate) and prevent recurrence with targeted control improvements.
• Update policies, training, and vendor requirements based on root-cause findings.

Risk Assessment Practices

Ongoing Risk Analysis

Conduct an enterprise-wide Risk Analysis to identify where ePHI lives, who can access it, and the threats and vulnerabilities that could impact confidentiality, integrity, and availability. Repeat assessments after major changes and at regular intervals.

Methodology and outputs

• Inventory assets and data flows; evaluate likelihood and impact to derive risk levels.
• Produce a prioritized risk register with owners, timelines, and chosen treatments (reduce, accept, transfer).

Verification and testing

• Run vulnerability scans, penetration tests, and social engineering tests to validate controls.
• Exercise tabletop scenarios for outages, ransomware, and vendor incidents; capture measurable improvements.

Evidence and governance

• Maintain artifacts (policies, screenshots, tickets, logs) that show controls operate as designed.
• Have leadership review and approve findings and remediation plans.

Subcontractor Compliance Management

Flow-down obligations

If you engage vendors that handle PHI, they become your subcontractors. Execute BAAs with them and enforce Subcontractor HIPAA Compliance equal to your own commitments.

Vendor risk lifecycle

• Due diligence before onboarding: security questionnaires, certifications, and technical validation.
• Contract requirements: BAAs, minimum controls, breach notification timelines, and the right to audit.
• Ongoing oversight: periodic assessments, performance metrics, and evidence reviews.
• Offboarding: revoke access, retrieve or destroy PHI, and document completion.

Data minimization and access

• Limit PHI shared with subcontractors to the minimum necessary and tokenize where feasible.
• Enforce encryption, network restrictions, and monitoring on all connections and data stores.

Coordinated incident handling

• Require immediate subcontractor notice of incidents and jointly perform risk assessments.
• Align timelines so upstream covered entities receive timely, accurate notifications.

By operationalizing the BAA, safeguards, breach response, and continuous Risk Analysis, you build a consistent compliance posture that protects PHI and strengthens client trust.

FAQs

What is a Business Associate Agreement under HIPAA?

A Business Associate Agreement (BAA) is a required contract between a covered entity and a business associate that defines permitted PHI uses/disclosures and obligates administrative, physical, and technical safeguards, breach reporting, subcontractor flow-down, and PHI return or destruction at termination.

What are the required safeguards for business associates?

Business associates must implement the HIPAA Security Rule’s administrative, physical, and technical safeguards—such as Risk Analysis and risk management, access controls, audit logging, encryption where appropriate, workforce training, contingency planning, and documented policies and procedures.

How must business associates handle breach notifications?

After discovering a breach of unsecured PHI, you must notify the covered entity without unreasonable delay and no later than 60 days. Provide known facts, affected individuals (if identifiable), data types involved, mitigation taken, and a contact point, and supplement details as the investigation progresses.

What responsibilities do subcontractors have under HIPAA?

Subcontractors that handle PHI on your behalf are directly liable for HIPAA compliance. They must sign a BAA with you, implement the same safeguards you follow, limit PHI to the minimum necessary, and promptly notify you of any incidents or breaches so you can meet upstream obligations.