Business Associates not complying with HIPAA

Business Associates not complying with HIPAA is our 4th post on the subject of The History of HIPAA and in this post we’re going to address the risk they’re taking by not complying with HIPAA.

Ignoring HIPPA compliance

It’s apparent to this writer, and the Department of Health and Human Services I might add, that many companies, both large and small, are ignoring HIPAA Compliance. With that in mind, another purpose of this post is to warn small companies that size does not matter when it comes to compliance. If you create, transmit, receive, or store protected health information (PHI), no matter how small you are, if you are a covered entity, or a business associate doing business with a covered entity, you must be HIPAA compliant. Period.

Reasonable and Appropriate

One of the things I was pleasantly surprised to find out, in researching our own HIPAA Compliance initiative here at DTS InfoTech, is that there is genuine understanding and empathy by the Department of Health and Human Services for small covered entities and business associates. That is, HHS understands and makes allowances for the smaller covered entities, and business associates that don’t have the staff or budget that larger companies do - companies that actually have a dedicated compliance officer, staff and money to spend on compliance. HHS actually acknowledges the problem and allows smaller companies to be flexible in their compliance. Another way to say that is they can implement HIPAA in a way that is reasonable and appropriate for them.

Flexibility Approach

The HIPAA Security Rule (SR) also contains a concept called the “Flexibility Approach” - what others refer to as the SR’s guiding principle. In essence, the flexibility principle identifies four factors that an Organization should consider when deciding how to “reasonably and appropriately” implement the Standards and Implementation Specifications.

Business Associates and HIPAA Compliance

Until the HITECH Act was enacted into law on February 17, 2009, a BA’s compliance with HIPAA regulations was mandated only as part of the business associate agreement (see CFR 164.504(e)(1)) with its respective CE. Now, under HITECH and the Final Rule (Omnibus), a BA is “directly on the hook” (i.e. via statutory authority) for complying with the following sections of the Security Rule:
1. Administrative Safeguards CFR 164.308
2. Physical Safeguards CFR 164.310
3. Technical Safeguards CFR 164.312
4. Organizational Requirements CFR 164.314
5. Policies and Procedures and Documentation Requirements CFR 164.316

In short, a BA must comply with the five sections above of the Security Rule in the same way a CE is required to comply, and must also comply with any additional HITECH security requirements imposed on a CE. As a business associate, I’ve never liked this. But it’s the law and we all have to comply.

But there is good news. It’s called . . .

Flexibility Factors
The four SR Flexibility Factors are as follows:
1. The size, complexity, and capabilities of the Organization.
2. An Organization’s infrastructure, hardware, and software security capabilities.
3. The costs of security measures.
4. The probability and criticality of potential risks to ePHI.

There appears to be some “wiggle room” in the SR, especially for small Organizations. Addressable Specifications must be assessed and implemented as specified if “reasonable and appropriate” to the Organization.

Reasonable and Appropriate

The term, reasonable and appropriate, is really good news for small CE’s and BA’s. But it also takes away any excuse small companies have for not complying with HIPAA.

From The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment:

“Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

The Privacy Rule’s safeguards standard is flexible and does not prescribe any specific practices or actions that must be taken by covered entities. This allows entities of different sizes, functions, and needs to adequately protect the privacy of PHI as appropriate to their circumstances.” Because all companies are unique, the key phrase here “appropriate to their circumstances” cannot be overstated.

Up to this point, I’ve used over 600 words as a setup for this: How does HHS enforce the law we know as HIPAA. Do they even enforce HIPAA? At one time HIPAA was known as a paper tiger. But not any longer.

In our next post will share: stories and links that tell the story of how OCR is fining smaller covered entities and business associates.


If your company is a health plan, health care clearinghouse, health care provider, insurance broker etc. and you’re relying on tape drives, external hard drives, or USB devices to back up your protected health data (PHI), then it’s critical for you to get and read: 12 Little-Known Facts Every Business Owner Must Know About Data Backup, Security And Disaster Recovery.

You’ll learn what most IT consultants don’t know or won’t tell you about making sure your company’s critical data is safe from loss, corruption, cyber criminals, natural disasters and employee sabotage, in addition to:
• The only way to know for SURE your data can be recovered if lost, corrupted or deleted – yet fewer than 10% of businesses have this in place.
• 7 critical characteristics you should absolutely demand from any offsite backup service; do NOT trust your data to any company that does not meet these criteria.
• Where tape backups fail and give you a false sense of security.
• The #1 cause of data loss that most businesses don’t even think about until their data is erased.

You can download your Free Business Advisory Guide Here.

This guide will explain in plain every day English what you need to know about data backup, security and disaster recovery.

And don’t worry about some sales guy calling you from our office because you downloaded information off of our website. No one from our office will call you; I promise. We don’t like sales calls any more than you do! We understand if you’re not ready to do that, and if that’s the case, then just read these posts when they come out. We post on a regular schedule.

Have you started your HIPAA compliance initiative?

With small health care practices as part of our growing family, we are committed to HIPAA compliance and creating a culture of compliance. We know first-hand that HIPAA compliance for small health care practices is daunting. As a BA we’re going through it ourselves. We’re actually doing it, not just writing about it.

Do you need some technology help in your health care practice? Would you like to work with a technology company that is dedicated to a culture of HIPAA compliance?

Give us a call at 503.359.1275. We’re always happy to chat!

Return to main HIPAA page

For more information visit:

Dedicated to your success,
Wally Moore
General Manager & Compliance Officer
DTS InfoTech . . . computer networks that work