Covered entities (CEs) rely on business associates (BAs) to provide vital services, but the relationship can be a compliance minefield. Failing to identify a vendor acting as a BA, or failing to obtain a valid BA agreement (BAA) with one, can cost CEs millions of dollars in HIPAA settlements. Poor internal communication may prevent some CEs from accurately identifying all of their BAs. BAAs can be difficult to negotiate with vendors new to the industry, and CEs may have active BAAs on file with vendors that no longer provide services to them.
The CE/BA relationship can be tricky to navigate, and misinformation abounds. Some CEs take a hands-off approach and fail to review their BAAs at all. Others complicate the process by attempting to micromanage BAs, requesting security measures that go beyond those required by state and federal law. Privacy and security officers need to cut through the confusion and guide their organizations to clear, consistent policies for establishing, managing, and maintaining BA relationships.