MRO’s Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy, and Anthony Murray, Vice President of Information Technology, discuss the challenges of managing and auditing business associates.

Covered entities (CE) rely on business associates (BA) to provide vital services, but the relationship can be a compliance minefield. Failing to identify a vendor acting as a BA and failing to obtain a valid BA agreement (BAA) can cost CEs millions of dollars in HIPAA settlements. Poor internal communication may prevent some CEs from accurately identifying all BAs. BAAs can be difficult to negotiate with vendors new to the industry, and CEs may have active BAAs on file with vendors that no longer provide services for them.

The CE/BA relationship can be tricky to navigate, and misinformation abounds. Some CEs may take a hands-off approach and fail to review BAAs. Yet others may complicate the process by attempting to micromanage and requesting security measures that go beyond those required by state and federal laws. Privacy and security officers need to cut through the confusion and guide their organizations to clear, consistent policies for managing and maintaining BA relationships.


Bowen is an established author and speaker on healthcare privacy and security. She is an active member of the American Health Information Management Association (AHIMA), having served as its President and Board Chair, as a member of the Board of Directors and of the Council on Certification, and currently sits on the AHIMA Foundation Board of Directors. In her role at MRO, Bowen works with clients to ensure HIM policies and procedures are to code. Additionally, Bowen serves as the company’s Privacy and Compliance Officer (CPO).
