22 Percent of HIPAA Violations Caused by Business Associates

by | Sep 18, 2013

The passing of the Omnibus Rule extended HIPAA’s reach to include business associates of HIPAA-covered bodies and requires them to comply with the same set of standards as the healthcare organizations with which they work.

Business Associates are defined as any organization or individual that is required to work with, view or come into contact with Protected Health Information. This means the providers of hosting or data storage services will now be included under HIPAA and will be required to sign a business agreement that states they will adhere to HIPAA regulations. They will also be subject to financial sanctions if the Department of Health and Human Services locates any non-compliance issues.

The new rule was brought in to ensure patient health data is kept safe and in the case of business associates the alteration in legislation is long overdue. BAs are responsible for the exposure of a considerable amount of patient data and since HIPAA was brought in, BAs have been responsible for 22% of all security breaches according to an analysis of HHS breach reports conducted by Profitable Practice.

The research also found that when business associates have been liable for a security breach, the volume of data exposed is considerable. While 22 percent of HIPAA breaches were caused by BA’s, 48% of the 26.8 million individuals affected by security violations had their data exposed as a result of a BA security weakness.

The new rule makes BAs responsible for their actions – or lack of them – and it should minimize the number of data breaches happening as a result of BAs. BAs are also responsible for any subcontractors they use and must take responsibility for their activities and ensure they too are aware of HIPAA regulations and a BA is completed.

Any business associate that does not believe they have the policies and procedures in place to deal with the new HIPAA regulations should act quickly. It is not too late to become HIPAA compliant, although the deadline for putting in place policies and strategies is fast approaching. Any HIPAA violation or non-compliance issue found after the Sept 23 deadline could result in a financial sanction being issued by the OCR of up to $1.5 million per year, while individual violations now carry a maximum penalty of $50,000 per incident.

If you have any questions about the new regulations and what action needs to be taken you should seek legal guidance from an attorney who specializes in healthcare compliance. A full risk analysis must be completed to decide whether any security risks exist and details of the steps taken to protect data should be fully recorded.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy