Business Associate Compliance With HIPAA: Findings From a Survey of Covered Entities and Business Associates

The Health Insurance Portability and Accountability Act (HIPAA) permits healthcare providers and health plans (known as “Covered Entities”) to share health information with third-party vendors, which are referred to as “Business Associates” under HIPAA’s regulations. Historically, HIPAA regulated Business Associates only indirectly, by requiring Covered Entities to manage them through contractual relationships. However, in 2009, Congress made Business Associates directly accountable to regulators for compliance with most of HIPAA’s regulations, and the regulations implementing that change were finalized in 2013. With this enhanced accountability come questions about the extent to which Business Associates are actually in compliance with HIPAA’s privacy and security rules.
Informed by interviews with 16 Covered Entities and 5 Business Associates, Manatt authored a report for the California HealthCare Foundation to help assess Business Associates’ compliance with their obligations to protect health information under HIPAA. The report provides an overview of the different types of services that Business Associates provide to Covered Entities and describes the efforts that Business Associates and Covered Entities are making to satisfy HIPAA’s various privacy and security requirements. The report concludes by recommending several strategies for improving Business Associate compliance with HIPAA, particularly for those doing business in California.

Additional Author:
Deven McGraw

© 2024 Manatt, Phelps & Phillips, LLP. All rights reserved.