Business Associates’ HIPAA Compliance: Should Covered Entities Be Concerned?

Price: $224 OnDemand





HIPAA covered entities and business associates have vendors, current or prospective, and other entities that perform functions or activities for them, or provide services to them, that involve the use or disclosure of protected health information (PHI), which makes such vendors business associates of the covered entity. Most covered entities and business associates know that they have to enter into business associate agreements with such vendors for HIPAA compliance purposes. They may believe that, with those business associate agreements, they have met the requirements of the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) with respect to their business associates or subcontractors, and that they do not have to worry any further about those entities’ compliance with the HIPAA Rules. After all, those business associates and subcontractors can now be held directly liable by HHS for violations of HIPAA. And HHS has made it clear that the HIPAA Rules do not require a covered entity to actively monitor the actions of its business associates or subcontractors and do not make such entity responsible or liable for the actions of its business associates or subcontractors.

All of this is true, but it is not the whole story. Covered entities and business associates need to be concerned about their business associates’ or subcontractor business associates’ HIPAA compliance: the HIPAA violations of a business associate can negatively affect a covered entity. But different business associates performing different services and handling different types of PHI present different levels of risk. In appropriate circumstances, a covered entity or business associate may want to consider a more proactive approach to the HIPAA compliance of its business associates or potential business associates.

This program will briefly discuss what a business associate or subcontractor business associate is, so that a HIPAA covered entity or business associate can properly identify the vendors/prospective vendors who may be business associates or subcontractor business associates. Then the presentation will examine why a covered entity or business associate needs to be concerned about its business associates’ or subcontractor business associates’ HIPAA compliance. It will then explore factors that a covered entity or business associate may want to consider in determining which, if any, such business associates or subcontractor business associates to engage with on HIPAA compliance. Finally, the presentation will describe the range of mechanisms that a covered entity/business associate could employ and focus on several potential cost-effective mechanisms that a covered entity or business associate can use to engage with appropriate business associates on their HIPAA compliance.

Educational Objectives:
• Identify the vendors of a HIPAA covered entity (or business associate) that may be business associates (or subcontractor business associates).
• Alert HIPAA covered entities (or business associates) and their advisors to the reasons why they should be concerned about the HIPAA compliance of their business associates (or subcontractor business associates).
• Learn how to identify the vendors/business associates/subcontractors with respect to whom HIPAA covered entities or business associates may need to take a proactive approach on HIPAA compliance.
• Learn the types of approaches/mechanisms that HIPAA covered entities or business associates can employ to engage with such business associates (or subcontractors) on HIPAA compliance.

Who would benefit most from attending this program?
Health care practitioners/industry participants, as well as practitioners in other areas that advise participants in other industries who provide services to participants in the health care industry where the services involve use or disclosure of health information.



Paula Stannard is counsel in Alston & Bird LLP’s Health Care Practice Group, in its Washington, D.C. office.   Paula advises clients on regulatory questions that arise out of the ongoing health care reform efforts, and focuses her practice on HIPAA and health information technology (including certified electronic health records (EHR) and meaningful use issues), food and drug, and other regulatory/administrative law issues in the health care sector.  Paula Stannard is a former deputy general counsel and acting general counsel of the U.S. Department of Health and Human Services (HHS), where she oversaw the Food & Drug, Civil Rights and Legislation divisions of the 450-attorney HHS Office of the General Counsel and provided legal advice and counsel to senior HHS officials, including the secretary of the department. Her HHS experience provides clients substantive knowledge of, and experience in, FDA, HIPAA, e-health and health IT, federal health insurance regulation, patient safety, and public health preparedness and emergency response issues. She is a frequent contributor to Alston & Bird’s Privacy & Security Blog.