The Dangers of a Lackluster Business Associate

By Brian Sprowl of QI Express

When patients go to their healthcare providers, they go with the hope that the information that they share is going to be protected. So much of the information shared is private and should never see the light of day outside of a doctor’s or physician’s office.

While doctors, physicians and medical providers do a lot to help those that they serve, they can’t always do everything by themselves or in-house. Many covered entities (healthcare providers, health plans and healthcare clearinghouses) employ the services of Business Associates (BAs) to help with the processing of Personal Health Information (PHI) or Personal Health Records (PHR). Business Associates include billing and collection companies, medical laboratories, staffing agencies and legal professionals. Business Associates play an integral role for covered entities because they not only handle sensitive information, but also carry out certain tasks using the information that they are provided.

HIPAA has set in place certain rules and regulations to ensure the protection of private information, and those rules apply to Business Associates. But when Business Associates fail to adhere to the rules and regulations required by HIPAA, the Business Associates can greatly undermine the healthcare organizations that they are working in conjunction with. There can be a breakdown in trust and communication, which can lead to great harm for the person whose information has been leaked.

Business Associates handle a plethora of sensitive information. If a Business Associate is lackluster and carefree in its responsibility to protect that information, the affected parties can be severely compromised. For instance:

Let’s say that I am your doctor, and you, the patient, share personal information with me. Because I am a healthcare provider, your information is (or should be) protected. If I then pass on this information to my Business Associate, and it doesn’t protect that information, the Business Associate has not only failed you, the customer, but it has also failed the covered entity which has employed it. So in essence, the Business Associate not only has to look out for the well-being of the partner it works for, but it also must keep in mind that it is representing another entity, the patient.

If for some reason there is a leak of information due to the negligence of a Business Associate, it is the responsibility of the Business Associate to contain that breach so that it doesn’t get worse. If necessary, the covered entity should end the contract with the Business Associate if the problem isn’t addressed and fixed immediately. Quick action is a necessity to limit the potential damage that can be done to the person(s) whose information has been compromised. This is required by the HIPAA regulations.

Business Associates must follow the rules and regulations that HIPAA has set in place. Failing to do so can lead to a major set of issues for all parties involved, and headaches that could have ultimately been avoided if the Business Associate had taken the proper steps in the first place.

At the end of the day, Business Associates are given sensitive information to help carry out certain integral functions and duties of the health care providers that they work with. Business Associates should protect the information being shared with them as if the information were their own.


  1. An interesting perspective and position…thanks for sharing.

    My take is that the potential “lackluster” aspects of the business associate can or should be center stage when the Covered Entity and a Business Associate are developing their relationship to include what is expected as codified in the Business Associate Contract (or Agreement).

    So to some degree, the Covered Entity is also responsible in allowing its Business Associate to act in a lackluster manner. This is one reason to invest some time in deciding the type of satisfactory assurances that can keep the BA from venturing into the “lackluster” zone and thereby opening the door for some of the problems posted in the blog.

    In my view, there is a sense of collaboration, trust, and commitment which is connected with the term associate…especially when it appears in the phrase “Business Associate”…so I think in turn, CEs and their BAs should act in such a manner.
