Businesses within the U.S. healthcare industry must always ensure their data handling meets HIPAA compliance guidelines. However, these rules also apply to business associates that handle ePHI on behalf of covered entities. One specific rule, the Security Rule, places obligations on associates to protect the confidentiality, integrity, and availability of patient data.
The obligations are broader than most business associates expect, and the proposed 2026 updates will close off remaining flexibility.
Who Qualifies as a Business Associate Under HIPAA
A business associate is any person or organization that externally supports a covered entity under HIPAA, for example, by providing services on their behalf. A business associate impacted by HIPAA creates, receives, maintains, and/or transmits ePHI, with access granted by a covered entity. The status “business associate” is defined by function, regardless of sector.
Business associates impacted by HIPAA include:
- IT vendors and associated services
- Cloud storage providers
- Medical billing companies
- Lawyers and law firms
- Third-party administrators (TPAs) supporting health plans
- Data disposal services
- Consultants
HIPAA and Security Rule obligations also apply to subcontractors who handle ePHI on business associates’ behalf.
Regardless of the sector they operate in, or the type of services they provide, a Business Associate Agreement (BAA) must be agreed, signed, and in place before ePHI is shared. A BAA is a crucial document that proves partnership compliance to external auditors.
What the HIPAA Security Rule Requires of Business Associates
The HIPAA Security Rule specifies that covered entities and business associates apply administrative, physical, and technical safeguards for ePHI. Doing so ensures data is as secure, confidential, and accessible to predetermined parties as possible.
HIPAA states that safeguards must ensure ePHI’s confidentiality, integrity, and availability. That means business associates must not:
- Allow unauthorized access to the data;
- Adjust, delete, or otherwise destroy the data unless authorized;
- Make the data inaccessible or unusable by authorized parties.
These HIPAA cybersecurity requirements, or safeguards, break down as follows:
- Administrative safeguards, which include risk analysis and management programs, robust access controls within the workforce, and contingency planning. Other safeguards include designating a security official, carrying out regular training, and establishing data access management and incident procedures.
- Physical safeguards, which include physical workstation, device, and endpoint security, and facility access and applicable controls where ePHI may be processed or stored.
- Technical safeguards, which include internal access control systems, auditing and integrity controls, and data transmission security wherever ePHI is handled.
Risk Assessment and Analysis as a Direct BA Obligation
Risk assessments and analyses are Security Rule requirements for all business associates. HIPAA requires BAs to evaluate and prepare for anticipated ePHI threats and to document their findings – it is not an optional best practice.
The HIPAA Security Rule, as outlined in “164.308 Administrative safeguards”, states that BAs must:
“(...) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
Therefore, BAs must clearly identify all ePHI they handle and carefully evaluate threats and vulnerabilities, any current safeguards in place, and the likelihood of risks occurring.
After a risk assessment, BAs must analyze findings and document all the steps they take to protect ePHI. Through this process, it’s crucial to assign responsibilities and lay out clear timelines.
As with all risk assessments recommended by HIPAA, a BA must re-analyze and re-assess whenever changes are made to workflows, systems, or vendor relationships.
Using security assessment tools can support this process; however, BAs must still record and document all analysis in writing.
Business Associate Agreements and What They Must Cover
BAAs form the legal foundation for any business associate and covered entity relationship. They are binding contracts that specify how ePHI is to be used and disclosed during a partnership, what safeguards are expected, and how associates should report breaches.
BAAs also declare termination rights and responsibilities in the event of ePHI mismanagement and must account for any applicable subcontractor obligations.
To satisfy HIPAA compliance and auditing requirements, all parties must sign and keep fully documented BAA records. However, missing, incomplete, or unsigned BAAs are common triggers for noncompliance during Office for Civil Rights (OCR) audits.
Outdated or expired BAA records are an equally common OCR audit trigger. Maintain documents that reflect current relationships and safely dispose of records that are no longer relevant.
BAAs also apply to all vendors further downstream who have access to a covered entity’s ePHI.
Breach Notification Procedures for Business Associates
Beyond the Security Rule, HIPAA’s Breach Notification Rule carries additional obligations that business associates must independently follow. Specifically, a business associate must notify a covered entity within 60 days of discovering a breach impacting their ePHI. Set clear investigation and notification workflows before incidents occur.
Within 60 days of discovering a breach impacting ePHI, business associates must provide details covering:
- The exact ePHI at risk
- Details of individuals impacted
- Actions taken to contain and remedy the breach
When developing a documented incident response plan, business associates should establish how threats are detected and assessed, what steps they will take to contain and investigate threats, and how they intend to notify parties.
A business associate doesn’t have a legal obligation to report breaches to the media. However, covered entities must do so if the ePHI of 500 or more people in a given jurisdiction or state is breached.
Failure to meet notification timelines, i.e., missing the 60-day window, can result in OCR enforcement. This affects business associates independently of covered entities and their own obligations.
Cybersecurity and Emerging Threats Facing Business Associates
Baseline requirements written into the Security Rule in 2013 pre-date cloud-native architectures, mobile devices, and the cyber threat landscape that has evolved considerably since. BAs must apply safeguards that reflect these modern threat vectors beyond satisfying the letter of HIPAA 2013 baseline.
For example, attackers using ransomware frequently target business associates as backdoors into covered entities. The clearest case study is Change Healthcare, which processes claims and payments on behalf of thousands of providers and health plans nationwide.
In February 2024, a ransomware group breached Change Healthcare's network, forcing systems offline and disrupting claims processing and patient care delivery across the United States for months. A single vendor compromise cascaded into thousands of covered entities. An estimated 192.7 million individuals were affected, making it the largest healthcare data breach in U.S. history, and UnitedHealth Group's latest estimate puts the cost of the attack at over $3 billion.
Since baseline requirements were established in 2013, business associates have adapted to working with data across a much larger attack surface. This is largely thanks to the emergence of cloud computing, which, having blended with legacy networking, has created new challenges in preventing data loss (and maintaining its integrity).
NIST directly responded, publishing updated Security Rule guidance in early 2024 that integrates modern controls. For example, National Institute of Standards and Technology (NIST) offers a series of resources specifically referencing the Security Rule, published in early 2024.
Cybersecurity experts recommend several modern controls within frameworks to complement safeguarding strategies. For example, sandboxing (which isolates code for analysis) and zero trust architecture (which demands verification across all network activities) are increasingly referenced.
Documentation and Compliance Requirements Business Associates Must Maintain
Business associates must do more than simply install compliance controls – they must record clear evidence to prove to OCR that they are taking steps to meet recognized security practices. HIPAA specifies documents and plans, too, that satisfy compliance requirements.
All business associates must maintain documentation relating to the Security Rule for at least six years (since created or last updated). However, there is no specific overall retention period, as per the Privacy Rule, because state laws vary. It is good practice to follow the six-year rule as a baseline.
Such documentation includes:
- Evidence of risk assessments
- Detailed remediation plans
- Notification timelines
- Sanction policies for employees
- Records confirming physical security maintenance
- Current, active BAAs with all covered entities
- Training and development records
- PHI disclosure authorizations
- Detailed reviews of IT security
- Internal auditing logs
To avoid gaps in document retention arising during OCR inquiries, it’s wise to run internal audits and take remedial action.
Document retention period enforcement was strengthened, and data privacy and consent regulations were extended to business associates as a result of the HITECH Act of 2009:
“Under the original HIPAA Privacy and Security Rules, business associates of HIPAA covered entities had a “contractual obligation” to comply with HIPAA. Prior to the HITECH Act of 2009, there was no enforcement of that obligation, and covered entities could avoid sanctions in the event of a breach of PHI by a business associate by claiming they did not know the business associate was not HIPAA-compliant.”
Steve Alder, The HIPAA Journal
What the Proposed 2026 Updates Mean for Business Associates
OCR's regulatory agenda targeted a 2026 release for the final rule, but the proposal remains under review and could be modified or delayed. As the most significant alteration to business associates’ obligations in more than a decade, these changes may reduce some safeguarding flexibility.
Crucially, all changes proposed by the updates impact covered entities and business associates. For example, they must enforce multi-factor authentication across the board, demonstrate they can restore their critical infrastructure within 72 hours of a breach or incident, and encrypt all data at rest and in transit.
Under the proposals, there will no longer be a distinction between “required” and “addressable” implementations. That means business associates must comply with all implementation specifications dictated by HIPAA, rather than interpreting them in certain cases.
The requirements proposed are designed to protect business associates and covered entities amid evolving technological and threat landscapes. For example, all business associates must undertake vulnerability scanning every six months, and penetration testing at least once a year. Covered entities, too, must ensure their associates comply with safeguards they recommend.
This will be backed up by a written, documented technological asset inventory, updated at least once a year. This move is to help associates adapt to the scalability that ePHI environments continue to demand.
Best Practices for Building a Compliant BA Program
A sustainable, compliant BA program requires ongoing maintenance, not a one-time setup. Recognized security practices and requirements laid out in HIPAA’s Security Rule set the mandatory baseline, but there are additional steps business associates should take to stay ahead and remain compliant:
- BAAs are not one-off exercises. They should be continuously reviewed, amended, and resubmitted in line with Security Rule requirements. For example, when the proposed Rule changes for 2026 arise, covered entities and business associates should revisit their BAAs.
- Within BAAs, associates must establish which employees have role-based access to ePHI, and which vendors are approved to access it. Therefore, agreements should be reviewed if new user roles are established, and if new vendors are onboarded.
- ePHI obligations should always be based on risk assessments and analysis. Business associates should carry out these assessments before any systems containing or using ePHI are to be altered or brought into the infrastructure.
- Business associates should always encrypt ePHI, whether it is at rest or in transit. Encryption reduces both breach likelihood and OCR exposure.
- Observing a rolling HIPAA compliance checklist is also good practice, especially when changes are made to processes, personnel, systems, and vendor relationships.
Conclusion
As a result of HIPAA compliance changes over the years, business associates are under as much enforcement scrutiny as covered entities. And, when the 2026 updates come into effect, deferring safeguards will no longer be an option.
VikingCloud offers vulnerability management, penetration testing, and other advisory and assessment services built for HIPAA-regulated environments. Learn more about our HIPAA compliance services.
FAQs
Who is considered a business associate under HIPAA?
A business associate is any company or individual that uses or works with a healthcare company’s ePHI. Within HIPAA rules, the business associate works outside of the covered entity’s workforce.
Are business associates required to conduct a HIPAA risk assessment?
Yes, business associates must conduct HIPAA risk assessments or analyses to protect the confidentiality, integrity, and availability of ePHI that they handle. These assessments should be mandated as part of a BAA with covered entities.
What happens if a business associate causes a data breach?
In the event of a data breach, the business associate must report it to the covered entity impacted within 60 days of its discovery. They must take immediate action to contain and remedy the breach. Depending on the breach severity, the business associate can face penalties and OCR enforcement action.
What does the proposed 2026 HIPAA Security Rule update mean for business associates?
Most crucially, the proposed update states business associates must encrypt all data at rest, comply with “required” implementations, and apply multi-factor authentication across their infrastructure. They must also show, via contingency plans, that they can restore critical business systems within 72 hours of any incident.
How long must business associates retain HIPAA documentation?
The HIPAA Security Rule states business associates must retain documentation for at least six years, from the date of creation or from when it was last updated.
Related Blogs
Stay up-to-date on the latest happenings in Cybersecurity and PCI Compliance.

The Franchise Uptime Paradox: Every Location’s Downtime Becomes Your Brand’s Problem




.png)