
Count your Business Associates -- Accurately

Updated: Jun 30

Within long-term care, the challenge of data security can be complicated by the sheer number of outside contractors working on behalf of an organization and having potential access to private health information. Under the Health Insurance Portability and Accountability Act (HIPAA), all contractors with potential access must be held accountable through a contract referred to as Business Associate Agreement (BAA).

While the task may sound straightforward, it’s really not. The challenge is in the details of determining which outside entities or individuals need to sign a contract. 

Consider these questions:

  1. Do you have BAAs in place with every outsider who could potentially see, hear or put hands on private information?

  2. Are the contracts you have in place specific enough to truly ensure accountability for the private information your organization is ultimately responsible for protecting?

Let’s take these points one at a time:

Commonly, some contracts are in place while others aren’t.  Perhaps a shredding company has been overlooked, or a cleaning crew that works after hours in proximity to private information. 

To know who is or is not a business associate by HIPAA’s definition, this simple formula applies:

If a person or entity is not an employee, and not another healthcare provider delivering treatment, then one question remains:  Does this entity or individual, in the performance of duties for your organization, have potential access to private information?  If so, you need a contract in place.

Next, beyond boilerplate language, contracts should include details of how the private information of those you serve will be handled, used and stored.  For instance, if you are working with a vendor to monitor patients via cameras, know where the saved videos are stored, who has access to them, and whether the vendor’s staff has been trained in safe handling of private information.  You would also want documentation of specific timelines and processes for destroying the videos.

Last year, in a report issued by the U.S. Office for Civil Rights (OCR), one of the most common remedial actions following a breach was listed as “revisions to BAAs to include more detailed provisions for protecting private information.”

Aside from regulations, it’s good business to hold outsiders accountable for the safe handling of information that your organization is responsible for protecting.  When it comes to the individuals you serve, the responsibility to protect private information rests on your shoulders.  If outsiders want to work for you, then responsibility must fully shift to those acting on your behalf.  Otherwise, you shoulder your own responsibility and theirs, too – meaning it’s on you if a business associate’s negligence leads to a breach.

Better to count your business associates right from the start. 

About the author

Diane Evans is founder of Guarded Edge, which offers training and services on the application of the Health Insurance Portability and Accountability Act (HIPAA) within long-term care.  Diane can be reached at  Readers may access a complimentary Social Media Policy by visiting
