HIPAA Basics for Business Associates 2024 Edition

The Department of Health and Human Services (HHS) enforces the Health Insurance Portability and Accountability Act (HIPAA). HIPAA contains a wide range of operational, administrative, technical and physical privacy and security requirements. Business associates (BAs) of covered entities (CEs) must comply with the HIPAA requirements.

BAs are increasingly being fined larger amounts for noncompliance with HIPAA, including fines of over $2 million. BAs are also increasingly recognized as the cause of HIPAA privacy breaches and security incidents.

HHS has indicated that it will increasingly target BAs for HIPAA compliance investigations, because the demonstrated lack of knowledge and understanding of HIPAA compliance requirements among BAs has resulted in more security incidents and privacy breaches than ever before.

It is imperative that BAs take action to meet and then maintain HIPAA compliance, not only to protect their own business, but also to protect their CE clients from fines, and to protect the associated individuals from misuse of their protected health information (PHI) and from the harms caused by mistakes made with it.

Implementing appropriate safeguards, controls and business practices starts with all BA workers knowing and understanding the current HIPAA requirements that apply to BAs, and then maintaining that knowledge and understanding with ongoing education. Such education must include taking HIPAA courses at least once a year to cover overall HIPAA compliance and requirements, followed by specialized courses on more targeted topics for the teams and specific roles within the CE and BA organizations.

This course provides the key information to help BAs to understand their full legal obligations for current HIPAA compliance needed in 2024.

Many businesses don’t even realize that they are a BA as defined by HIPAA. A “business associate” is a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a CE as defined by HIPAA. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities that involve, generally, any type of access to the PHI of a CE in support of work the BA is contracted to do for the CE. BAs can be organizations located anywhere in the world.

BA functions and activities include, but are not limited to: creating and maintaining online portals for patients and insureds; transcriptionist services; medical device manufacturers, vendors and support services; claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; marketing; research; and repricing. Business associate services include: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; financial; transcriptionists; medical device vendors; research; physical safety services; telehealth; substance abuse support; telecommunications; marketers; and technology services and support.

BAs must comply with HIPAA requirements. CEs must ensure that their BAs (those providing CEs with services and/or products that in some way involve access to PHI), and any subcontractors those BAs use, are also in compliance with HIPAA.

Learners can take each Privacy & Security Brainiacs course as many times as they choose for 11 months following the business’s purchase of the course learner seats.

This training course is designed with the needs of BAs in mind. It provides an overview of the HIPAA requirements that all BAs need to know and understand. It also covers new information about temporary and proposed HIPAA changes and restrictions, and about the satisfactory assurances that BAs need to know about and have available to provide to their CE clients, as required by HIPAA. Real-life examples are provided, along with common misconceptions for BAs to avoid. See the outline for more information.

Twelve valuable supplemental materials are provided to each learner, along with a quiz that randomly shows 15 questions from a question bank of at least 40 questions each time the quiz is provided to a course learner. The possible answers for each question are also shown in random order. Each learner is also provided with a printable quiz report and, upon successful completion of the course (completing the full video and passing the quiz), a certificate that contains the learner’s name, the course name, the length of the course, and the date completed. The certificate documents the information a learner needs to provide when also using the course to help fulfill professional certification continuing professional education (CPE) requirements.

Course Outline:
  • HIPAA overview

  • Covered Entities (CEs), Business Associates (BAs) and subcontractors

  • Satisfactory assurances that BAs can provide to CEs and other BAs

  • When CEs are allowed to disclose PHI to BAs

  • HIPAA Privacy Rule overview

  • HIPAA Security Rule overview

  • HIPAA Breach Notification Rule overview

  • HHS Temporary Changes in HIPAA Requirements

  • Proposed HIPAA changes

  • Protected health information (PHI) and specific types

  • BA requirements

  • Security Rule requirements

  • Breach Notification Rule requirements

  • Tracking tech, telehealth, reproductive health, and substance abuse data breaches

  • Privacy Rule requirements

  • Where PHI needs to be protected

  • When a BA is responsible for protecting PHI

  • BA requirements for subcontractors

  • Common BA misconceptions in understanding HIPAA compliance

  • Penalties, sanctions and examples of huge fines given to BAs

Supplemental Materials:

Yes, supplemental materials are included: twelve items in total.

These are eleven PDFs and a link to a URL with information supporting the content and the associated HIPAA compliance actions described within the course. Learners can refer to and download the materials (for their own use while performing their job responsibilities) at any time while the course is active.

The supplemental materials include details about temporary changes, HHS compliance guidance, real-life examples of HIPAA breach and non-compliance penalties and corrective action plans (CAPs), reference materials needed to understand PHI items and other HIPAA concepts, a document for supporting BA requirements, and an enhanced transcript of the course.

The Business Admin for each business account can also add more supplemental materials specific to the business (e.g., forms, policies and procedures that are associated with the course content).


A quiz is included for each Privacy & Security Brainiacs premium/paid course.

The quiz consists of 15 randomly chosen questions from a large and growing repository of questions for this course. Each time the course quiz is provided to a learner, the questions are randomly chosen from the repository, and the answer choices for each question are also shown in random order. So, the choices will appear in a different order each time for each question.

The graded quiz report includes, for each question, an explanation and the associated correct answer.

Certificates for passing, and special recognitions for passing with high scores, are provided to each learner.

Each learner can take the quiz an unlimited number of times.

The Business Admin for each business account:

  • Has the capability to establish the passing percentage for the course for the associate business learners.

  • Has additional course reports covering all students, individual students, and the quiz questions.

  • Can communicate with the business account learners within the portal, assign courses to specific learners, and more.

  • Can communicate with Privacy & Security Brainiacs for questions about the course platform and capabilities.

  • Will receive a discount for consulting time and products from Privacy & Security Brainiacs.

Course Pricing Details

Number of learners/seats

Price per learner/seat