HIPAA Basics for Business Associates

From The Privacy Professor®

The number of penalties, audits, and lawsuits against HIPAA business associates (BAs) is increasing.

BAs are also increasingly recognized as the cause of HIPAA privacy breaches and security incidents.

This course provides the key information to help BAs to understand their legal obligations for current HIPAA compliance needed in 2025 and beyond.

18 supplemental materials are provided for this course, including guidance from the HHS for law enforcement access, substance use disorder data, reproductive health data, real-life examples, HIPAA regulatory definitions, and more.

HIPAA non-compliance settlements against business associates (BAs) have reached as high as $3 million, in addition to 6 years of ongoing activities overseen by the regulatory agencies. All of the cases indicate that a lack of training was a primary factor in increasing the penalty.

The 56 US state and territory Attorneys General are taking increasingly more actions against both covered entities (CEs) and BAs. CEs are now suing their BAs for not complying with HIPAA requirements.

This course includes examples of actual Department of Health and Human Services (HHS) penalties and corrective action plans (CAPs) reports against BAs, along with the details for actual non-compliance settlements.

The HHS enforces HIPAA. In addition to the HHS, each of the 56 U.S. state and territory Attorneys General also has the ability to enforce HIPAA and apply penalties and CAPs for non-compliance. Lawsuits are also increasingly being filed following breaches, delays in patient care, and other harms that in large part occurred because of non-compliance with HIPAA.

HIPAA contains a wide range of operational, administrative, technical and physical privacy and security requirements. Business associates (BAs) of covered entities (CEs) must comply with the HIPAA requirements.

HHS, CEs, and the US Attorneys General have indicated they will increasingly take action against BAs through more HIPAA compliance investigations. The reason is the demonstrated lack of BA knowledge and understanding of HIPAA compliance requirements, which has resulted in more security incidents and privacy breaches than ever before.

BAs must take actions to meet and then maintain HIPAA compliance to not only protect their own business, but also to protect their CE clients from fines, and to protect the associated individuals from misuse of, and harms caused by mistakes with, their protected health information (PHI).

Implementing appropriate safeguards, controls and business practices starts with all BA workers knowing and understanding the current HIPAA requirements that apply to BAs, and then maintaining that knowledge and understanding with ongoing education. Such education must include taking HIPAA courses at least once a year to learn overall HIPAA compliance and requirements, followed by teams and specific roles within the CE and BA organizations taking specialized courses on more targeted topics.

Many businesses don’t even realize that they are a BA as defined by HIPAA. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a CE as defined by HIPAA. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities that involve generally any type of access to the PHI of a CE in support of work the BA is contracted to do for the CE. BAs can be organizations located anywhere in the world.

BA functions and activities include, but are not limited to: creating and maintaining online portals for patients and insureds; transcriptionist services; medical device manufacturers, vendors and support services; claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; marketing; research; and repricing. Business associate services include: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; financial; transcriptionists; medical device vendors; research; physical safety services; telehealth; substance abuse support; telecommunications; marketers; and technology services and support.

BAs must comply with HIPAA requirements. CEs must ensure that their BAs (those providing CEs with services and/or products that in some way involve access to PHI), and any sub-contractors those BAs use, are also in compliance with HIPAA.

Learners can take each Privacy & Security Brainiacs course as many times as they choose for 11 months following the business’s purchase of the course learner seats.

This training course is designed with the needs of BAs in mind. It provides an overview of the HIPAA requirements important for all BAs to know and understand. It also covers new information about temporary and proposed HIPAA changes, restrictions, satisfactory assurances BAs need to know and have available to provide to their CE clients, as required by HIPAA. Real-life examples are provided, along with common misconceptions for BAs to avoid. See the outline for more information.

Seventeen valuable supplemental materials are provided to each learner, along with a quiz that randomly shows 15 questions from a question bank of at least 40 questions each time the quiz is provided to a course learner. The possible answers are also randomly shown for the associated questions. Each learner also is provided with a printable quiz report and a certificate upon successful completion of the course (completing the full video and passing the quiz) that contains the learner’s name, course name, length of the course, and date completed. The certificates document information for any learner to provide when also using the course to help fulfill professional certification continuing professional education (CPE) requirements.

Outline

  • HIPAA definitions

  • HIPAA overview

  • Covered Entities (CEs), Business Associates (BAs) and subcontractors

  • Satisfactory assurances that BAs can provide to CEs and other BAs

  • When CEs are allowed to disclose PHI to BAs

  • HIPAA Privacy Rule overview

  • HIPAA Security Rule overview

  • HIPAA Breach Notification Rule overview

  • Protected health information (PHI) and specific types of PHI

  • BA requirements

  • Tracking tech, telehealth, reproductive health, and substance abuse data breaches

  • Privacy Rule requirements

  • Where PHI needs to be protected

  • When a BA is responsible for protecting PHI

  • BA requirements for subcontractors

  • Penalties, sanctions and examples of huge fines given to BAs

  • The importance of policies and procedures

Supplemental Materials:

Yes. Eighteen total items.

Eighteen PDFs with information supporting the educational content, including guidance from the HHS, and associated HIPAA compliance actions described within the course. Learners can refer to and download (for their own use while performing their job responsibilities) the supplemental materials at any time while the course is active.

The supplemental materials include HHS compliance guidance, real-life examples of HIPAA breach and non-compliance penalties and corrective action plans (CAPs), reference materials needed to understand PHI items and other HIPAA concepts, a document for supporting BA requirements, HIPAA terms definitions, and an enhanced transcript of the course.

The Business Admin for each business account can also add more supplemental materials specific to their own business (e.g., forms, policies, procedures, etc. that are associated with the course content).

Quiz

A quiz is included for each Privacy & Security Brainiacs premium/paid course.

The quiz consists of 15 questions randomly chosen from a large and growing repository of questions for this course. Each time the course quiz is provided to a learner, the questions are randomly chosen from the repository, and the answer choices for each question are also shown in random order. So the questions, and the associated choices for each question, will appear in a different order each time.

Results of the quiz include explanations for each question and the associated correct answer within the graded quiz report.

Certificates for passing, and special recognitions for passing with high scores, are provided to each learner.

Each learner can take the quiz an unlimited number of times.

The Business Admin for each business account

  • Has the capability to establish the passing percentage for the course for the associated business learners.

  • Has additional course reports for all students as well as for the quiz questions, and individual students.

  • Can communicate with the business account learners within the portal, assign courses to specific learners, and more.

  • Can communicate with Privacy & Security Brainiacs personnel for questions about HIPAA, the course platform and capabilities.

  • Can upload documents for their HIPAA activities into the business admin portal to centralize all HIPAA compliance activities within one portal.

  • Will receive a discount for consulting time and products from Privacy & Security Brainiacs.

Course Pricing Details

Number of learners/seats    Price per learner/seat
1                           $19.95
2-5                         $17.75
6-10                        $16.95
11-30                       $14.95
31-49                       $12.95
50-100                      $11.95
101-200                     $10.95
201+                        $9.95*