TL;DR: Every HIPAA covered entity must have signed Business Associate Agreements (BAAs) with all vendors that handle PHI. The HITECH Act and 2013 Omnibus Rule made business associates directly liable for HIPAA violations with penalties up to $2.13M per violation. Medcurity’s platform tracks all your business associate relationships and BAA status for just $499/year.
  • 60%+ of breaches involve business associates
  • $2.13M maximum penalty per violation category
  • $499 per year for Medcurity BA tracking
Track all your business associate agreements in one place. Medcurity automates BAA management and compliance tracking.

What Is a HIPAA Business Associate?

Under HIPAA, a business associate (BA) is any person or organization that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information (PHI). This definition was significantly expanded by the HITECH Act of 2009 and formalized in the Omnibus Rule of 2013.

Before the HITECH Act, business associates had no direct HIPAA liability. They were only bound by their contractual agreements with covered entities. The HITECH Act changed everything by making business associates directly subject to the HIPAA Security Rule, including administrative, physical, and technical safeguards, and imposing direct penalty liability for violations.

Common Examples of Business Associates

| Business Associate Type | PHI Access | BAA Required? |
|---|---|---|
| IT service providers / MSPs | System access, data storage | Yes |
| Cloud hosting (AWS, Azure, Google Cloud) | Data storage and processing | Yes |
| EHR / EMR vendors | Full patient records | Yes |
| Medical billing and coding services | Claims data, patient demographics | Yes |
| Document shredding companies | Physical PHI destruction | Yes |
| Attorneys (healthcare-related) | Case-specific PHI | Yes |
| Accountants / auditors | Financial records with PHI | Yes |
| Email encryption services | Email content with PHI | Yes |
| Answering services | Patient names, messages | Yes |
| Medical transcription services | Dictated patient records | Yes |

Key distinction: A vendor is NOT a business associate if they only provide services where PHI exposure is incidental and not the purpose of the arrangement (e.g., a janitorial service that might see PHI on a desk but does not handle it as part of their work).

Which Rule Expanded HIPAA to Include Business Associates?

This is one of the most commonly searched HIPAA questions, and the answer involves two key pieces of legislation:

The HITECH Act (2009)

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was the landmark legislation that first extended HIPAA compliance requirements directly to business associates. Key changes included:

  • Direct liability: Business associates became directly subject to HIPAA Security Rule requirements (administrative, physical, and technical safeguards)
  • Direct penalties: HHS/OCR gained authority to impose civil monetary penalties directly on business associates
  • Breach notification: Business associates became required to notify covered entities of any breach of unsecured PHI within 60 days
  • Subcontractor chain: Business associates became responsible for ensuring their own subcontractors (sub-business associates) comply with HIPAA

The Omnibus Rule (2013)

The HIPAA Omnibus Rule, finalized on January 25, 2013, implemented the HITECH Act’s business associate provisions into the HIPAA regulations. It formalized:

  • The expanded definition of “business associate” to include subcontractors
  • Required BAA provisions that must be included in every agreement
  • Direct applicability of Security Rule requirements to business associates
  • Updated breach notification requirements and the “low probability of compromise” standard
Need help identifying all your business associates? Medcurity’s platform walks you through BA identification and tracking.

What Must Be Included in a Business Associate Agreement?

The HIPAA Privacy Rule at 45 CFR 164.504(e) specifies the required elements of a BAA. Every business associate agreement must address:

| Required Element | Description |
|---|---|
| Permitted uses and disclosures | Specifically define what the BA can and cannot do with PHI, limited to the terms of the agreement and as required by law |
| Appropriate safeguards | BA must use appropriate safeguards to prevent unauthorized use or disclosure of PHI beyond what the agreement permits |
| Breach notification | BA must report any security incident or breach of unsecured PHI to the covered entity without unreasonable delay (within 60 days max) |
| Subcontractor requirements | BA must ensure any subcontractors that handle PHI agree to the same restrictions and conditions |
| Access to PHI | BA must make PHI available to individuals who request access under the HIPAA Privacy Rule |
| Amendment of PHI | BA must make PHI available for amendment and incorporate amendments when requested |
| Accounting of disclosures | BA must document and make available information needed for an accounting of disclosures |
| HHS/OCR access | BA must make internal practices and records available to HHS for compliance determination |
| Return/destruction of PHI | At termination, BA must return or destroy all PHI received, or if not feasible, extend protections indefinitely |
| Termination provisions | Covered entity may terminate the agreement if BA violates a material term |

Penalties for BAA Violations

Since the HITECH Act, HHS Office for Civil Rights (OCR) has aggressively enforced BAA requirements. The penalties apply to both covered entities that fail to obtain BAAs and business associates that violate HIPAA directly.

| Penalty Tier | Culpability Level | Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Did not know (and would not have known) | $141 – $71,162 | $2,134,831 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,424 – $71,162 | $2,134,831 |
| Tier 3 | Willful neglect (corrected within 30 days) | $14,232 – $71,162 | $2,134,831 |
| Tier 4 | Willful neglect (not corrected) | $71,162 – $2,134,831 | $2,134,831 |

Notable BAA-Related Enforcement Actions

  • North Memorial Health Care ($1.55M): Failed to have a BAA with a major contractor that had access to the PHI of 289,904 patients
  • MAPFRE Life Insurance ($2.2M): Failed to implement required security measures and did not have compliant BAAs in place
  • Raleigh Orthopaedic Clinic ($750K): Transferred PHI to a potential business partner without a BAA
  • Care New England Health System ($400K): Used outdated BAAs that did not reflect current HIPAA requirements
Common mistake: Many organizations sign BAAs once and never review them. BAAs should be reviewed annually and updated whenever the scope of services changes, regulations are updated, or the business relationship evolves.

Business Associate Agreement Management Best Practices

1. Maintain a Complete BA Inventory

Create and maintain a comprehensive list of every vendor, contractor, and service provider that has access to PHI. This inventory should include the vendor name, services provided, types of PHI accessed, BAA execution date, and renewal date.

2. Conduct BA Risk Assessments

Evaluate each business associate’s security posture. Request their most recent risk assessment results, SOC 2 reports, or security certifications. Higher-risk BAs (those with extensive PHI access) warrant more thorough due diligence.

3. Implement Annual BAA Reviews

Schedule annual reviews of all BAAs to ensure they reflect current regulatory requirements and the actual scope of services. The 2013 Omnibus Rule added new requirements that many older BAAs still don’t include.

4. Track Subcontractor Chains

Under the Omnibus Rule, business associates are responsible for their own subcontractors. Require BAs to disclose all subcontractors that handle PHI and obtain subcontractor BAAs.

5. Document Everything

Maintain documentation of all BA identification efforts, due diligence activities, BAA negotiations, and compliance monitoring. This documentation is essential during OCR investigations.

Automate Your Business Associate Management

Medcurity’s HIPAA compliance platform includes built-in business associate tracking, automated reminders for BAA renewals, and risk assessment tools — all starting at just $499/year.

Frequently Asked Questions

What is a HIPAA Business Associate Agreement (BAA)?

A HIPAA Business Associate Agreement is a legally required contract between a covered entity and any vendor that handles PHI. It establishes what the vendor can do with PHI, requires appropriate security safeguards, and defines breach notification responsibilities.

Which rule expanded HIPAA compliance requirements to include business associates?

The HITECH Act of 2009 first extended direct HIPAA liability to business associates. The Omnibus Rule of 2013 then formalized these requirements into the HIPAA regulations, making business associates directly subject to Security Rule requirements and enforcement penalties.

What must be included in a HIPAA BAA?

Required elements include: permitted uses and disclosures of PHI, safeguard requirements, breach notification procedures, subcontractor compliance provisions, PHI access and amendment rights, accounting of disclosures, HHS access provisions, PHI return/destruction at termination, and termination provisions for material breaches.

What are the penalties for not having a BAA?

Penalties range from $141 to $2,134,831 per violation, depending on the level of culpability. Multiple organizations have faced settlements exceeding $1 million for BAA-related failures.

Who qualifies as a HIPAA business associate?

Any person or entity that performs functions involving PHI on behalf of a covered entity, including IT providers, cloud services, billing companies, EHR vendors, shredding services, attorneys, and accountants.
