A reference for business associates using the SecurityMetrics HIPAA Guide at their organizations. 

We released the SecurityMetrics 2018 Guide to HIPAA Compliance on November 30, 2017.

Business associates (BA) and small entities will benefit from this desk-side HIPAA reference, especially since they may have limited resources and are often self-taught.

Our HIPAA Guide was created to help business associates with some of the more challenging aspects of HIPAA compliance like the minimum necessary rule, secure data deletion, business associate agreements, and network segmentation.

If you’re a BA and in charge of HIPAA, you can use the following page numbers and HIPAA Guide highlights to help guide you through your more common HIPAA concerns and challenges.

Common business associate concerns (PP. 11-12)


Reminder: a BA is a person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., IT provider). Business associates can be from legal, actuarial, consulting, data aggregation, management, administrative, accreditation, and/or financial organizations. Some possible business associate functions include:
  • Claims processing or administration
  • Data analysis, processing, or administration 
  • Utilization review
  • Quality assurance
  • Billing
  • Benefit management
  • Practice management
  • Repricing
These are some of the most basic questions business associates face when getting HIPAA compliant:
  • Do Business Associates have to be HIPAA compliant?
When it comes to responsibility, if your organization is considered a business associate, you may think you’re exempt from HIPAA compliance, especially if you don’t consider yourself part of the healthcare industry. However, HHS requires that any business associate that creates, receives, transmits, and/or maintains protected health information (PHI) in any way be HIPAA compliant.
  • Are Business Associates responsible for patient data? 
Business associates are legally bound to protect PHI. You must comply with all data security requirements in HIPAA and follow the Security and Breach Notification Rules (unless contractually obligated to follow the Privacy Rule). You are required to protect PHI just as a covered entity would: by means of network segmentation, secure data destruction, etc.

SEE ALSO: HIPAA FAQS

Minimum necessary requirement (PP. 100-102)


A large portion of the Privacy Rule is based on the minimum necessary requirement, which states that only those who need to see or access PHI to do their jobs should get to see or access it.

BAs often think their covered entity holds the sole responsibility of deciding how much data they receive. This is simply not the case. Both business associates and covered entities have a minimum necessary responsibility under HIPAA.

BAs should only accept and use the minimum amount of data necessary. They, too, can face fines from HHS if they accept or demand more data than is necessary from covered entities. As a business associate, if you receive too much data from a covered entity, you are responsible for letting the covered entity know.

Check out page 102 of the HIPAA guide to learn about instances when the minimum necessary rule does not apply.

Permanently destroy or delete PHI (PP. 21, 26-27, 105)


The first step to managing/deleting old data is deciding how long you need to keep it. Many states have requirements about the amount of time that you must keep patient data. This can apply to uses and disclosures and even the patient record. Entities commonly maintain data for a minimum of a decade. If a patient has passed away, there will be additional requirements for data retention that must also be considered.

The second step is to understand how to permanently destroy or delete data. Most people understand that physical sensitive data should be destroyed permanently by shredding, burning, or pulping.

But when it comes to electronic data, merely deleting or moving sensitive information to the Trash or Recycle Bin on your computer will not permanently remove it. Your computer won’t be able to find that file, but it still exists.

HHS has determined that for electronic PHI, overwriting or clearing (i.e., using software or hardware products to overwrite media with non-sensitive data) is the best way to securely delete sensitive patient data on systems still in use.

When thinking about how to permanently delete files from your network, don’t forget about any archived data, including:
  • Time Machine backups
  • Cloud backups
  • External hard drive backups
  • CD or DVD backups
  • Email backups 
  • FTP backups
  • Server backups 
  • Mirror backups 
  • Offsite backups
If media is magnetic (e.g., tapes, hard drives), it should be degaussed or demagnetized.

But if you don’t plan to use the media again, it’s highly recommended to physically destroy it. Some third-party organizations have industrial-sized shredders to dispose of larger hardware.
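The overwrite-then-delete approach described above, shown as an added example that is not from the SecurityMetrics guide or any of its tooling. It overwrites a file's bytes in place with non-sensitive filler, forces the writes to the device, and only then unlinks the file; the sample "patient record" it creates is a constructed string, not real PHI. It assumes a conventional, non-copy-on-write filesystem on magnetic media: on SSDs, journaling or snapshotting filesystems, and any of the backup locations listed above, overwriting one file does not reach every copy, which is why the guide's advice to degauss or physically destroy retired media still applies.

```python
import os
import secrets
import tempfile

# Constructed sample content; stands in for a record you would actually be purging.
SAMPLE_RECORD = b"Patient: Jane Doe, MRN 0000001 (constructed sample, not real PHI)\n" * 64


def overwrite_and_delete(path: str, passes: int = 1, chunk_size: int = 1 << 20) -> int:
    """Overwrite every byte of the file in place, push the writes to disk,
    then unlink it. Returns the number of bytes overwritten per pass.

    Opening with "r+b" keeps the existing allocation, so the filler lands on
    the same blocks the original content occupied (on a conventional,
    non-copy-on-write filesystem). Opening with "wb" would truncate first,
    and the new blocks could be allocated elsewhere, leaving the old data intact.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))  # non-sensitive filler, per pass
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # do not trust the page cache; reach the device
    os.remove(path)  # only now is the directory entry removed
    return size


def demo(passes: int = 3) -> tuple:
    """Write the constructed sample to a temp file, purge it, and report
    (bytes overwritten per pass, whether the file still exists)."""
    fd, path = tempfile.mkstemp(prefix="phi-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    written = overwrite_and_delete(path, passes=passes)
    return written, os.path.exists(path)


if __name__ == "__main__":
    n, still_present = demo()
    print(f"overwrote {n} bytes per pass; file still present: {still_present}")
```

Running the script with a plain `os.remove` in place of `overwrite_and_delete` would leave the record's bytes on disk until the blocks are reused, which is exactly the "your computer won't be able to find that file, but it still exists" situation the guide warns about.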

Business associate agreements (PP. 110-113)


The HIPAA Final Omnibus Rule requires covered entities to implement or update a business associate agreement (BAA) when a BA creates, receives, maintains, and/or transmits electronic patient data.

In these new or revised BAAs, covered entities, business associates, and subcontractors agree to share responsibility for patient data protection and breach notification. Here are a few examples of what should be included in your business associate agreement:
  • A minimum necessary policy 
  • Business associate’s permitted use of PHI
  • Prohibited use of PHI 
  • Covered entity’s responsibility
  • Appropriate safeguards to protect PHI
  • Breach reporting guidelines
  • Contract termination provisions
Covered entities typically will not work with you if you refuse to sign a BAA or to comply with HIPAA regulations. You should know what is in the BAA you sign, and what exactly you’re liable for when it comes to protection of PHI.

SEE ALSO: Business Associate Agreements 101

Network segmentation (PP. 12, 46-47)

Business associates often set up large flat networks, where everything inside the network can connect to everything else. You may have one firewall at the edge of your network, but that’s it. Generally, the more places that have access to patient information, the higher the chances for a HIPAA violation or data breach.

Network segmentation can be achieved through use of specific firewalls and the sectioning off of systems that contain or receive PHI from the rest of the network.

Network segmentation is especially useful for you if you need to protect PHI. If done properly, it can greatly reduce time, energy, money, and potential liability related to HIPAA.
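One way to check that a network really is sectioned off rather than flat, as an added example not drawn from the SecurityMetrics guide or PIIscan: classify each observed flow record by segment and report every connection that reaches the PHI segment from outside it without matching an explicit allow-list, which is the default-deny policy a segmenting firewall should enforce. The address plan, the allowed flows and the flow records are all constructed for this example; a real deployment would substitute its own ranges and the flows its PHI systems genuinely need, and would audit egress from the PHI segment the same way.

```python
import ipaddress
from typing import NamedTuple

# Constructed, hypothetical address plan used only for this example.
SEGMENTS = {
    "phi": ipaddress.ip_network("10.10.0.0/24"),        # systems that store or receive PHI
    "corporate": ipaddress.ip_network("10.20.0.0/24"),  # ordinary staff workstations
    "guest": ipaddress.ip_network("10.30.0.0/24"),      # visitor wifi, printers, IoT
}

# Default-deny allow-list for traffic crossing INTO the PHI segment.
# Each entry: (source network, destination network, protocol, destination port).
ALLOWED_INTO_PHI = [
    # workstations may reach the PHI application front-end over HTTPS only
    (SEGMENTS["corporate"], ipaddress.ip_network("10.10.0.10/32"), "tcp", 443),
    # one designated backup host may reach PHI storage over SSH
    (ipaddress.ip_network("10.20.0.5/32"), SEGMENTS["phi"], "tcp", 22),
]


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: <timestamp> <src> <dst> <proto> <dport>."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def segment_of(addr: ipaddress.IPv4Address) -> str:
    """Name the segment an address belongs to, or 'unknown' if outside the plan."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def allowed_into_phi(flow: Flow) -> bool:
    """True only if the flow matches an explicit allow-list entry (default deny)."""
    return any(
        flow.src in src_net and flow.dst in dst_net
        and flow.proto == proto and flow.dport == dport
        for src_net, dst_net, proto, dport in ALLOWED_INTO_PHI
    )


def audit(lines):
    """Return (ts, src, dst, proto, dport, source segment) for every flow that
    crossed into the PHI segment from outside it without an allow-list match."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        # only crossings INTO the PHI segment are audited here
        if segment_of(flow.dst) != "phi" or segment_of(flow.src) == "phi":
            continue
        if not allowed_into_phi(flow):
            violations.append((flow.ts, str(flow.src), str(flow.dst),
                               flow.proto, flow.dport, segment_of(flow.src)))
    return violations


# Constructed sample records, normalised the way a firewall or NetFlow export might be.
SAMPLE_FLOWS = """\
2018-01-15T10:00:01Z 10.20.0.15 10.10.0.10 tcp 443
2018-01-15T10:00:02Z 10.20.0.15 10.10.0.10 tcp 445
2018-01-15T10:00:03Z 10.30.0.7 10.10.0.10 tcp 443
2018-01-15T10:00:04Z 10.20.0.5 10.10.0.20 tcp 22
2018-01-15T10:00:05Z 10.20.0.15 10.20.0.16 tcp 445
2018-01-15T10:00:06Z 10.20.0.15 10.10.0.20 tcp 22
""".splitlines()

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("not on allow-list:", v)
```

On the constructed records the checker flags three crossings: a workstation opening SMB (445) to the PHI application server, a guest-network device reaching that server at all, and a workstation opening SSH to PHI storage, which only the designated backup host may do. In a flat network with a single edge firewall, all three would simply succeed.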

SEE ALSO: PIIscan Searches Systems for Unencrypted Data

HIPAA applies to business associates

Even though, as a business associate, you may not deal with patients and their data in exactly the same way covered entities do, you are still required to comply with HIPAA rules and regulations.

The SecurityMetrics 2018 HIPAA Guide provides plenty of guidance specifically for business associates to help you keep data safe and move towards HIPAA compliance. Our ultimate goal is to empower individuals at organizations to protect patient data. We want to provide resources that educate employees at all levels about HIPAA rules and regulations.

Have questions about data security or HIPAA compliance, or interested in a HIPAA audit? Contact us.