Third-Party Risk is a Growing HIPAA-HITECH Dilemma for Covered Entities and Their Business Associates

Majority of Healthcare Organizations Grappling with BA Obligations According to Clearwater Compliance Interactive Blue Ribbon Panel Web Event

During Clearwater’s most recent monthly HIPAA-HITECH Blue Ribbon Panel™, industry leaders wrestled with the challenges and complexity of responding to Omnibus implications for Business Associates (BAs).

“Among other things, the regulations create a chain of trust that doesn’t end,” said panelist David Finn, Health IT Officer for Symantec Corporation. “As a result, third-party risk is an increasingly pressing issue for both Covered Entities and Business Associates.”

“It’s much scarier than it was a few years ago,” acknowledged panelist Elizabeth Warren, a healthcare attorney with Bass Berry & Sims. “The rules have made it easier for organizations to have penalties levied against them because of the actions of a subcontractor.”

As Warren suggests, if an organization falls short of reasonable measures to ensure BA compliance, it risks being swept up in enforcement actions that potentially result in significant financial and reputational damage.

On the other hand, if an organization gets too involved, it risks assuming more responsibility than it needs to shoulder.

“Be careful when deciding how much you want to know about the compliance practices of your BAs,” said Finn. “If you are collecting a lot of information, you have to deal with all of it, and you potentially are putting yourself at more risk.”

In addition to fielding specific questions from attendees, the Blue Ribbon Panel also offered best practices for working with Business Associates, including:

  • Create an inventory of all your Business Associate relationships. Be as comprehensive as you can.
  • Rank order BAs based on key variables such as the sensitivity of the patient data they have access to, the nature and frequency of that access, as well as their track record with data privacy and security.
  • Be sure you have updated all BAAs according to the latest requirements.
  • Conduct a BA Summit to help your partners better understand their responsibilities and how to enhance their HIPAA compliance efforts.
  • Implement an ongoing Business Associate monitoring and management program.

An in-event poll of attendees showed that while 36 percent have an up-to-date, documented inventory of their BAs, only 25 percent reported that their Business Associate Agreements (BAAs) were up-to-date and a mere eight percent have rank ordered their BAs in terms of risk.

“Just being able to say you have BAAs in place is something to celebrate, but as you evolve, you do have to take it to the next level,” said Frank Ruelas, compliance officer for Gila River Health Care. “The real key is to work together. Covered Entities are struggling with compliance. Business Associates are brand new to this. Closer collaboration means everyone will end up in a better place.”

Among the other insights and predictions from the panel were the following:

  • The Federal Trade Commission will become even more interested in policing and enforcing standards for protecting consumers within the context of health information privacy and security.
  • A BA’s ability to protect health information will become a differentiator. Increasingly, BAs will compete on their track record for safeguarding information.

Interested organizations can download a full recording of this web event and sign up for next month’s panel by clicking here.

Next up for the Blue Ribbon Panel is a discussion on Preparing for OCR Enforcement Actions. The web event is scheduled for Thursday, May 1, 2014 3:30 pm – 5:00 pm CDT.

About the HIPAA-HITECH Blue Ribbon Panel
The Blue Ribbon Panel convenes monthly for 90-minute interactive sessions to discuss relevant news, updates and evolving compliance ramifications via an ongoing series of live web events. Each session features 5-6 national experts who share insight and exchange ideas while fielding questions from attendees.

About Clearwater Compliance
Clearwater Compliance, LLC, focuses on helping healthcare organizations and their service providers become and remain HIPAA-HITECH Compliant. Owned and operated by veteran, C-suite health care executives, Clearwater Compliance provides comprehensive, by-the-regs HIPAA software and tools, risk management solutions, training, and professional services for small medical practices and healthcare startups to major healthcare systems, health plans and Fortune 100 companies. Since 2003, the company has served more than 350 organizations. Find out more about our HIPAA compliance software, solutions and consulting services at or connect with us via Twitter: @ClearwaterHIPAA.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.