Ignorance of the law will not hold up if OCR investigates or audits your organization.

Come hear our expert panel discuss why they sense that OCR is ready to find and investigate a few bad business associates.

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is quite aware that more than 40% of all reportable breaches involving PHI were caused by business associates (BA). OCR also knows although covered entities (CE) account for more than half of breaches involving PHI, breaches involving BAs impacted the most records. Due to the increase of data breaches involving BAs, the HIPAA Omnibus Final Rule (Final Rule) made substantial changes to the obligations and liabilities of BAs and their subcontractors.  These changes implement provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which sought to make BAs more accountable for the use, disclosure and security of protected health information (PHI).  BAs, and their subcontractors, now face HIPAA enforcement actions and are directly liable for violating the HIPAA Security Rule, as well as certain provisions of the Privacy and Breach Notification Rules.

However, it seems that business associates have yet to catch they actual eye of OCR enforcement. We don’t take this inaction as a free pass, we see this lull in OCR investigations and/or audits of business associates simply the calm before the storm. The Final Rule has been in effect since September 23, 2013, yet a majority of BAs and their subcontractors are not compliant, either not knowing where to start, or not even knowing if they meet the definition of a BA/subcontractor.

Register Now

Date & Time

This event has been cancelled. Please be sure to register for our newsletter below to be the first to hear about new Blue Ribbon Panel and other educational events as we add them.


This session is designed to help anyone responsible for protecting sensitive information take immediate action on identified risks.

This session is offered as a 90-minute Blue Ribbon Panel using the GoToWebinar platform. The open format encourages questions during and after the session.

Key topics include:

  • The increase in data breaches involving BAs
  • Why it’s predicted that OCR will begin investigations and audits of business associates in the near future
  • How one individual complaint or one breach can allow OCR to investigate your entire HIPAA compliance program

The Challenge

The Final Rule has been in effect since September 23, 2013, and it has been relatively quiet on the OCR enforcement front. However, data breaches involving health care organizations and their BAs continue to rise. The Final Rule makes BAs and their subcontractors directly liable to OCR for violating certain provisions of HIPAA.  Thus, BAs and their subcontractors are subject to civil and criminal penalties under HIPAA.

With the surge in the amount of sensitive information being exchanged, ensuring its protection is a huge challenge that depends on alignment of privacy and security goals. OCR is taking note that more than 40% of healthcare-related data breaches were caused by BAs. As such, OCR will begin to investigate and/or audit BAs to ensure that proper physical, technical and administrative safeguards are in place to protect the sensitive data that is in the BAs control. Listen to an expert panel discuss why they predict OCR will begin to investigate BAs and what this means for your organization.

Learning Outcomes

If you create, receive, maintain or transmit PHI, you need to attend this Blue Ribbon Panel event. This live event will educate and inform attendees, while allowing an open forum for discussion. We will have a panel of 4-5 experts engaging in meaningful discussion of BA liability, OCR enforcement and increased scrutiny over BAs.

The expert panel will provide real-life examples, share ‘war’ stories and answer attendees questions.

  • Learn the importance of BA liability under HIPAA
  • Steps you can take to prepare for an OCR audit or investigation
  • Understand that healthcare is the next cyber security battleground and BAs will be targets for both attacks and regulatory enforcement
  • All registrants will receive a copy of all presentation materials.
Register Now

Reserve your seat

Join us for this complimentary educational webinar and learn the foundations of a strong information risk management program.
Register Now