HIPAA for Business Associates




Faculty: Becca Kalivas, RN, MS


Successful Completion: Complete entire module, complete the exam with a passing score of 80% or better, and complete the evaluation form.


Estimated Time to Complete Activity: 90 minutes.


CEUs: HIPAA Exams is authorized by IACET to offer 0.2 CEUs for this program.


Free Certification of Completion available instantly for download or printing upon successful completion.


This online HIPAA compliance training for business associates and office staff covers the key HIPAA requirements, standards, and regulations that apply to your handling of protected health information.

HIPAA stands for the Health Insurance Portability and Accountability Act and is a U.S. federal law.

This course provides a comprehensive look at HIPAA legislation as it applies to a Business Associate.

The Omnibus Final Rule greatly increased Business Associates’ liabilities related to HIPAA compliance. To ensure privacy of protected health information and to avoid potential civil and criminal penalties, it is imperative that Business Associates have a solid understanding of this complex legislation.

  • 2021/2022 Updates
  • ONC 21st Century Cures Act Final Rule
  • The CMS Final Rule

Course includes a video and audio component with stand-alone exam

Receive HIPAA Certification "Certificate of Completion" with successful completion

HIPAA for Business Associates FAQs

What is a business associate?

A business associate (BA) is a person or organization that performs a function or service for or on behalf of a covered entity and creates, receives, maintains, or transmits protected health information (PHI) in doing so. To protect PHI and comply with the Health Insurance Portability and Accountability Act (HIPAA), a covered entity must have a business associate agreement (BAA) in effect with each of its business associates before sharing PHI with them. This post answers common questions about HIPAA for business associates (BAs).

What does a business associate do?

Simply put, a third-party organization that creates, receives, maintains, or transmits PHI on a covered entity's behalf in the ordinary course of its work is a business associate (BA). A vendor that merely transports or transmits PHI without accessing it, such as a courier or an internet service provider acting as a conduit, is not a BA under HHS guidance.

The U.S. Department of Health & Human Services (HHS) lists the following functions and activities that make an entity a BA: 

  • Claims processing or administration
  • Data analysis, processing, or administration
  • Utilization review
  • Quality assurance
  • Billing
  • Benefit management
  • Practice management
  • Repricing 

BA services include but are not limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial.

What is a Business Associate Under HIPAA Rules?

As mentioned earlier, a business associate (BA) is defined by the HHS as a person or entity that works for or offers services to a covered entity and performs specific tasks or activities that include using or disclosing protected health information (PHI).

Even though BAs typically do not interact with patients, they may still access, store, or process patient medical records. 

What are HIPAA's Requirements for Business Associates?

Like covered entities, BAs must comply with HIPAA to avoid severe penalties. BAs are required to: 

  • Develop and comply with valid BAAs. To comply with HIPAA, covered entities are required to sign a BAA with their BA before sharing any PHI with them for privacy and security reasons.
  • Establish legal subcontractor agreements. The BA must require that their subcontractors adhere to HIPAA regulations if they access, transfer, or otherwise encounter PHI.
  • Comply with the Privacy Rule. BAs may use and disclose PHI only as their BAA permits or as the law requires, must apply the "minimum necessary" standard, and must support the rights the Privacy Rule gives individuals over their PHI (such as access) to the extent their BAA requires it.
  • Perform a HIPAA Security Rule risk analysis. BAs must conduct and document an accurate and thorough assessment of the risks to the electronic PHI (ePHI) they hold in their computer and other information systems, and then act on the findings. 
  • Apply Security Rule safeguards. The Security Rule specifies administrative, physical, and technical safeguards that BAs must implement for ePHI.
  • Implement written Security Rule policies. BAs must establish and maintain the written policies and procedures required by the Security Rule. 
  • Respond immediately to a violation or breach. If a BA causes or discovers a breach of unsecured PHI, it must notify the covered entity without unreasonable delay, and in no case later than 60 days after discovery.
  • Enforce HIPAA training for employees. BA employees should participate in and complete HIPAA training to fully comprehend their obligations concerning protecting PHI. 
  • Keep required documentation. BAs must retain the documentation required by the Security Rule for six years from the date it was created or the date it was last in effect, whichever is later. 
  • Destroy or return PHI. The BA must agree to return or destroy any PHI they received from the covered entity they are working with once their services are finished. This also includes subcontractors. 
  • Examine other federal or state privacy laws. If a state or other federal law has stricter regulations than HIPAA, BAs should abide by that law.

Can two business associates share PHI?

If certain requirements are met, PHI can typically be shared directly from one BA to another BA of the same covered entity without using the covered entity as a conduit or intermediary. The conditions to be met can depend on factors such as: 

  • Whether the covered entity directed the BA to make the disclosure
  • Whether the BA contract authorized the disclosure
  • The purpose of the disclosure

What is the business associate's responsibility when it has a HIPAA breach?

Like covered entities, BAs may be held accountable for PHI exposure. By signing a BAA, BAs are required to follow HIPAA regulations or risk paying penalties for HIPAA noncompliance. 

According to HHS, if a breach of unsecured PHI occurs at or by a BA, the BA must notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. A breach is treated as discovered on the first day it is known to the BA, or would have been known had the BA exercised reasonable diligence, so the clock starts at discovery, not at the end of the BA's internal investigation. To the extent practicable, the BA must identify for the covered entity each individual affected by the breach and provide any other information the covered entity needs for its notice to those individuals. A BAA may set a shorter notification deadline than the 60-day regulatory maximum, and many do. 

What is a HIPAA business associate agreement? 

A HIPAA business associate agreement (BAA) is a contract between a covered entity and the organization or individual acting as its business associate. It sets out the permitted uses and disclosures of PHI and the duties and responsibilities of the BA for protecting any PHI shared between the two parties. HIPAA requires a BAA between a covered entity and each BA that handles PHI as part of its services. 

For more information on HIPAA Business Associates, visit the U.S. Department of Health & Human Services (HHS) website. 

How will HIPAA Compliance be Enforced for a Third-Party Business Associate?

The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates to protect the privacy of protected health information; however, covered entities are not required to monitor or oversee how their business associates carry out those privacy safeguards. Since the Omnibus Final Rule, business associates and their subcontractors are directly liable under HIPAA, so the HHS Office for Civil Rights (OCR) can investigate and penalize a BA for its own violations independently of the covered entity.

If patient information is compromised, the covered entity, its patients, and the BA all bear the consequences. A third-party IT or security vendor that handles PHI should therefore have the knowledge and experience to meet, and to demonstrate that it meets, HIPAA's requirements.

How to Purchase

To enroll in this course, simply add the number of users you need below and ADD TO CART. Follow the steps for CHECKOUT which will include registering your account.


Course Demo

This demo video is a small sample of the course's content; it is not representative of the full course or the level of engagement required.

Learning Objectives

  • Explain the purpose of HIPAA legislation 
  • Explain the changes the Omnibus Final Rule made to HIPAA
  • Identify the key elements of the Privacy Rule, Security Rule, and Enforcement Rule
  • Explain the process for Breach Notification
  • Describe the Unique Identifiers and Transaction and Code Set Rules
  • Illustrate how to apply these rules to their functions as a Business Associate
  • Understand the Business Associate Agreement (BAA)

Target Audience

This course is designed for anyone who falls under the Business Associate category, including medical billing and medical transcription services, software/IT companies, answering services, consultants, marketing agencies, cleaning services, medical device manufacturers, legal services, and more.

Table of Contents

HIPAA Training for Business Associates (HIPAA Privacy, Security, and Enforcement Training)


  • HIPAA Compliance for Business Associates
  • Legal Notice
  • Objectives 
  • Purpose of Course 
  • Introduction to HIPAA 
  • What is Portability? 
  • What is Accountability? 
  • HITECH Act and Omnibus Final Rule 
  • Who must abide by HIPAA rules? 
  • Covered Entities 
  • Business Associates 
  • Expanded definition of Business Associate 
  • Business Associate Agreements 
  • HIPAA Privacy Rule 
  • Privacy Rule for Business Associates 
  • Permitted Use and Disclosure of PHI 
  • ONC Cures Act Final Rule - 2021/2022 Update
  • CMS Final Rule - 2021/2022 Update
  • "Minimum Necessary" Principle 
  • Business Associate and Privacy Rule Scenario 
  • Individual Access to Protected Health Information 
  • More Individual Rights Under the Privacy Rule 
  • Personal Representatives and Minors Under the Privacy Rule 
  • State Law and the Privacy Rule 
  • HIPAA Security Rule 
  • What Security Measures Must be Used? 
  • Administrative Safeguards 
  • Technical Safeguards 
  • Privacy and Security for Mobile Devices 
  • Transaction and Code Set Standards 
  • Unique Identifiers Rule 
  • HIPAA Enforcement Rule 
  • Enforcement Rule and Civil Money Penalties 
  • Defenses and Waivers for CMP 
  • Liabilities for Violations 
  • HIPAA Breach Notification Rule 
  • Burden of Proof for Breach Notification
  • Recent Updates to HIPAA - Cloud Computing
  • Real Life Examples of HIPAA Breaches 
  • End of Course Exam

Course Content Example 1:

HITECH Act and Omnibus Final Rule

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is a part of the American Recovery and Reinvestment Act of 2009.

  • It contained incentives related to health care information technology and for the adoption of electronic health records
  • The Omnibus Final Rule modified elements of HIPAA to conform to amendments under the HITECH Act
  • It was released in January of 2013 and went into effect on March 26, 2013
  • Those impacted had until September 23, 2013 to become compliant with these changes

Some features of the HITECH Act and Omnibus Final Rule:

  • Strengthened existing HIPAA requirements for Privacy and Security
  • Expanded individuals' rights
  • Increased enforcement of HIPAA compliance
  • Addressed notification for breaches of Protected Health Information

Course Content Example 2:

Business Associates

If a covered entity hires an organization to provide a service that involves access to Individually Identifiable Health Information, that organization is considered a Business Associate and must enter into a Business Associate Agreement.

What is Individually Identifiable Health Information?

Information that is created or received by a covered entity or business associate that:

  • Relates to past, present, or future health of an individual, including genetic information
  • Relates to past, present, or future treatment of an individual
  • Relates to past, present, or future payment of health care
  • And identifies or can reasonably be used to identify an individual, such as name, address, birthday, or Social Security Number
  • Also referred to as Protected Health Information (PHI)


Download Certificate of Completion Immediately

3 Attempts to Pass Your Exam

Instant Access: 100% Online - Access 24/7 from Anywhere

No Recurring Fees


What People Are Saying

"I wanted to thank you for getting everything set up for my students to take the exams through your company. HIPAA and BBP are working well!" Teri Junge, MEd, CSFA, CST, FAST - Triton College


Train Anywhere, Anytime

Courses can be accessed from any internet device at anytime.