The delivery of health care – and payment for that care – is a complex endeavor, and health care providers and health plans rely on third parties to help them operate as businesses and fulfill their responsibilities to patients and beneficiaries. Frequently, these third parties need access to health information in order to perform functions or services for health care entities. The Health Insurance Portability and Accountability Act or “HIPAA” permits health care providers and health plans (known as “Covered Entities”) to share health information with these third party vendors, which are referred to as “Business Associates” under HIPAA’s regulations. Historically, HIPAA regulated Business Associates by requiring Covered Entities to manage them through contractual relationships. However, in 2009, Congress made Business Associates directly accountable to regulators for compliance with most of HIPAA’s regulations, and regulations to effect that change were finalized in 2013. With this enhanced accountability come questions about the extent to which Business Associates are in compliance with HIPAA’s privacy and security rules.

In an effort to assess Business Associates’ compliance with their obligations to protect health information under HIPAA, this report provides an overview of the different types of services that Business Associates provide to Covered Entities, describes the efforts that Business Associates and Covered Entities are making to satisfy HIPAA’s various privacy and security requirements, and makes recommendations to improve these efforts. The report was informed by telephone interviews with 16 Covered Entities (representing large health systems, integrated delivery networks, small physician offices, health centers, pharmacies, health plans and government payers) and five Business Associates (representing technology and software vendors and health information networks).