Updated 2025: Looking for a Business Associate Agreement? Download our FREE template

TotalHIPAA Logo

Auditing Business Associates

Summary:

Have you Audited your HIPAA Business Associates? This question comes up frequently when we are working on HIPAA Policies and Procedures for our clients. The answer is rarely “yes”. We find that most folks don’t even know where to begin with this process, or they’ve been using the services of their various vendors who handle […]

Have you Audited your HIPAA Business Associates?

This question comes up frequently when we are working on HIPAA Policies and Procedures for our clients. The answer is rarely “yes”. We find that most folks don’t even know where to begin with this process, or they’ve been using the services of their various vendors who handle PHI for so long, they haven’t given their HIPAA compliance stance a second thought or considered auditing their business associates.

The reason this is so important for your business is the Omnibus Ruling, and specifically the “federal common law of agency” provision. This means that your business is liable for civil money penalties for a violation committed by a workforce member or a Business Associate.  Read the law itself at the end of this article.1

How To

What kind of questions should you ask? Well, we’ve put together a short questionnaire for you to give to any vendors that handle PHI. If they answer “NO” to any of these questions, it means your Business Associate isn’t HIPAA Compliant, and you have a MAJOR liability issue on your hands!

Register here to receive your free BA/Subcontractor Audit Checklist:

[zohoForms src=https://forms.zohopublic.com/totalhipaa/form/FreeBusinessAssociateChecklistRegistration/formperma/MS4mXy2DPGHOmVQG2lX6M7XdIlqx3U-czwx1bJRkr3E width=100% height=600px/]

RELATED CONTENT

Here are some previous articles we’ve written about why HIPAA Compliance is so important for your Business Associates as well as information about Phase 2 audits.

Total HIPAA specializes in HIPAA compliance services, helping businesses adhere to HIPAA guidelines and protect sensitive data. Our experts ensure your organization remains compliant with HIPAA regulations, meaning you can focus on your core operations while we handle documenting the policies and procedures that make up your HIPAA compliance plan. Trust Total HIPAA for comprehensive compliance solutions tailored to your needs. Book a clarity call today.

FOOTNOTE

  1. 45 CFR 160.402 (1) A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.

MORE RELATED CONTENT

Business Associate Agreement: Everything Explained

Business Associates Must Take HIPAA Compliance Seriously

Sharing is caring!

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

Related Posts

Why do we need to test our Disaster Recovery Plan every year?

Why do we need to test our Disaster Recovery Plan every year?

Even if your internal software and servers remain perfectly static, the infrastructure, vendor updates, and cyber threats around them are constantly shifting. Waiting 2 or 3 years to test your backup systems leaves you vulnerable. This post breaks down the four external factors that degrade an untested playbook, explores HIPAA compliance mandates under NIST SP 800-66, and provides a granular, step-by-step example of what a compliant disaster recovery blueprint actually looks like.

How to Maintain HIPAA Compliance in Public Cloud Environments

How to Maintain HIPAA Compliance in Public Cloud Environments

Storing ePHI in the public cloud offers scalability but requires a strict “Shared Responsibility” approach. To remain HIPAA compliant, organizations must go beyond basic Business Associate Agreements (BAAs). The implementation of AES-256 encryption, multi-factor authentication (MFA), and microsegmentation are now required. This guide outlines the essential steps to securing your cloud infrastructure while meeting the latest HHS and OCR standards.

How to Stay HIPAA Compliant with Audit Logs

How to Stay HIPAA Compliant with Audit Logs

HIPAA audit logs are a mandatory technical safeguard under the HIPAA Security Rule, designed to track and record system activity across your network. To ensure complete compliance, organizations must actively maintain and routinely review these logs to detect unauthorized access to electronic protected health information (ePHI). This guide covers federal hipaa audit log requirements, the essential six-year hipaa audit log retention rules, best practices for tracking digital and physical data access, and how utilizing a structured hipaa audit log template protects your organization from catastrophic data breaches and costly federal penalties.

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)