The Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the Health Insurance Portability and Accountability Act (“HIPAA”) by expanding the definition of Business Associates (“BA”) and their responsibilities and liabilities. A BA includes:

  1. Health Information Organizations
  2. E-Prescribing Gateways
  3. Persons/entities that for, or on behalf of, a Covered Entity:
    1. Create or received PHI
    2. Maintain or store PHI even if they do not or cannot access the PHI
    3. Offer personal health records
    4. Provide data transmission services if they routinely access the PHI

The Federal Office for Civil Rights (“OCR”), which enforces HIPAA and HITECH, has identified BAs as one of its top enforcement priorities. Under HIPAA and HITECH, BAs are directly liable for compliance and subject to the following monetary penalties:

Violation Category

Each Violation

Maximum Penalty per Identical Provision Violated in Calendar Year

Did Not Know

$100 - $50,000


Reasonable Cause

$1000 - $50,000


Willful Neglect – Corrected

$10,000 - $50,000


Willful Neglect – Not Corrected



Companies that are considered BAs, or companies that are contracting with a BA, should consider the following checklist when evaluating their compliance with HIPAA and HITECH:

  1. Designate a security officer.
  2. Perform a Security Risk Assessment.
  3. Implement administrative, physical, and technical safeguards to protect PHI.
  4. Identify and report breaches of security.
  5. Develop policies for HIPAA / HITECH compliance.
  6. Impose disciplinary actions where employees or vendors violate HIPAA / HITECH obligations.
  7. Verify that a Business Associate Agreement is in-place with all service providers that handle PHI.
  8. Maintain HIPAA and HITECH relevant documentation for such periods as required by law.