In this episode we discuss the definition of a Business Associate: how do you find your Business Associates, and what should your process for managing them include?



A managed service provider (MSP) is a third-party contractor that is under contract (usually for a monthly fee) to provide ongoing technology support to other organizations.


A Notice of Privacy Practices (NPP) is the document CEs provide to patients when they begin treatment or coverage. It defines the CE's Privacy, Security, and Breach Rule commitments to the patient.



WEDI BA Decision Tree

WEDI Business Associates & HITECH Deep Dive


Kardon Compliance



1. Anyone who CReMaTs (creates, receives, maintains, or transmits) PHI on behalf of a CE or another BA

Another way to think of it: Produced, Received, Saved, Transferred

2. Upstream and Downstream BAs

3. BAAs and what they really mean

4. What are BAs supposed to do?

  •  Security Rule
  •  Breach Plan
  •  Portions of the Privacy Rule
  •  OCR – do what CEs are required to do

5. BA Due Diligence

6. Finding them in your organization.

  •  1099s
  •  Subcontractors
  •  Software vendors

7. Don’t go crazy making everyone a BA – incidental exposure applies to electricians and others.