Yes, Dorothy, a Risk Analysis Is Required!

A Business Associate (BA) is someone who performs services that involve the disclosure of Protected Health Information (PHI), such as claims processing, utilization review, billing, quality assurance, or benefit management.

Companies performing other types of services, such as legal, accounting, financial, or administrative services, may also be considered BAs if they need access to PHI in order to perform their responsibilities.

Did you know?

BAs are required to comply with the requirements identified in the HIPAA Security Rule 45 CFR § 164.314(a)(2).

This means all BAs, no matter their size, are required to perform a complete and thorough risk analysis to identify their potential Administrative, Physical and Technical security risks to PHI (45 CFR § 164.308(a)(1)).

Remember: ANY change made to the equipment used to create, receive, maintain, or transmit a practice’s PHI requires an update to the risk analysis.


And don’t forget to document your findings – if it’s not documented, it didn’t happen!

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?



For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” newsletter today.