Health centers collect and store large amounts of Protected Health Information (PHI), which carries significant risks and responsibilities. Partnering with a business associate to assist with your health center’s work means you are entrusting a third-party with access to this sensitive information, making proper oversight essential.

In recent years, breaches involving business associates have become increasingly common. For example, ApolloMD Business Services, LLC (ApolloMD), a physician practice management services company, disclosed a security incident in which an unauthorized third party accessed its network through its website. The breach affected patients from 11 physician practice clients, all covered entities, and involved sensitive information such as names, addresses, dates of birth, diagnoses, treatment details, insurance information, and in some cases, Social Security numbers.

Incidents like this underscore the importance of effectively managing business associates. Below are key practices health centers should consider to strengthen oversight and reduce risk:

Engage in Proper Due Diligence

Selecting a reliable and compliant business associate is critical. Before entering into a business associate agreement, conduct thorough due diligence to evaluate the business associate’s security posture, compliance history, and any prior incidents. This step helps ensure adherence to HIPAA Privacy and Security Rules and reduces the risk of legal violations, financial penalties, and reputational damage.

Implement Strong Business Associate Agreements

Business Associate Agreements (BAAs) are a foundational component of HIPAA compliance. Covered entities must ensure these agreements are in place for all vendors with access to PHI. A well-structured BAA should:

• Clearly define permitted uses and disclosures of PHI
• Require appropriate administrative, physical, and technical safeguards
• Establish clear breach notification obligations

Ensure Subcontractor Compliance

Compliance responsibilities extend beyond your direct business associate. If subcontractors are involved, covered entities should verify that appropriate agreements are in place to ensure HIPAA obligations flow downstream. Any party handling PHI must meet the same security and compliance standards.

Maintain Communication with Business Associates

Open and collaborative communication with business associates is essential.  Regular engagement helps ensure security safeguards are up to date, supports timely identification of risks, and enables coordinated responses to potential breaches or compliance issues.