• Contact
  • 888-54-FIRST
  • Client Login
    • Client Portal
    • Online Store
Search
First Healthcare Compliance
  • Solutions
    • Compliance Management Software
    • Online Compliance Courses
    • Compliance Management Suite
  • Plans
  • Resources
    • Blog
    • Virtual Education Hub
    • 1st Talk Compliance Podcast
    • Connect Magazine
    • Compliance Posters
    • Healthcare Compliance Books
    • Newsletter Signup
  • News & Events
    • Press Releases
  • Our Team
  • Request Demo
  • Menu Menu
  • Shopping Cart Shopping Cart
    0Shopping Cart

Blog

Q&A: HIPAA: A Timely Overview & Update

January 20, 2021/in Blog, Business Associate, HIPAA

HIPAA compliance review

Grant Elliott, CEO and chairman of Ostendio, a collaborative integrative risk-management SaaS platform, presented the webinar “HIPAA: A Timely Overview & Update” and a recording can be viewed here. Grant returned to answer many commonly asked questions from the webinar.

My Covered Entity customer is asking me to sign a BAA (Business Associate Agreement) even though I do not have access to PHI.  What should I do?

Whether you are a Business Associate or not is defined by what you do, not by any contract you sign.  If you are not handling PHI then you are not a Business Associate and HIPAA does not apply.  But just remember, if you handle any PHI at all on behalf of a Covered Entity, even unintentionally or accidently, then HIPAA will apply and so will the HIPAA related terms of the BAA.  This is the case regardless of whether you have signed a BAA or not.   

It is also critically important to remember that a BAA is a legal document in its own right, and any additional terms you sign as part of that agreement, whether HIPAA applies or not,  may be legally binding.  I see many BAAs that overreach in terms of adding audit rights, breach notifications rights and other rights beyond those required by HIPAA.  Often a BAA will include a right to cancel and add language which stipulates the BAA takes precedence over any other part of the overall agreement.  Failure to adhere to any part of this addendum, including any non-HIPAA elements, could provide your customer with a back door mechanism to cancel your contract.  

So the short answer is: understand what PHI you will have access to and read the BAA carefully for additional terms before signing.  If you are not sure, I would recommend speaking to a HIPAA lawyer. 

How do I know if I have done enough to be HIPAA compliant?

The tough answer is that you don’t know because unfortunately there is no formal adjudication authority that can provide you with a certificate of compliance to HIPAA.  The Office of Civil Rights (OCR), a department within Health and Human Services (HHS), regulates HIPAA but they do not provide a formal certification.  Many audit firms will offer to conduct a HIPAA audit or assessment but it is important to bear in mind that the result of this audit or assessment is an opinion only, as they are not authorized to certify you as compliant.  However, you can take steps to ensure your organization is operating in line with applicable HIPAA regulations and conducting a HIPAA risk assessment is a requirement of HIPAA.  OCR has shown that they consider not conducting an appropriate HIPAA Risk Assessment to be an egregious violation.  So the best course of action is to work with an organization that understands HIPAA,  to conduct a HIPAA Risk Assessment and then work to ensure you remediate any risks identified.  While you can never officially claim to be “HIPAA Compliant” you can be confident in knowing you are taking all reasonable and appropriate steps to operate in line with HIPAA regulations. 

Do I need to be HIPAA compliant if I don’t have access to PHI?

The short answer is no you don’t need to be HIPAA compliant if you don’t have access to PHI. However, as discussed above in my answer to the first question, make sure you are not accessing PHI unintentionally.  There are many reasons companies should be looking to invest in operating an effective security program to ensure other data is protected e.g. PII (Personally Identifiable Information).

How responsible am I for my vendors compliance under HIPAA?

OCR has stopped short at holding organizations directly responsible for a vendor’s breach of PHI, so long as the organization has taken reasonable steps to ensure their vendor has executed a BAA in line with HIPAA.  However, while there may not be any regulatory impact on you for your vendors behavior, clearly there is likely to be a significant impact to your company’s reputation following a breach, so there remains a strong business imperative to ensure your vendors are acting responsibly and to verify they have an appropriate security program in place. 

Grant Elliott photoGrant Elliott is the CEO and co-founder of Ostendio. The Ostendio MyVCM platform is an industry leading, collaborative Integrated Risk Management SaaS platform. Ostendio works with hundreds of companies and thousands of users to build security programs that are audit ready for complex audits such as SOC 2, HITRUST, FedRAMP and HIPAA.  He is a thought-leader in enterprise cybersecurity and speaks regularly about how organizations can implement effective cybersecurity and Risk Management programs.  Elliott is the former COO and CISO of Voxiva (acquired by WellTok), an integrated messaging and patient engagement platform and former business executive at AT&T. He has over 15 years of experience developing and managing cybersecurity programs and supporting regulatory audits.  Elliott is also an Adjunct Professor at the Pratt Institute, New York, where he teaches management theory and leadership.

Be sure to view a recording of this webinar on YouTube. Take a look at our book: HIPAA Privacy and Security, and our online compliance training courses such as What is HIPAA?, and HIPAA Business Associate Agreements Under HITECH. And check out Grant’s other recordings and blogs with us Q&A:  Basics of GDPR Compliance in the Healthcare Setting, Concerned about GDPR compliance?, and audio versions of his webinars found here.

Tags: BAA, business associate, covered entity, healthcare compliance, HHS, HIPAA, OCR, PHI, PII
Share this
  • Share on Facebook
  • Share on X
  • Share on LinkedIn
  • Share on Reddit
  • Share by Mail
https://1sthcc.com/wp-content/uploads/2021/01/hipaa-review-ft.jpg 758 1200 Catherine Short https://1sthcc.com/wp-content/uploads/2022/10/1sthcc-logo-1024x378.jpg Catherine Short2021-01-20 08:57:542025-04-15 12:43:33Q&A: HIPAA: A Timely Overview & Update
You might also like
pop quiz Healthcare Compliance Pop Quiz: Test Your Knowledge
New Stark Law and AKS Final Rules -Valuation Considerations
HIPAA Privacy and Security Summit 2020 “The Night Before Christmas”
HIPAA Privacy and Security Summit 2020 Are Your Patients Involved In Medical Record Accuracy?
HIPAA Privacy and Security Summit 2020 Widener University Delaware Law School and First Healthcare Compliance Announce Speakers for Virtual HIPAA Privacy and Security Summit on November 12, 2020
HIPAA Privacy and Security Summit 2020 ICD-10 Implementation FAQs

Subscribe to Weekly eNewsletter

Get the latest healthcare compliance updates straight to your inbox.

Subscribe to Newsletter

Recent Posts

  • Navigating the HIPAA Security Landscape: A Comprehensive Guide to Security Risk Assessments
  • OSHA Recordkeeping in Healthcare: Answers to Frequently Asked Questions
  • Naughty or Nice? The Rules of Giving and Receiving in Healthcare
  • fraud waste abuse healthcare compliance
    FWA in Healthcare: How to Respond Appropriately to Detected Offenses
  • Infographic: 6 Areas of Potential Liability for Healthcare Providers
    6 Areas of Potential Liability for Healthcare Providers
  • 5 Benefits of Automating Incident Reporting in Healthcare

 

First Healthcare Compliance is a division of Panacea Healthcare Solutions. Learn more

Subscribe

Get the latest healthcare compliance updates straight to your inbox.

Subscribe to Newsletter

Connect

Get started: Request Demo

Call: 1-888-54-FIRST

E-mail: Contact us

  • Link to Instagram
  • Link to Youtube
  • Link to Facebook
  • Link to LinkedIn
  • Link to X
© Copyright 2026 Panacea Healthcare Solutions, LLC | Disclaimer | Privacy Policy and Copyright Notice
Scroll to top Scroll to top Scroll to top

We and our third-party partners use cookies to improve and personalize your experience on the site and with our services in addition to delivering and reporting on ads. Please visit our Privacy Statement for more information. By continuing to browse the site, you are agreeing to our use of cookies. Read Privacy Statement.

OKDismiss

Cookie and Privacy Settings



How we use cookies

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.

Essential Website Cookies

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.

We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.

We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.

Other external services

We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Google Map Settings:

Google reCaptcha Settings:

Vimeo and Youtube video embeds:

Privacy Policy

You can read about our cookies and privacy settings in detail on our Privacy Policy Page.

Privacy Policy and Copyright Notice
Accept settingsHide notification only