Do business associates need to comply with HIPAA?

Why HIPAA compliance matters to small businesses
HIPAA, an acronym for the Health Insurance Portability and Accountability Act, is a set of laws that require businesses with access to patient health data to take extra precautions to ensure the security of those records.
HIPAA can require businesses to:
- Use encryption while transferring data
- Go to extra lengths to secure their network
- Strictly limit access to data
- Take extra measures to protect hard drives, laptops, and mobile devices from being stolen
While HIPAA requirements directly protect individual health information, the privacy rules don’t just apply to medical providers and hospitals. Many small businesses and consultants also fall under the “business associate” umbrella.
If your business isn’t compliant with HIPAA regulations, you could face consequences like expensive fines, criminal charges, and reputational harm. However, certain types of small business insurance can protect independent contractors and subcontractors against these risks.
Who counts as a covered entity vs. a business associate?
A covered entity refers to an organization that’s required to comply with HIPAA privacy rules. This includes businesses like:
- Health plans, such as health insurance companies and insurers that sell Medicare and Medicaid plans.
- Healthcare clearinghouses that process non-standard health information into standardized formats.
- Healthcare providers, including doctors, hospitals, medical offices, and pharmacies.
A business associate, on the other hand, is an individual or entity that performs services using PHI on behalf of a HIPAA-covered entity. Business associates are often independent contractors or consultants – employees of the covered entity aren’t considered business associates.
Here are some of the main differences between covered entities and business associates under HIPAA:
- Relationship with patients: Covered entities interact with patients directly, while business associates usually don’t.
- HIPAA compliance responsibility: Covered entities are directly responsible for HIPAA compliance. Business associates aren’t responsible for compliance overall, but they must comply with specific provisions.
- Business Associate Agreements (BAAs): Covered entities that work with business associates must have written BAAs that outline responsibilities for safeguarding PHI.
What is PHI?
Protected Health Information (PHI) refers to any individually identifiable health information created, used, disclosed, or maintained by a healthcare provider or other covered entity under HIPAA. PHI is usually context-dependent based on its use and the potential for identifying someone.
Some of the most common examples of PHI are:
- Demographic information, such as name, date of birth, phone number, email address, and Social Security number
- Geographic data, like home address and ZIP code
- Medical history, including diagnoses, treatments, medications, test results, and medical records
- Insurance information, like the person’s health insurance plan and policy numbers
- Financial information, such as bank account numbers and credit card numbers
- Biometric data, such as fingerprints and facial photographs
- Device identifiers, like serial numbers for medical devices

What is a business associate under HIPAA?
According to the U.S. Department of Health and Human Services (HHS), a business associate is defined as: “A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
Some examples of business associates under HIPAA are:
- IT service providers that have access to medical records
- Billing service providers that process payments from patients
- Legal offices or accounting firms that handle patient data
You might be wondering whether HIPAA applies to consultants. The answer is yes. Business consultants are typically considered business associates under HIPAA because they’re working for a covered entity.
For example, if you get hired by a hospital to do a utilization review, you’ll get access to the hospital's data, files (physical and digital), and network. In this case, you’d have to sign a BAA requiring that you know and follow HIPAA guidelines.
It’s important to note that being a business associate can be unintentional. If you get hired by a covered entity and you’re required to use PHI, or you have access to patient data, you’ll most likely have to comply with HIPAA.
HIPAA compliance requirements for business associates
Independent contractors who work with covered entities must meet certain obligations to comply with HIPAA’s privacy laws. Here are the main HIPAA business associate requirements:
- Sign a BAA with the covered entity: When you get hired by a covered entity, the organization will require you to sign a Business Associate Agreement (BAA), which is a legal contract that outlines your responsibilities when using PHI. BAAs are required for all HIPAA-covered entities.
- Implement safeguards to protect PHI: As a business associate, you’re required to implement administrative, physical, and technical safeguards and risk management strategies to protect the sensitive data you’re handling. This might include using multi-factor authentication on your devices and shredding paper records that contain patient information.
- Report breaches of unsecured PHI: Contractors and consultants must self-report breaches of unsecured PHI to the covered entity within 60 days of discovering a data breach. The covered entity is typically responsible for notifying individuals of the breach, but this duty can also be passed on to the business associate.
- Emphasize training, data security protocols, and breach response plans: Business associates must adhere to their data security protocols and should create a response and recovery plan to follow if PHI is compromised. The business owner is also responsible for training their workforce on how to appropriately access and handle sensitive information.

What happens if a business associate violates HIPAA?
HIPAA business associate compliance is required for any individual or entity that handles PHI. If you violate HIPAA privacy rules, you can face serious financial and/or legal consequences.
Civil penalties for violations: The HHS Office for Civil Rights (OCR) can impose civil money penalties that range from $100 to $50,000 per violation, depending on its severity and on what the business associate knew about it. Civil penalties are assigned based on a tiered system of negligence: the fine for an unknowing violation is lower than the fine for willful neglect.
Criminal penalties for violations: If you knowingly misuse PHI, you can receive a maximum fine of $50,000 and face imprisonment for up to one year. The penalties increase to $100,000 and up to five years imprisonment for violations committed under false pretenses. Fines can reach $250,000 and 10 years' imprisonment for violations intended for commercial advantage, personal gain, or malicious harm.
Over the last several years, numerous covered entities have been penalized for violating HIPAA’s privacy regulations.
In 2025, Warby Parker was ordered to pay a penalty of $1.5 million after the OCR investigated multiple data breaches involving unauthorized access to PHI from nearly 200,000 people. The OCR also determined the company hadn’t conducted a HIPAA-compliant risk analysis and wasn’t regularly reviewing activity logs in systems that stored electronic PHI (ePHI).
In 2024, Children’s Hospital Colorado Health System was fined $548,265 after a phishing attack exposed the ePHI for 10,840 patients. In addition to the breach, the OCR investigation found the hospital didn’t provide HIPAA training to more than 6,600 staff members, including 3,495 nursing students.
These are examples of large covered entities that have been penalized for violating HIPAA, but even small consultants can face financial consequences for non-compliance.
Imagine you run an accounting firm that processes payments for a local hospital. Someone breaks into your office after hours and steals your computer, which contains payment information for patients. Even worse, you forgot to log out before you went home. Now, the burglar has easy access to the data, and you could get fined for violating the HIPAA security rule.
To be a HIPAA-compliant consultant, not only will you need to make sure you’re adhering to the proper security protocols for data transfer, storage, emails, and data entry, but you'll need to avoid simple mistakes like this, which could lead to million-dollar fines.
Does my business need to worry about HIPAA?
Now that you understand the HIPAA rules that apply to business associates, you might be wondering if your business needs to worry about these requirements. To figure it out, ask yourself these questions:
- Do you handle, store, or transmit any patient health data on behalf of a healthcare organization or provider?
- Do you create, receive, or access PHI in any way?
If you answered ‘yes’ to either question, your business most likely has to comply with HIPAA’s privacy laws. This applies to small businesses of every size, including freelancers.
Another way to determine if your business has to comply with HIPAA is to look at the types of clients you work with. In general, working with any professional or business in the healthcare industry will bring HIPAA liability. That includes doctors, nurses, physician assistants, and healthcare facilities, like hospitals, dental offices, and nursing homes.
Do business associates need to conduct HIPAA training?

How can insurance help protect business associates?
Most small businesses can benefit from having business insurance, especially if you’re required to comply with HIPAA.
Cyber insurance covers costs associated with a data breach, ransomware attack, PHI exposure, or HIPAA breach. There are two types of cyber liability coverage: first-party coverage, which pays for things like customer notification and ransomware payments, and third-party coverage, which pays for legal fees and regulatory fines.
Some cyber liability policies can be tailored for healthcare businesses and often include specific HIPAA breach coverage.
Professional liability insurance for consultants and independent contractors covers expenses related to HIPAA violations that arise from negligence, work errors, breach of contract, or unsatisfactory work. If a client sues your business, professional liability insurance can help pay for your legal defense costs, settlements, and judgments.
Some professional liability insurance policies include HIPAA-related coverage or offer endorsements for HIPAA proceedings, which can potentially pay fines.
Technology errors and omissions (E&O) insurance is beneficial for IT service providers. This policy covers work oversights and mistakes, negligence, and third-party cyber liability for data breach lawsuits. Tech E&O insurance combines cyber insurance with professional liability insurance for less than it would cost to buy the policies separately.
Directors and officers (D&O) insurance is important for covered entities and business associates who handle PHI. D&O insurance primarily covers board members and executives if they get sued for a decision they make that causes the business financial loss. However, it may also include coverage for HIPAA violations.
Although insurance can protect your business against various liabilities and certain HIPAA penalties, there can be exclusions. For example, some policies may not cover HIPAA breaches if the organization isn’t compliant, which is why it’s important to create and maintain a comprehensive HIPAA compliance program.
Before you purchase insurance, it’s a good idea to speak with a knowledgeable insurance agent about your business's unique needs and risk exposure. An agent can help you find a policy that provides adequate protection for HIPAA-related risks, as some policies have limitations on this coverage.
Get the right coverage with Insureon
If your business is required to comply with HIPAA, having the right types of insurance can provide valuable financial and legal protection in case something goes wrong. Remember, even the smallest businesses can face significant fines for violating HIPAA.
Complete Insureon’s easy online application today to get quotes for business insurance from top-rated U.S. insurance providers. Our team of licensed insurance agents can help you find the best policies for your situation and get the most affordable coverage.
Once you find the right policy for your small business, you can begin coverage in less than 24 hours and get a certificate of insurance (COI).
Elizabeth Rivelli, Contributing Writer
Elizabeth is a freelance writer with extensive experience covering commercial insurance and personal insurance lines. Her work has been featured in dozens of online finance publications, including Forbes, Bankrate, and Investopedia. Elizabeth also writes for several insurance carriers.