ABSTRACT
HIPAA is designed to protect the communication and handling of PHI between CEs and their BAs. As stated in the Security Rule, the overall responsibility of a BA originally was
The Department of Health and Human Services (HHS) succinctly summarized the expanded responsibilities of BAs within the 2013 Omnibus Rules¹ by emphasizing that
• BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule and are directly liable for violations.