Certified HIPAA Security Business

Business Associates are defined in HIPAA 45 CFR §160.103 as persons or entities that perform functions on behalf of a covered entity that involve the use of or access to Personal Health Information (PHI). Covered Entities may be classified as Business Associates of other Covered Entities depending on the tasks they perform. Also, as modified under the Omnibus Rule, a Business Associate may be a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.


  • A Business Associate may be a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” (45 C.F.R. § 160.103). 
  • The Omnibus Rule categorizes maintenance of PHI as a function of a Business Associate even if such subcontractor never views the PHI.

The HIPAA Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it creates, receives, maintains or transmits on behalf of the covered entity. In other words, Covered Entities, and Business Associates when dealing with Subcontractors, should take the appropriate steps to ensure their Business Associates and their subcontractors are in compliance with HIPAA or risk penalties of $50,000 per day per violation in addition to civil actions and the cost of mitigation.

We recognize the overwhelming amount of resources required to monitor the compliance requirements of Business Associates and their Subcontractors. We have also seen settlements that exceed the $5 million mark where the lack of a “proper” Business Associate Agreement was cited. As a result, we have created our own Certified HIPAA Security Business program, in which we examine the actions of a Business Associate and, based on the collected data, determine whether they meet the basic requirements of HIPAA Security.

Our approach as we conduct the accreditation process is quite simple; we look at all data as auditors but provide tools and resources before and after to assist interested organizations in obtaining their accreditation and keeping up with the standards.

Who should apply for accreditation?

Any Subcontractor of a Business Associate or Covered Entity looking to provide assurances to their Clients. Accreditation requirements may vary in scope based on size, number of Subcontractors and services offered. As a rule, we recommend that anyone dealing with Healthcare Providers or Organizations go through the process or contact one of our specialists to see if accreditation is for you.

What are the costs?

Costs for accreditation vary depending on the type of services you provide, the number of subcontractors and the number of locations where you provide them. Accreditation is valid for a period of three years.

  • Application Fee: $900
  • Accreditation Fee: $3,600*

*Hospitals, Government Organizations and Businesses with more than 100 employees: call for a quote

  • Site Visit Daily Rate: $1,500
  • Multiple Locations: $1,500 per additional site
  • Subcontractor Review: $1,000 or $300 per subcontractor (whichever is more)

Note: Pricing provided is just an estimate and may change once the application is reviewed.

What does accreditation entail?

The first step is a review of the application to ensure the proper guidance is provided as well as the resources needed to complete the accreditation process.

Once the application is reviewed we will send a contract with the final price and terms. Application dues are payable once the agreement is signed.

Upon receipt of a signed agreement and payment we will assign a specialist to guide you through the process. We will also request information to initiate a desk review prior to our visit.

Normally you will be given 30 days to provide the requested information.

After the desk review is completed we will schedule an onsite visit.

After the onsite visit, we will assign one of our senior specialists to review and assess your compliance status. Based on these findings you will receive one of these notices:

CONGRATULATIONS! Your results are satisfactory and your accreditation status has been approved for a period of ___ years.

Deficiencies have been noted and identified. Please provide a corrective action plan within 30 days.

Note: if deficiencies are noted and a corrective action plan is needed, this may result in either a shorter accreditation period or a follow-up visit with the corresponding charges.

How do I apply for accreditation?

To apply for accreditation, simply contact us via e-mail. Provide the contact name, e-mail and telephone number and we will get back to you.

Where do I go for help?

If you need support or have additional questions, simply contact us via e-mail and one of our associates will contact you within 24 hours.

Benefits of accreditation

We consider HIPAA Security compliance a cost of doing business and recommend that every Covered Entity and Business Associate take advantage of the tools we provide as part of the HIPAA Security Certification process. In addition to that guidance, certified businesses also benefit from:

  • Objective assessment of compliance efforts;
  • Guidance and resources to facilitate efforts;
  • Badge demonstrating your commitment to compliance;
  • Company name and accreditation status available in our database and website;
  • Access to standards and recommended evidence;
  • Online media kit to help you market your achievements;
  • Access to guidance as it is developed.


The Department of Health and Human Services (HHS) does not endorse or otherwise recognize HIPAA Security Certifications.

Obtaining a Certification does not absolve Covered Entities of their legal obligations under the Security Rule.

Changes in software, business model, additional facilities or activities such as new services may invalidate certification if not handled in accordance with guidelines.