Business Associates in the Cross-Hairs: the Unpredictable Breach.

Your organization has taken every precautionary and necessary step available as a Covered Entity (CE) under HIPAA to remain proactively risk averse, with regards to your clients’ PHI and ePHI. But what about that IT vendor you hired to set up a new email system? Or the Clinical QA/QC hired to review patient file history?

Under HIPAA, it is generally required for CEs to sign contracts with their Business Associates (BAs) to ensure that the BA in question will appropriately safeguard whatever protected health information they can access.

A professional headshot of Jan Elezian, SunHawk Consulting

On October 19, 2018 at the HCCA Denver Regional, Jan Elezian (MS, RHIA, CHC, CHPS), Director & HIPAA Practice Leader at SunHawk Consulting, presented on the parameters and limitations of BA contracts under HIPAA, addressed breach notification best practices, and also suggested protocols for risk analysis that provide valuable insights into how best CEs can manage and maintain healthy contractual relationships with existing and potential BAs.

Jan has extensive experience in the Healthcare Health Information Management (HIM)/Compliance/HIPAA/Meaningful Use and Revenue Cycle areas. During her 40 years in the Healthcare industry Jan has provided Healthcare Regulatory, Compliance and Investigative services, serving in various administrative roles at integrated health systems and other healthcare providers.

Most recently, Jan served as Associate Vice-President and Corporate Compliance Officer of an integrated health system. Responsibilities included Compliance activities in a research institute, inpatient and outpatient therapy departments, home health, cancer center, residency program, multiple ambulatory surgery centers, and physician practices. Duties included Board presentations, revenue integrity audits, compliance and privacy investigations, annual regulatory reviews, and development/management of the annual compliance plan.

Jan has experience in various HIPAA Privacy and Security and Meaningful Use assessments which included workflow reviews, data flow reviews, strategy formation, and governance decision and guidelines. Jan has performed or overseen over 200 privacy investigations and was involved in the development of an integrated HIPAA Security breach response plan.

Jan can be reached at