
Why business associates can be a weak link in email security


HIPAA compliance does not stop at the healthcare provider's firewall. Every vendor that processes, stores, or transmits protected health information (PHI) on behalf of a covered entity becomes an extension of that organization's compliance obligations, yet vendor security remains one of the most poorly managed dimensions of healthcare email security. The 2025 Paubox Healthcare Email Security Report found that 16% of email-related breaches involved business associates.

Business associates (billing services, email providers, cloud platforms, EHR add-ons, managed service providers) handle PHI at every stage of the healthcare workflow. When their security fails, the covered entity may still be held liable.


Understanding business associates

HIPAA defines a business associate as any person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity. As HHS guidance specifies, business associate functions include "claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing." The definition extends to subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate.

In practice, the business associate category encompasses a broad range of vendors:

  • email hosting providers
  • billing companies
  • cloud storage services
  • telehealth platforms
  • medical transcription services
  • IT managed service providers

RTI International's HIPAA compliance policy illustrates this reach, noting that "any third party vendors (e.g., subcontractors, consultants or other vendors) who work on such projects and have access to Protected Health Information (PHI) must also comply with HIPAA and HITECH regulations."

The legal mechanism for managing this relationship is the Business Associate Agreement. HIPAA requires that covered entities obtain "satisfactory assurances" from business associates that they will appropriately safeguard PHI. The BAA must describe permitted uses of PHI, prohibit unauthorized disclosure, and require appropriate safeguards. Yet as the OCR stated at the 2024 NIST HHS OCR Conference, investigations of large data breaches identified "both numerous covered entities without business associate agreements with their vendors and overall poor vendor management." The contract exists as a compliance requirement, but without enforcement and monitoring, it functions as symbolic protection.


Why business associates create security gaps

The risks business associates introduce to healthcare email security operate at multiple levels: technical, organizational, and structural.

At the technical level, certificate hygiene failures are a persistent vulnerability. The 2025 Paubox certificate analysis of 803,378 unique outbound email relays found that roughly 4% of connections went to servers with unverifiable certificates, including expired and self-signed ones. When a business associate's mail server presents an invalid certificate, cloud platforms such as Microsoft 365 deliver the message anyway rather than blocking it. The covered entity has no visibility into the failure yet retains HIPAA liability for the transmission. As Bodipudi's research on healthcare email encryption documents, "While TLS is effective in preventing interception during transmission, it does not encrypt the email content at rest, meaning it can still be accessed by email service providers." When this limitation combines with permissive certificate handling, the business associate's infrastructure becomes a compliance liability the covered entity cannot see.

At the organizational level, shared liability creates asymmetric risk. HIPAA holds covered entities responsible for ensuring their business associates safeguard PHI, but providers often lack the tools to verify that protection. Clarke and Martin's research on healthcare cybersecurity identifies a core problem: healthcare systems are seen as inherently less secure and therefore a softer target for attack. When the business associate's security posture is weaker than the covered entity's, the entire relationship operates at the level of the weakest participant.

At the structural level, vendor ecosystems multiply exposure. The MedTechNews research report on vendor risk management describes how "a vulnerability or a breach within a seemingly minor vendor can cascade throughout the entire healthcare ecosystem." Healthcare organizations rarely audit the certificate infrastructure or security controls of downstream subcontractors. Schneller and Abdulsalam's research confirms that supply chains receive minimal attention in healthcare management literature despite being the second-largest expense category after labor. Email infrastructure, where business associates handle PHI daily, operates within this same blind spot.



Compliance risks in healthcare email

When a business associate's email security fails, the compliance consequences fall on both parties but disproportionately affect the covered entity.

HIPAA's Security Rule requires technical safeguards to protect ePHI during transmission. When a business associate transmits PHI over an unverifiable connection (through an expired certificate, a misconfigured server, or a TLS downgrade), the transmission violates this standard regardless of who caused the failure. The Paubox certificate report found that "HIPAA doesn't spell out 'no self-signed certs,' but the Security Rule requires organizations to verify the integrity of the connection." A business associate using a self-signed certificate on its mail server cannot provide that verification, and the covered entity cannot prove the transmission was secure.

Under HITECH, business associates must notify covered entities of breaches, and covered entities must notify affected individuals and HHS. However, as the BakerHostetler conference report documents, OCR found that "most of its recent investigations of large data breaches revealed that the covered entity or business associate did not have a compliant risk analysis." Without a compliant risk analysis, organizations cannot demonstrate they understood their risks before a breach occurred, which worsens the regulatory position.

The MedTechNews vendor risk management report notes that breach costs extend well beyond fines to include "remediation costs, notification costs, legal fees and litigation, increased insurance premiums," and reputational damage.

Clarke and Martin observe that "healthcare data is reliable and accurate" and "tends to contain multiple permanent patient identifiers that cannot be reset." When a business associate's failure exposes this data, patients cannot change their medical histories the way they can change a password. The damage is permanent, and the trust is difficult to rebuild.


Mitigating risk through secure practices

Closing the business associate gap requires moving from symbolic compliance to verified security.


Vetting vendors before engagement

OCR has made risk analyses a major enforcement priority, and this scrutiny extends to vendor relationships. The BakerHostetler report notes that OCR "will not be providing examples of compliant risk analyses," meaning organizations must develop assessment processes independently. Before signing a BAA, covered entities should evaluate the vendor's encryption standards, access controls, incident response capabilities, and certificate management practices. The MedTechNews research recommends requiring "proof of certifications such as ISO 27001, SOC 2 Type II reports, and HITRUST CSF certifications" as independent assurance of a vendor's control environment.


Certificate verification and encryption enforcement

Most healthcare providers assume their email is secure because TLS is enabled. TLS only delivers the protection it promises when the receiving server's certificate can be verified; an unverifiable certificate means the identity of the other end, and therefore the safety of the channel, is unknown. Paubox Email Suite addresses this gap by verifying encryption certificates before transmitting PHI. When a recipient's server presents an expired, self-signed, or otherwise invalid certificate, Paubox blocks the standard delivery path and automatically sends the message as a secure Paubox message instead. This eliminates the silent failure mode that allows PHI to reach business associates through unverifiable connections.
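To make the check concrete, here is an added example (not Paubox's code; the relay host, issuer names and dates are constructed) that encodes the decision rules from the certificate-analysis passage above and from this section: a presented certificate is classified as expired, self-signed or hostname-mismatched, and anything flagged is routed to a secure-portal path instead of ordinary SMTP. `classify_cert`, `choose_delivery` and `probe_relay` are assumed names; `probe_relay` is the live STARTTLS check with CA and hostname verification, and the sample certificates mirror the dict shape that Python's `getpeercert()` returns.

```python
import smtplib
import ssl
import time

# Constructed sample data: the relay host, issuer names and dates are
# invented; the dict shape matches ssl.SSLSocket.getpeercert().
RELAY_HOST = "mail.billing-vendor.example"
REFERENCE_TIME = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")

def _sample_cert(issuer_cn, not_after):
    """Build a getpeercert()-style dict for the constructed relay."""
    return {
        "subject": ((("commonName", RELAY_HOST),),),
        "issuer": ((("commonName", issuer_cn),),),
        "notAfter": not_after,
        "subjectAltName": (("DNS", RELAY_HOST),),
    }

SAMPLE_CERTS = {
    "valid": _sample_cert("Example Public CA", "Jan  1 00:00:00 2099 GMT"),
    "expired": _sample_cert("Example Public CA", "Jan  1 00:00:00 2020 GMT"),
    "self_signed": _sample_cert(RELAY_HOST, "Jan  1 00:00:00 2099 GMT"),
}

def classify_cert(cert, hostname, now=None):
    """Return the problems a PHI gateway should treat as blocking."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if cert["subject"] == cert["issuer"]:  # the usual self-signed signature
        problems.append("self-signed")
    dns_names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if hostname not in dns_names:
        problems.append("hostname-mismatch")
    return problems

def choose_delivery(problems):
    """Clean cert: ordinary TLS SMTP. Any problem: divert to a secure portal."""
    return "standard-smtp" if not problems else "secure-portal"

def probe_relay(hostname, port=25, timeout=10):
    """Live check: STARTTLS with CA and hostname verification -> (cert, error)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    try:
        with smtplib.SMTP(hostname, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert(), None
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return None, exc
```

With the default context, `probe_relay` never hands back an unverifiable certificate; it returns the verification error instead, which is exactly the signal a gateway uses to divert the message rather than deliver it silently.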


Continuous monitoring over point-in-time audits

The MedTechNews report emphasizes that "vendor risk management is not a one-time event but a continuous process." Security ratings, automated vulnerability scanning, and real-time certificate monitoring provide ongoing visibility. Organizations that only assess vendors at contract signing or annual reviews miss certificate expirations, configuration changes, and emerging vulnerabilities.


Contractual controls with enforcement

BAAs should mandate breach notification within 24–48 hours, grant audit rights, require flow-down clauses for subcontractors, and specify indemnification for breaches caused by vendor negligence. HHS guidance requires that BAAs "describe the permitted and required uses of protected health information" and "require the business associate to use appropriate safeguards." Where a covered entity knows of a material breach by the business associate, HHS requires "reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract."



What the future looks like

The BakerHostetler conference report confirmed that OCR announced a Notice of Proposed Rulemaking for the HIPAA Security Rule, with one goal being "to provide a baseline of safeguards informed by changes in the healthcare cybersecurity landscape and OCR's extensive experience investigating data breaches." Business associate management is likely to feature prominently in any updated requirements.

The MedTechNews vendor risk management report identifies blockchain-based frameworks that create "immutable and verifiable audit trails" for vendor assessments and compliance certifications. AI and machine learning can deliver "predictive risk analysis" by identifying patterns in breach data and vendor security ratings before incidents occur. Automated VRM platforms centralize vendor information, streamline assessment workflows, and integrate with security rating services for continuous monitoring.

Clarke and Martin's research argues that effective cybersecurity requires "collaboration between information technology, clinical, and administrative leaders." Vendor oversight is no longer solely an IT function. It demands executive visibility, clinical input on workflow impacts, and administrative enforcement of contractual obligations. Healthcare organizations that treat business associate management as a major compliance function rather than a procurement checkbox will be positioned to withstand the growing sophistication of supply chain attacks.

The question is no longer whether business associates create risk. It is whether healthcare organizations are willing to manage that risk with the same rigor they apply to their own systems.



FAQs

What is a covered entity?

A covered entity is a health care provider that transmits health information electronically in connection with a covered transaction, a health plan such as a health maintenance organization or private health insurer, or a health care clearinghouse that processes nonstandard health information into a standard format. Covered entities are directly subject to HIPAA's Privacy and Security Rules and bear primary responsibility for protecting PHI.


Who qualifies as a business associate under HIPAA?

Any person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity. This includes billing services, email providers, cloud storage vendors, IT managed service providers, legal and accounting firms with PHI access, and subcontractors of business associates.


What is a subcontractor under HIPAA?

A subcontractor is a person or entity that creates, receives, maintains, or transmits PHI on behalf of a business associate. Under the Omnibus Rule, business associates must enter into BAAs with their subcontractors, extending HIPAA's security and privacy obligations down the supply chain. A breach at the subcontractor level creates liability for both the business associate and the covered entity.
