The new HIPAA rules have expanded the definition of a business associate, greatly increasing the number of vendors that hospitals must have agreements with. Business associate data breaches can be expensive and damaging to a hospital's reputation. Hospitals often underestimate the number of business associates they have, leaving many unidentified and unmanaged, increasing risk. Effective board oversight requires understanding compliance challenges and risks, and ensuring hospitals have policies and agreements in place with all identified business associates.