According to current HIPAA regulations, the definition of a "business associate" is any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI. [45 CFR § 160.103.]
Examples of functions or activities that involve the use of disclosed PHI given in the HIPAA regulations include:
[45 CFR § 160.103.] In addition, HIPAA regulations specifically identify the following services which, if they involve PHI and if they are performed by a non-workforce member, will make that person or entity a business associate:
HIPAA Privacy and Security rules require covered entities to enter into special agreements with business associates that come into contact with protected health information (PHI). These rules require business associates to agree to treat PHI similarly to the way a covered entity must treat it. HIPAA requires "satisfactory assurances" from a business associate that the business associate will appropriately safeguard PHI. Those assurances take the form of required contract language. Covered entities may not disclose protected health information to their business associates (or allow business associates to create or receive protected health information on their behalf) unless the required contract language is in place. [45 CFR § 164.504(e)(1).]
HIPAA requires business associate contracts to contain specific terms. Those terms are listed below. The required provisions are:
Regarding the treatment of protected health information, Business Associates shall use all appropriate safeguards to prevent use or disclosure of Protected Health Information received from, or created or received on behalf of, the Covered Entity other than as provided for in the Business Associate Agreement or as required by law.