HIPAA Business Associate: Definition

According to current HIPAA regulations, the definition of a "business associate" is any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI. [45 CFR § 160.103.] Download this easy flow chart to determine if you or your organization is a Business Associate.


Examples of a Business Associate

Examples of functions or activities that involve the use or disclosure of PHI given in the HIPAA regulations include:

  • Claims Processing
  • Benefit Management
  • Data Analysis
  • Practice Management
  • Utilization Review
  • Re-Pricing
  • Quality Assurance
  • Billing
[45 CFR § 160.103.] In addition, HIPAA regulations specifically identify the following services which, if they involve PHI and if they are performed by a non-workforce member, will make that person or entity a business associate:

  • Legal
  • Actuarial
  • Accounting
  • Consulting
  • Data Aggregation
  • Management
  • Administrative
  • Financial
  • Accreditation

HIPAA Business Associate Agreements 101

HIPAA Privacy and Security rules require covered entities to enter into special agreements with business associates that come into contact with protected health information (PHI). These rules require business associates to agree to treat PHI similarly to the way a covered entity must treat it. HIPAA requires "satisfactory assurances" from a business associate that the business associate will appropriately safeguard PHI. Those assurances take the form of required contract language. Covered entities may not disclose protected health information to their business associates (or allow business associates to create or receive protected health information on their behalf) unless the required contract language is in place. [45 CFR § 164.504(e)(1).] Click here to download a sample agreement.


HIPAA requires business associate contracts to contain specific terms. The required provisions are:

  1. A statement of permitted and required uses and disclosures. [45 CFR § 164.504(e)(2)(i).]
  2. A limitation on the business associate using or disclosing protected health information other than as stated in the contract or as required by law. [45 CFR § 164.504(e)(2)(ii)(A).]
  3. A statement that the business associate will use appropriate safeguards to prevent the inappropriate use or disclosure of protected health information. [45 CFR § 164.504(e)(2)(ii)(B).]
  4. A statement that the business associate will report uses or disclosures of protected health information that violate the business associate agreement. [45 CFR § 164.504(e)(2)(ii)(C).]
  5. A statement ensuring that the business associate’s agents and subcontractors agree to the same restrictions and conditions that apply to the business associate. [45 CFR § 164.504(e)(2)(ii)(D).]
  6. A statement that the business associate will make protected health information available as required by the Privacy Rules’ “right to access” provision. [45 CFR § 164.504(e)(2)(ii)(E).]
  7. A statement that the business associate will make protected health information available for amendment and will incorporate amendments as required by the Privacy Rules’ “right to request an amendment” provision. [45 CFR § 164.504(e)(2)(ii)(F).]
  8. A statement that the business associate will provide an accounting of uses and disclosures as required by the Privacy Rules’ “right to an accounting” provision. [45 CFR § 164.504(e)(2)(ii)(G).]
  9. A statement that the business associate will let HHS audit it to determine compliance with the business associate agreement provisions. [45 CFR § 164.504(e)(2)(ii)(H).]
  10. A statement that the business associate will return or destroy all protected health information at the termination of the contract (or, if that is not feasible, continue to protect the information while maintaining the protected health information). [45 CFR § 164.504(e)(2)(ii)(I).]
  11. A statement authorizing the group health plan to terminate the contract upon a determination that the business associate breached the contract. [45 CFR § 164.504(e)(2)(iii).]

Appropriate PHI Safeguards: Training, Policies, Procedures

Regarding the treatment of protected health information, Business Associates shall use all appropriate safeguards to prevent use or disclosure of Protected Health Information received from, or created or received on behalf of, the Covered Entity other than as provided for in the Business Associate Agreement or as required by law.

These safeguards will include, but not be limited to:

  1. Training:
    • Providing annual training to relevant employees, contractors and subcontractors on how to prevent the improper use or disclosure of Protected Health Information;
    • Updating and repeating training on a regular basis.
  2. Administrative Safeguards:
    • Adopting policies and procedures regarding the safeguarding of Protected Health Information;
    • Enforcing those policies and procedures, including sanctions for anyone found not in compliance.
  3. Technical and Physical Safeguards:
    • Implementing appropriate technical safeguards to protect Protected Health Information, including access controls, authentication and transmission security; and
    • Implementing appropriate physical safeguards to protect Protected Health Information, including workstation security and device and media controls.