Business Associates and HIPAA – The Basics

In the Business Associate Category, we will be discussing issues that surface as organizations develop business relationships with outside agents and vendors. Let’s start with some basics first:

The HIPAA Privacy Rule applies only to covered entities (health plans, healthcare clearinghouses, and certain healthcare organizations). However, most healthcare organizations and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses (Business Associates).

The Privacy Rule allows covered entities and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

Aside from the obvious users of identifiable health information (hospitals, clinics, nursing homes, etc.), other parties that also come into contact with identifiable health information (agents and vendors) may be referred to as Business Associates. For Business Associates, HIPAA requires hospitals, clinics, insurance companies and others that use agents and vendors to put a Business Associate Agreement in place. The regulation states:

PART 164—SECURITY AND PRIVACY
(Business associate contracts or other arrangements)

§ 164.314 Organizational requirements.
(a)(1) Standard: Business associate contracts or other arrangements.

(2) Implementation specifications (Required).

(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will—

(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;

(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;

(C) Report to the covered entity any security incident of which it becomes aware;

(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract…

For the complete regulation, see: http://www.hhs.gov/ocr/AdminSimpRegText.pdf

Watch for future posts on developing issues regarding Business Associates and the clients they serve.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please use the Contact Us page.