Business associate

Business Associate

A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information (PHI). Business associates are crucial in the healthcare industry, particularly in the context of the Health Insurance Portability and Accountability Act (HIPAA) regulations.

Definition and Role[edit | edit source]

Under HIPAA, a business associate is defined as a person or organization, other than a member of a covered entity's workforce, that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. These functions or activities include claims processing, data analysis, utilization review, and billing.

Business associates can also include subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate. The HIPAA Privacy Rule allows covered entities to disclose PHI to business associates if the covered entities obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule.

Business Associate Agreement[edit | edit source]

A business associate agreement (BAA) is a contract between a HIPAA-covered entity and a business associate. The BAA protects PHI in accordance with HIPAA guidelines. The agreement must establish the permitted and required uses and disclosures of PHI by the business associate, provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law, and require the business associate to use appropriate safeguards to prevent unauthorized use or disclosure of the information.

Responsibilities and Compliance[edit | edit source]

Business associates are directly liable for compliance with certain provisions of the HIPAA Rules. They must:

• Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain, or transmit.
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.
• Ensure compliance by their workforce.

Business associates must also report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI.

Examples of Business Associates[edit | edit source]

Examples of business associates include:

• Third-party administrators that assist a health plan with claims processing.
• A CPA firm whose accounting services to a healthcare provider involve access to PHI.
• An attorney whose legal services to a health plan involve access to PHI.
• A consultant that performs utilization reviews for a hospital.
• A health information organization that provides data transmission services to a healthcare provider.

Also see[edit | edit source]

• Health Insurance Portability and Accountability Act
• Protected health information
• Covered entity
• Privacy Rule
• Security Rule

Template:HIPAA