business associate (HIPAA)

HIPAA defines a business associate as an individual or corporate "person" that:

  • performs, or assists in performing, a function or activity on behalf of the covered entity that involves the use or disclosure of protected health information (PHI); and
  • is not a member of the covered entity's workforce.

The definition of "function or activity" is all-encompassing: legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services, and anything else a covered entity might contract out are included, provided that access to PHI is involved.

Business associate requirements do not apply to disclosures by a covered entity to a health care provider for treatment purposes, for example PHI exchanged between a hospital and physicians with admitting privileges. However, a covered entity may itself be a business associate of another covered entity for non-treatment functions and activities, and in that role it is bound by the contractual assurances it gave as part of that relationship.

The business associate requirements also do not apply to:

  • disclosures to the plan sponsor by a group health plan, or by a health insurance issuer or HMO with respect to a group health plan, provided the plan documents have been amended to restrict the sponsor's use and disclosure of the information; nor to
  • the collection and sharing of PHI between a health plan that is a public benefits program and an agency other than the one administering the health plan, in order to determine eligibility or enrollment.

A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive PHI on its behalf only if the covered entity executes a satisfactory contract or other written agreement (such as a memorandum of understanding) that details permitted activities.

Such agreements must also provide that the business associate will:

  • not use or further disclose the PHI other than as permitted by the contract or as required by law;
  • report to the covered entity any unauthorized use or disclosure of which it becomes aware;
  • ensure that any agents, including subcontractors, to whom it provides PHI agree to the same restrictions and conditions that apply to the business associate; and
  • on termination of the contract, return or destroy all PHI in its possession, or, where that is not possible, extend the protections of the contract for as long as the information is retained.

Business associates must cooperate with the covered entity to provide access to PHI for the subjects of that information, allow for amendment or correction, and assist in accounting for PHI disclosures.

Business associates must also be prepared to make their internal practices, books, and records relating to the use and disclosure of PHI available to DHHS for purposes of determining compliance.

DHHS has taken the position that covered entities are not liable for the privacy violations of business associates. However, if a covered entity becomes aware of a pattern of activity or practice by a business associate that constitutes a material breach of the contract, it must, in order:

  • take reasonable steps to remedy the situation;
  • if such steps are not successful, terminate the contract or arrangement; and
  • if termination is not feasible, report the problem to DHHS.

Notwithstanding these provisions, failure to execute a business associate contract with "satisfactory assurances," or to take these corrective actions when the assurances are not met, could result in liability.


Last modified: 10-May-2005 [RC]


   © 2002-2006 Contributing authors and University of Miami School of Medicine