Table of Contents:
- What is a Business Associate?
- Role of a Business Associate
- Are employees of a Covered Entity considered Business Associates?
- Is it possible to be both a Covered Entity and a Business Associate?
- Subcontractors and Business Associates
- Purpose of a Business Associate Agreement
- Do Business Associate Agreements expire?
What is a Business Associate?
Simply put, a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.
By law, the HIPAA Privacy Rule applies only to Covered Entities. Covered Entities are typically health plans, health care clearinghouses, and certain health care providers.
Most Covered Entities, however, do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other organizations.
If these services involve the use of protected health information, the organization providing them is a Business Associate.
Learn more: Business Associates [HHS]
What is the Role of a Business Associate?
In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.
Here are some examples of services provided by Business Associates:
- Claims processing or administration
- Data analysis, processing or administration
- Utilization review
- Quality assurance
- Email security
- Benefit management
- Practice management
Are employees of a Covered Entity considered Business Associates?
No. Employees of a Covered Entity are not considered Business Associates.
Is it possible to be both a Covered Entity and a Business Associate?
Yes, it is possible to be classified as both a Covered Entity and a Business Associate.
For example, a Covered Entity such as a health care provider, health plan, or health care clearinghouse can also be a Business Associate of another Covered Entity.
Subcontractors and Business Associates
Any subcontractor of a Business Associate that creates, receives, maintains, or transmits protected health information on behalf of the Business Associate is itself also a Business Associate.
This distinction is often overlooked.
What is the purpose of a Business Associate Agreement?
A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a Business Associate Agreement (BAA).
If you are a Covered Entity entrusting protected health information to a third party, then a Business Associate Agreement is required by law.
Read full article: Business Associate Agreement Provisions
Do Business Associate Agreements expire?
A Business Associate Agreement (BAA) is required to be in place for the entire duration of services provided by a Business Associate to a Covered Entity.
If a BAA has an expiration date in it, that’s a red flag and is the same as not having one at all.