By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses.
The Privacy Rule allows covered providers and health plans to disclose protected health information (PHI) to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose PHI to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
How the Rule Works
The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the PHI it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
What Is a “Business Associate?”
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of PHI.
Business associate functions and activities include but are not limited to:
- Accounting Services
- Accreditation Services
- Actuarial Services
- Administrative Services
- Benefit Management
- Billing
- Claims Processing or Administration
- Consulting Services
- Data Aggregation Services
- Data Analysis, Processing or Administration
- Financial Services
- Information Technology Services
- Legal Services
- Management Services
- Practice Management
- Quality Assurance
- Repricing
- Utilization Review
See the definition of “business associate” at 45 CFR 160.103.
Examples of Business Associates.
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to PHI.
- An attorney whose legal services to a health plan involve access to PHI.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
Exceptions to the Business Associate Standard.
The Privacy Rule includes the following exceptions to the business associate standard. See 45 CFR 164.502(e). In these situations, a covered entity is not required to have a business associate contract or other written agreement in place before PHI may be disclosed to the person or entity.
- Disclosures by a covered entity to a health care provider for treatment of the individual. For example:
  - A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
  - A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
  - A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.
- Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or HMO that provides the health insurance benefits or coverage for the group health plan, provided that the group health plan’s documents have been amended to limit the disclosures or one of the exceptions at 45 CFR 164.504(f) has been met.
- The collection and sharing of PHI by a health plan that is a public benefits program, such as Medicare, and an agency other than the agency administering the health plan, such as the Social Security Administration, that collects PHI to determine eligibility or enrollment, or determines eligibility or enrollment, for the government program, where the joint activities are authorized by law.
Other Situations in Which a Business Associate Contract Is NOT Required.
- When a health care provider discloses PHI to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan’s network. A provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the “business associate” of the other.
- With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all.
- With a person or organization that acts merely as a conduit for PHI, for example, the US Postal Service, certain private couriers, and their electronic equivalents.
- Where one covered entity purchases a health plan product or other insurance, for example, reinsurance, from an insurer. Each entity is acting on its own behalf when the covered entity purchases the insurance benefits, and when the covered entity submits a claim to the insurer and the insurer pays the claim.
- To disclose PHI to a researcher for research purposes, either with patient authorization, pursuant to a waiver under 45 CFR 164.512(i), or as a limited data set pursuant to 45 CFR 164.514(e). Because the researcher is not conducting a function or activity regulated by the Administrative Simplification Rules, such as payment or health care operations, or providing one of the services listed in the definition of “business associate” at 45 CFR 160.103, the researcher is not a business associate of the covered entity, and no business associate agreement is required.
- When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Business Associate Agreement
The HIPAA Regulations require the University, as a covered entity, to have a business associate agreement (“BAA”) whenever a non-University person or entity provides services to the University involving the use or disclosure of the University’s PHI. HIPAA requires that agreements with business associates include specific provisions. The University has standard HIPAA BAAs that should be used whenever a business associate agreement is required.
Please refer any questions concerning the necessity for a BAA in a particular situation to the Institutional Compliance and Privacy Office at compliance@uthscsa.edu or (210) 567-2014.
For more information, visit the U.S. Department of Health and Human Services pages: Frequently Asked Questions on Business Associates as well as other Frequently Asked Questions about the Privacy Rule.