HIPAA: Business Associates
Business Associates [45 CFR 164.502(e), 164.504(e)]
Rule: Covered entities may disclose PHI to a business associate only after obtaining satisfactory assurances, in a written Business Associate Agreement (BAA), that the business associate will use the PHI only as permitted and will safeguard it appropriately. Business associate status follows from the function performed, not from whether a BAA was signed; disclosing PHI to a business associate without a BAA is itself a violation for both parties.
What is a Business Associate?
A person or entity, other than a member of the covered entity’s workforce, that:
- Creates, receives, maintains, or transmits PHI on behalf of a covered entity for a function or activity regulated by HIPAA (claims processing, data analysis, utilization review, billing, etc.), OR
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a covered entity, where the service involves the disclosure of PHI
Common Business Associate Examples
| Category | Examples |
|---|---|
| Technology | EHR vendors, cloud/hosting providers (even if they store only encrypted PHI and hold no key), IT support with PHI access |
| Administrative | Billing companies, claims processing, collections |
| Professional services | Attorneys, accountants, consultants with PHI access |
| Management | Practice management, PHRs, patient portals |
| Other | Shredding companies, transcription services |
NOT Business Associates
| Category | Reason |
|---|---|
| Janitorial services | Any exposure to PHI is incidental; they do not use or disclose it |
| Electrical/plumbing | No access to PHI |
| Courier and data transmission services (conduit exception) | Transport only; no routine access to the content (e.g., postal service, ISP carrying traffic it does not store or read) |
| Patients’ family/friends | Not performing services for the CE |
| Other covered entities | Disclosures for treatment, or between CEs for their own payment or operations, are governed by CE-to-CE rules; a CE that performs BA functions for another CE is a BA of that CE |
Business Associate Agreement Requirements [§164.504(e)]
Every BAA must include:
| Requirement | Description |
|---|---|
| Permitted uses | Describe what BA may do with PHI |
| Prohibited uses | May not use or disclose except as permitted |
| Safeguards | Require appropriate safeguards |
| Reporting | Report breaches and security incidents |
| Subcontractor compliance | Ensure subcontractors comply |
| Individual rights | Support covered entity’s obligations |
| Access to records | Make internal practices, books, and records available to HHS for compliance review |
| Return/destroy | At termination, return or destroy PHI |
| Termination | Authorize termination for violation |
Business Associate Direct Obligations
Under HITECH, business associates are directly liable for:
| Obligation | Citation |
|---|---|
| Privacy Rule limits on use/disclosure | §164.502(a)(3) |
| All Security Rule requirements | §164.302-318 |
| Breach notification to covered entity | §164.410 |
| Subcontractor BAA requirements | §164.502(e)(1)(ii) |
Subcontractor Requirements
Business associates must:
- Enter BAAs with subcontractors who access PHI
- Ensure subcontractors agree to same restrictions
- Remain responsible for subcontractor compliance
Penalties for Non-Compliance
Business associates are subject to the same penalties as covered entities:
- Civil monetary penalties, tiered by culpability, with an inflation-adjusted annual cap (about $1.9M per identical provision per calendar year at the time of writing)
- Criminal penalties for knowing violations (42 U.S.C. 1320d-6), with higher tiers for false pretenses or intent to sell PHI
- Enforcement by state attorneys general under HITECH