Who Are HIPAA Business Associates and Why You Should Care

By: Dr. Jeff Brown | updated on

A HIPAA business associate is a person or entity that performs a service on your behalf in which the service itself involves the use or disclosure of protected health information (PHI). In other words, if an entity is doing anything for your office to create, receive, use, disclose or maintain (store) your PHI, then they are a business associate according to the HIPAA.

Common business associate examples include:

  • Clearinghouse
  • EHR / PM software
  • PI attorney
  • Transcription service
  • Billing service
  • Online patient scheduling
  • Appointment reminder service
  • Email provider
  • Online data backup

You should care about knowing who is, and is not, a business associate because compliance is severely jeopardized if you get this wrong. Too many offices get in trouble with the Office for Civil Rights (the HIPAA police), not because they mess up, but because an organization they contract with messes up.

Good news! The HIPAA provides a protection for you in the form of a Business Associate Agreement (BAA).

According to the HIPAA law, a business associate is permitted to create, receive, maintain, or transmit electronic protected health information on your behalf only after satisfactory assurances are obtained, in writing, that the business associate will appropriately safeguard the information.

A signed BAA is the instrument through which you are able to obtain "satisfactory assurances." Additionally, in many situations the BAA will pass liability from yourself to the business associate. Therefore, it's paramount you get a signed BAA from every on one of your business associates.

The BAA is a fairly standard document. Here is a slightly modified version of the BAA H.H.S. provides on its website (here's the original BAA).

Business associates with hundreds of customers typically have a pre-signed BAA as part of their Terms of Service. Meaning, they don't physically sign a BAA with each individual customer; instead, they post a "pre-signed" agreement online for everyone. We recommend documenting the website link to the actual agreement as part of your HIPAA compliance record keeping.

What about non-business associates?

Everyone else who has regular contact with your PHI falls into one of two categories. Either they are a workforce member or not.

Workforce member: Workforce consists of everyone whose conduct is under the direct control of the business (covered entity or business associate) and their job involves the use of patient information. For example a provider, employee, therapist, contractor, volunteer, and spouse or family member would all be workforce members if their conduct is under the direct control of the covered entity or business associate and the work they perform involves patient information.

Who pays the workforce member is irrelevant—HIPAA does not subscribe to IRS employee vs. contractor definitions when determining whether or not someone is a workforce member. Don't assume someone is a business associate just because the covered entity isn't paying him or her.

Read this article to learn what HIPAA document needs to be singed by your workforce.

Not workforce member: Generally, a person or vendor is not a business associate if they do not create, receive, use, disclose or maintain your PHI as part of the relationship they have with your business. The two most common examples are an office cleaning service and the various scenarios in which office space is shared or rented.

Read this article to learn why a confidentiality agreement is better suited than a BAA for these folks.

DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice.

Read More Articles

Watch HIPAA Webinars