Business Associates Agreement

HIPAA requires that you obtain assurances that your business associates will appropriately safeguard your patients' protected health information (PHI) it receives or creates on your behalf.

Business associate: A "business associate" is a person or organization:

  • who is not an employee or part of your workforce, and
  • who performs certain functions for your practice that involve the use or disclosure of PHI. These functions include, but are not limited to:
    • claims processing,
    • data analysis,
    • utilization review, and
    • billing.

Examples of business associates include:
  • A third party administrator that assists a health plan with claims processing
  • A CPA firm whose accounting services to a health care provider involve access to PHI
  • An attorney whose legal services to a health plan involve access to PHI
  • A consultant that performs utilization reviews for a hospital
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer
  • An independent medical transcriptionist that provides transcription services to a physician

Business associates do NOT include:
  • Your employees/workforce
  • Any organization/person that does NOT use your patients' PHI
  • The Postal Service or certain private couriers
  • Other providers involved in treating your patients
  • Substitute doctors or your patients' doctors from other practices
  • Contracted insurance companies
  • Laboratories (glasses or contact lenses)
  • Third parties in discussions regarding the sale of the practice
  • Janitorial services that do not have access to PHI

Business Associate Agreements: For each of your business associates, you are required to obtain an agreement that requires them to appropriately safeguard your patients' protected health information (PHI) that they receive or create on your behalf. Every Business Associate Agreement must contain the following assurances:

  • Permissions to use & disclose PHI
    Establish the permitted and required uses and disclosures of protected health information by the business associate;

  • Limits to the use & disclosure of PHI
    Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;

  • Safeguards to protect PHI
    Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;

  • Reports of breaches and violations
    Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;

  • Require Disclosure of PHI when needed
    Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity's obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;

  • Comply with the Privacy Rule
    To the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;

  • Provide records during audits
    Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity's compliance with the HIPAA Privacy Rule;

  • Destroy PHI after contract termination
    At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;

  • Agreement applies to Business Associate's subcontractors
    Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

  • Contract may be terminated if violated
    Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

AOA Business Associate Resources

HHS Business Associate Resources: