
Which company below is considered a business associate in HIPAA?


According to the Department of Health and Human Services (HHS), any organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a HIPAA-covered entity is a business associate. The distinction matters because it determines which vendors must sign a Business Associate Agreement (BAA) and which are themselves directly bound by HIPAA's Privacy and Security Rules.

Quick Summary

This article explains the definition of a HIPAA business associate and provides clear examples of third-party vendors who fit this role. It distinguishes between business associates and covered entities, details the purpose of a Business Associate Agreement (BAA), and highlights the importance of compliance for safeguarding protected health information (PHI).

Key Points

  • Definition: A business associate is a person or organization outside a covered entity's workforce that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf.

  • Examples: Cloud storage providers, billing companies, and IT service providers are common examples of business associates.

  • Business Associate Agreement (BAA): Covered entities must have a BAA with any business associate, a contract outlining PHI protection responsibilities.

  • Direct Liability: Following the HITECH Act, business associates can be held directly liable for HIPAA violations, not just contractually.

  • Subcontractors: The HIPAA rules and BAA requirements also extend to subcontractors of business associates who handle PHI.

  • Function-Based Determination: The business associate status depends on the function performed for the covered entity, not just the vendor's industry.


Understanding the Business Associate Role in HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect sensitive patient information, known as Protected Health Information (PHI). While covered entities—such as hospitals, health plans, and healthcare clearinghouses—are directly responsible for HIPAA compliance, the rules extend to third-party vendors who handle PHI on their behalf. These third parties are known as business associates.

A company becomes a business associate when it performs services for a covered entity that involve the creation, receipt, maintenance, or transmission of PHI. A crucial element of this relationship is the Business Associate Agreement (BAA), a legally binding contract that ensures the business associate will protect the PHI they access. Without a BAA in place, a covered entity risks non-compliance and faces potential penalties.

Examples of Companies Considered Business Associates

Identifying a business associate is not always straightforward, because the relationship is defined by the function the vendor performs for the covered entity, not by the vendor's industry. Common examples of companies that are typically business associates under HIPAA include:

  • Cloud Storage Providers: Any company that stores electronic PHI (ePHI) on its systems for a healthcare provider is a business associate. HHS cloud computing guidance is explicit that this holds even when the provider never views the data and even when it stores only encrypted ePHI without holding the decryption key; maintaining the data is sufficient to create the relationship.
  • Billing and Claims Processing Companies: Organizations that prepare and submit claims on behalf of a hospital or physician's office must handle PHI to do the work, which makes them business associates.
  • IT Service Providers: A technology company that manages a hospital's servers, provides cybersecurity or monitoring services, or performs system maintenance routinely has access to ePHI. It is a business associate and must sign a BAA and meet the Security Rule obligations that apply to it.
  • Legal or Accounting Firms: An accounting firm that audits a healthcare provider's financial records and needs PHI to do so, or a law firm whose work on malpractice or other matters requires access to patient records, is a business associate. HHS lists attorneys whose services involve PHI among its own examples.
  • Medical Transcription Services: An external transcription company that receives dictated notes and returns finished reports receives and transmits PHI, making it a business associate.
  • Third-Party Administrators (TPAs): For health plans, TPAs that handle claims processing or other administrative functions involving PHI are business associates.
  • Shredding or Document Destruction Companies: A company that collects and destroys paper records or storage media containing PHI handles that PHI during the process, so it is a business associate and a BAA must be in place.

Key Functions Defining a Business Associate

To determine if a company is a business associate, a covered entity should consider if the vendor's role involves any of the following HIPAA-regulated activities:

  • Creates: Generates PHI, such as a company that creates reports based on patient data.
  • Receives: Collects PHI from a covered entity.
  • Maintains: Holds or stores PHI, as in the case of a data center or cloud provider.
  • Transmits: Sends PHI on behalf of the covered entity.

Comparison: Covered Entity vs. Business Associate

  • Definition
    Covered Entity (CE): A health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction.
    Business Associate (BA): A person or entity that performs a service for a CE that involves creating, receiving, maintaining, or transmitting PHI.
  • Direct HIPAA Liability
    CE: Yes, directly responsible for complying with all applicable HIPAA rules.
    BA: Yes. Since the HITECH Act and the 2013 Omnibus Rule, a BA is directly liable for violations such as failing to safeguard ePHI or making unauthorized disclosures, independent of the BAA.
  • Workforce Inclusion
    CE: Members of a CE's own workforce are not BAs; they are covered under the CE's own HIPAA compliance program.
    BA: A BA is not part of the CE's workforce; it is an external vendor or contractor.
  • Basis of Obligation
    CE: Bound by the HIPAA rules directly.
    BA: Bound by the HIPAA rules directly and must also have a Business Associate Agreement (BAA) with the CE.
  • Example
    CE: A hospital, a health insurer, a doctor's office.
    BA: An IT security vendor, a billing company, a cloud storage provider.

What About Subcontractors?

The HIPAA rules also reach subcontractors of a business associate. If a business associate hires another company to create, receive, maintain, or transmit PHI on its behalf, that subcontractor is itself a business associate. This creates a chain of responsibility in which each entity must have a BAA with the entity it directly contracts with; the covered entity does not need a direct agreement with the subcontractor. For example, a cloud storage provider (the BA) must have a BAA with the healthcare provider (the CE), and if that cloud provider hosts the data in a third-party data center (the subcontractor), the cloud provider must have a BAA with the data center.

The Critical Role of the Business Associate Agreement (BAA)

The BAA is the cornerstone of the relationship between a covered entity and a business associate. It contractually binds the business associate to the HIPAA obligations that apply to it. Under the Privacy Rule, the BAA must specify the permitted and required uses and disclosures of PHI, require the business associate to implement appropriate safeguards, require reporting of breaches and security incidents, require the same terms to flow down to subcontractors, and address return or destruction of PHI when the agreement ends. It is not a formality but a core risk-management control. Covered entities should perform due diligence on a prospective business associate's security and privacy practices before signing, since the CE remains exposed to the consequences of a breach at its vendor.

Conclusion

For any covered entity, properly identifying and managing business associates is a fundamental part of maintaining HIPAA compliance. By understanding the definition of a business associate and ensuring that a legally sound Business Associate Agreement is in place, healthcare organizations reduce their exposure to breaches and penalties. When evaluating a potential vendor, the primary question is whether the service requires the vendor to create, receive, maintain, or transmit PHI on your behalf. If the answer is yes, the vendor is a business associate and a BAA is non-negotiable.

Visit the official HHS.gov Business Associate webpage for further guidance on compliance requirements.

Frequently Asked Questions

What is the difference between a covered entity and a business associate?
A covered entity (e.g., a hospital or health plan) is directly subject to HIPAA as a health plan, clearinghouse, or provider. A business associate is a third party that performs a service for a covered entity that involves creating, receiving, maintaining, or transmitting protected health information (PHI) on its behalf.

Is a medical courier a business associate?
Generally, no. The Office for Civil Rights (OCR) treats a courier that merely transports PHI as a 'mere conduit', and a BAA is not required. The conduit exception is narrow: it covers entities such as the U.S. Postal Service, private couriers, and their electronic equivalents that only transport or transmit PHI and have at most random or infrequent access to it. A vendor that stores PHI, even briefly, is not a conduit.

What is a Business Associate Agreement (BAA)?
A BAA is a legally binding contract between a covered entity and a business associate that specifies the permitted uses of PHI and the protections the business associate must implement to safeguard it.

Is an attorney a business associate?
Yes, if an attorney provides legal services to a covered entity and that work requires access to protected health information (PHI), the attorney is a business associate.

What happens if a covered entity fails to obtain a BAA?
Failure to obtain a BAA before sharing PHI is itself a HIPAA violation and can result in significant civil penalties from the Office for Civil Rights (OCR). The business associate can also be penalized directly for its own violations.

Is a cloud service provider a business associate?
Yes. Cloud service providers that store or maintain electronic protected health information (ePHI) for a covered entity are business associates regardless of whether they access the data, and regardless of whether the data is encrypted with a key the provider does not hold.

Are a covered entity's own employees business associates?
No. A business associate is a vendor external to the organization. Members of a covered entity's own workforce are covered under the entity's HIPAA compliance policies and are not business associates.
