What is a "business associate" under HIPAA?
The term "business associates" refers specifically to a person or organization that conducts business with the covered entity that involves the use or disclosure of individually identifiable health information. Business associates include those that perform services on behalf of the covered entity, such as claims processing, data analysis, utilization review, and billing, or provide services to the covered entity, such as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. To be a business associate, the work of an organization must deal directly with the use or disclosure of protected health information.
The HITECH Act also specifies that an organization that provide data transmission of PHI to a covered entity and that requires access to PHI on routinely will be treated as a business associate. Such an organization may include: a Health Information Exchange Organization, a Regional Health Information Organization (RHIO), an e-Prescribing Gateway, or a PHR vendor that contracts to have its product included as part of a covered entity's EHR.
Summary of the HIPAA Privacy Rule: Business Associates - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003). This site provides a summary of the HIPAA Privacy Rule.
E-mail the HealthIT e-mail box: firstname.lastname@example.org