What is a "business associate" under HIPAA?
The term "business associate" refers specifically to a person or organization that conducts business with the covered entity that involves the use or disclosure of individually identifiable health information. Business associates include those that perform services on behalf of the covered entity, such as claims processing, data analysis, utilization review, and billing, or provide services to the covered entity, such as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. To be a business associate, the work of an organization must deal directly with the use or disclosure of protected health information (PHI).
The HITECH Act also specifies that an organization that provides data transmission of PHI to a covered entity and that requires access to PHI on a routine basis will be treated as a business associate. Such an organization may include: a Health Information Exchange Organization, a Regional Health Information Organization (RHIO), an e-Prescribing Gateway, or a PHR vendor that contracts to have its product included as part of a covered entity's EHR.
Related Resources:
Summary of the HIPAA Privacy Rule: Business Associates - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003). This site provides a summary of the HIPAA Privacy Rule.
Comments?
E-mail the HealthIT e-mail box: healthit@hrsa.gov