Who is a Business Associate?

Under the Health Information Privacy and Accountability Act (HIPAA) Omnibus Rule, business associates of covered entities are now primarily and directly liable for compliance with HIPAA requirements and are subject to enforcement by the Department of Health and Human Services.[1] Covered entities may also be liable for the HIPAA violations of their business associates. So, whom does HIPAA consider to be a “business associate”?

The statute defines a “business associate” as someone who 1) creates, receives, maintains, or transmits protected health information (PHI) on behalf of a HIPAA-covered entity; or 2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services that involve the disclosure of PHI.

A “business associate” can include:

  • A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
  • A person that offers a personal health record to one or more individuals on behalf of a covered entity.
  • A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

A “business associate” is not defined as:

  • A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
  • A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor.
  • A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
  • A covered entity participating in an organized health care arrangement that creates, receives, maintains, or transmits protected health information (PHI) on behalf of the entity or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services that involve the disclosure of PHI.

A covered entity may be the business associate of another covered entity. For more information and to answer any questions you may have about compliance with the new, stricter HIPAA rules, contact Feldman Kieffer today via email or at 716-852-5875.



[1] 45 CFR § 160.300 (2013).