A HIPAA business associate is a person or organization that provides certain services or functions that involve access to protected health information (PHI) on behalf of a covered entity. Covered entities are healthcare providers, health plans, and healthcare clearinghouses that are subject to the HIPAA Privacy and Security Rules.
Examples of HIPAA business associates may include:
Under HIPAA regulations, covered entities are required to enter into written agreements with their business associates to ensure that they protect the privacy and security of PHI in accordance with HIPAA requirements. These agreements, called business associate agreements (BAAs), must be signed before any PHI is shared with the business associate. The BAA specifies the permitted uses and disclosures of PHI by the business associate, as well as the business associate's obligations with respect to protecting the PHI.
Business associates are also directly subject to certain provisions of the HIPAA Privacy and Security Rules, and may be subject to penalties and fines for non-compliance with these requirements. In addition, the HIPAA Omnibus Rule, which went into effect in 2013, expanded the definition of business associates to include subcontractors, meaning that a business associate's downstream contractors and vendors that have access to PHI are also subject to the same HIPAA requirements as the business associate.