The page below is a sample from the LabCE course HIPAA Privacy and Security Rules. Access the complete course and earn ASCLS P.A.C.E.-approved continuing education credits by subscribing online.

Business Associate Agreement

A business associate is a person or organization that is not a member of the covered entity's workforce but provides services to the covered entity that involve the use or disclosure of PHI. A business associate contract must be in place between covered entities and their business associates. This contract defines the processes that will be implemented, and it clarifies and limits the permissible uses and disclosures of PHI by the business associate. A business associate may use or disclose PHI only as permitted or required by the business associate contract or as required by law.
Business associate functions or activities on behalf of a covered entity include:
  • Claims processing
  • Data analysis
  • Utilization review
  • Billing
Business associate services to a covered entity are limited to:
  • Legal
  • Actuarial
  • Accounting
  • Consulting
  • Data aggregation
  • Management
  • Administrative
  • Accreditation
  • Financial services
A subcontractor who creates, receives, maintains, or transmits PHI on behalf of a business associate is also considered a business associate.
Business associate agreements are not generally required between two covered entities involved in treatment, payment, or health care operations.
The US Department of Health and Human Services (HHS) has sample business associate contract provisions available on its website to guide covered entities in creating their own business associate contracts. These samples are available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. Accessed January 3, 2019.