What Is a "Business Associate?"
A "business associate" is a person or
entity that performs certain functions or activities that involve the use or
disclosure of protected health information on behalf of, or provides services
to, a covered entity. A member of the covered entity's workforce is not a
business associate. A covered health care provider, health plan, or health care
clearinghouse can be a business associate of another covered entity. The Privacy
Rule lists some of the functions or activities, as well as the particular
services, that make a person or entity a business associate, if the activity or
service involves the use or disclosure of protected health information. The
types of functions or activities that may make a person or entity a business
associate include payment or health care operations activities, as well as other
functions or activities regulated by the Administrative Simplification Rules.
Business associate functions and activities include: claims processing or
administration; data analysis, processing or administration; utilization review;
quality assurance; billing; benefit management; practice management; and
re-pricing. Business associate services are: legal; actuarial; accounting;
consulting; data aggregation; management; administrative; accreditation; and
financial. See the definition of "business associate" at 45 CFR 160.103.
Examples of Business Associates.
- A third party administrator that assists a health plan with
- A CPA firm whose accounting services to a health care
provider involve access to protected health information.
- An attorney whose legal services to a health plan involve
access to protected health information.
- A consultant that performs utilization reviews for a
- A health care clearinghouse that translates a claim from a
non-standard format into a standard transaction on behalf of a
health care provider and forwards the processed transaction to a
- An independent medical transcriptionist that provides
transcription services to a physician.
- A pharmacy benefits manager that manages a health plan's

Business associates should be aware that the federal American
Recovery and Reinvestment Act (ARRA), commonly known as the
federal stimulus package, requires all business associates to
comply with the security and privacy requirements of the Health
Insurance Portability and Accountability Act (HIPAA). Typical
business associates include medical billing and information
technology. As of February 17, 2010, all business associates
will become subject to criminal and civil liability for not
complying with HIPAA.
If a covered entity shared protected health information (PHI)
with a business associate, the two parties would enter into a
business associate agreement. The agreement would contractually
require the business associate to protect the PHI. However, the
only liability the business associate faced for a violation was
contractual liability to the covered entity, rather than
sanctions by the federal government.
Now, however, business associates face federal monetary fines
and even criminal liability if their use of PHI violates HIPAA.
The new law also requires the Department of Health and Human
Services to begin conducting audits of covered entities and
business associates to ensure HIPAA compliance. Therefore, if
you are a business associate, you will want to make sure you are
fully in compliance before the law goes into effect.
HIPAA law was revised in 2009 to apply directly to Business
Associates, and the penalties for violations are severe.
Penalties for Business Associates for violations of HIPAA can be
as high as $1.5 million per year, and can include prison time
for the most serious criminal offenses.
We offer two different packages for business associates to help
them achieve compliance.
Business Associate Compliance Tool (Less than 50 Employees)
Business Associate Compliance Tool (More than 50 Employees)
We also offer HIPAA certification for business associates and
for products used by the healthcare industry. Many covered entities
request proof that your product is HIPAA compliant or that your
company has achieved HIPAA compliance before entering into business
with them. Our certification will help you in proving your
For details on how to achieve a HIPAA compliance seal
for your company, services and products, feel free to contact us at
Bob@training-hipaa.net or call