Can business associates use protected health information for their own purposes?

Generally no. The purpose of the business associate provision is to allow covered entities to use business associates to support the cover entities' operations. The relationship between a covered entity and business associate, and the ability to use protected health information, is not for the benefit of the business associate.

HIPAA does allow business associates to use protected health information for their own purposes, but those permitted uses and disclosures are very narrow and should not be read to include a business associate using protected health information for its own commercial purposes, such as conducting marketing activities, training an algorithm or large language model, or similar activity.

What are those permitted uses and disclosures?

A business associate can use protected health information:

• For the proper management and administration of the business associate.

• To carry out the legal responsibilities of the business associate.

In addition, where a disclosure is not required by law, a business associate disclosing protected health information for either of the permitted purposes must obtain certain satisfactory assurances from the recipient.

Beyond that, a business associate's use of protected health information is largely to provide the functions, activities, or services to the covered entity.

Can a covered entity allow a business associate to use protected health information for other purposes?

No. The Privacy Rule restricts how a business associate may use and disclose protected health information, a covered entity cannot override those restrictions.