What is a "business associate"?

A "business associate" is one of the two types of entities regulated by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

Put simply, a business associate is a vendor or contractor for a covered entity (the other type of entity regulated by HIPAA). Put more technically, a business associate is:

• A person or entity;

• Who is not a member of the covered entity's workforce;

• Who provides or performs certain functions, activities, or services;

• To, for, or on behalf of a covered entity; and

• Creates, receives, maintains, or transmits protected health information for, from, or on behalf of a covered entity in the performance of those functions, activities, or services.

Common examples of business associates are:

• Law firms

• CPAs

• Consultants

• Accreditation associations

• IT vendors

• Medical billing companies

• Pharmacy benefit managers

• Transcription companies

Are all vendors or subcontracts considered a "business associates"?

No. First, the vendor has to be performing or providing specific functions, activities, or services to, for, or on behalf of a covered entity.

So what are those functions, activities, and services?

The functions and activities include:

• Claims processing or administration

• Data analysis

• Processing or administration

• Utilization review

• Quality assurance

• Certain patient safety activities

• Billing

• Benefit management

• Practice management

• Repricing

• Other functions and activities regulated by HIPAA

The services are:

• Legal

• Actuarial

• Accounting

• Consulting

• Data Aggregation

• Management

• Administrative

• Accreditation

• Financial services

If the vendor or contractor is not performing one of the above function, activities, or services, it is not a "business associate" and a covered entity cannot disclose protected health information to the vendor or subcontractor unless the disclosure is otherwise permitted by the Privacy Rule.