Businesses that have access to protected health information (PHI) on behalf of a covered entity (for example, an employer’s group health plan) typically qualify as “business associates” under the HIPAA Privacy, Security and Breach Notification Rules (HIPAA Rules).

If a covered entity uses a business associate, it must have a written business associate agreement with the business associate that requires the business associate to protect the privacy and security of PHI. In addition to these contractual obligations, business associates are directly liable for compliance with many of the HIPAA Rules’ requirements. For example, among other compliance steps, business associates must:

  • Enter into business associate agreements with any subcontractors who create or receive PHI on their behalf;
  • Implement reasonable and appropriate safeguards for protecting electronic PHI (ePHI); and
  • Not use or disclose PHI, except as permitted by the Privacy Rule and business associate agreements.
HIPAA Compliance for Business Associates

Download the complete “HIPAA Compliance for Business Associates”