HIPAA Definition of a Business Associate
- Entities covered under HIPAA typically rely on third parties, known as business associates, to complete certain health transactions. A business associate typically performs tasks for a covered entity in order to process personal health information. These tasks may include claims processing or administration; data analysis, processing or administration; and utilization review, billing or benefit management.
- HIPAA allows covered entities to disclose to a business associate the minimum amount of personal health information needed for the business associate to complete its work. The minimum disclosure relates to personal health information provided for health care treatment or payment and operations. Treatment includes the coordination and management of health care; payment includes insurance coverage eligibility and determination; operations include administrative or financial activities necessary for business.
- HIPAA requires covered entities to receive assurances from business associates that personal health information remains confidential. The law requires a form of written agreement between a covered entity and business associates protecting the confidentiality of the divulged personal health information. The written agreement can be a contract or other form of writing.
- HIPAA requires written agreements between covered entities and business associates to contain specific information concerning the disclosure and protection of personal health information. The law requires the agreement to limit disclosure of personal health information to the minimum necessary to complete a task. The agreement must contain information on methods for protecting personal health information and remedies for unintentional disclosure.
- HIPAA provides certain exemptions to the business associate requirement, including patient referrals for medical treatment. For example, when a hospital refers a patient to a specialist for treatment, the law does not require a written agreement. Additionally, when a physician refers a patient to a laboratory for testing, the law does not require a written agreement.