Business associates are third parties who create, receive, maintain, or transmit PHI on behalf of a covered entity.
A business associate is generally not a member of the covered entity's workforce, though it may create, receive, or use PHI on behalf of a covered entity.
It is a person or company with whom you share PHI and that may access, use, or disclose PHI to perform a function or activity on behalf of the covered entity.
Examples are consultants, electronic medical record companies, lawyers, accountants, IT software companies, and medical billing companies.
A covered entity can be the business associate of another covered entity.
Persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of PHI and any access to PHI by such persons would be incidental, if it occurs at all.
When a covered entity uses a business associate to provide services or activities on its behalf, the HIPAA Rules require that the covered entity include certain protections for the PHI in a written contract or business associate agreement.
A business associate is required to safeguard the privacy and security of protected health information in the same manner as the covered entity. Under HITECH, business associates are now directly liable if there is a breach.
In the business associate contract, a covered entity must impose specified written safeguards on the PHI used or disclosed by its business associate.
A covered entity may not contractually authorize the business associate to make any use or disclosure of protected health information that would violate HIPAA.