Business Associate, Yes or No?
The HIPAA Privacy Rule requires Covered Entities to take certain steps to ensure that contractors and vendors requiring access to Protected Health Information (PHI) manage and use that information safely and responsibly. Such a vendor or contractor, of course, is called a “business associate” (BA). While most of us think we know what a BA is, do we know exactly who is a BA?
When your organization runs into a new sort of vendor or contractor, you may wonder whether the expectations of a BA apply. To protect your organization and your patients’ data, don’t guess. Be sure you know when a BA Agreement (BAA) is required and when it may not be necessary. The table below shows a few examples of companies, partners, and vendors who may or may not be considered BAs.
[Table: only the column headings “Common Types of” and “Not Usually Considered” survive; the example rows are not present on this page.]
Note that these examples are somewhat generalized. There may be circumstances that alter the nature of the relationship between your organization and a potential BA from what is generally described above.
Keep in mind that your organization’s liability in the case of a data breach or incident does not stop with what happens within your own facility or systems. The security of patients’ PHI in the possession of your BA is your organization’s responsibility as well. Do not guess or rely on vague information. If you have further questions about the requirements of the Privacy Rule, it is important to seek expert advice based on the nature of your relationships with other companies, their need for patient data, and how shared data is used by each entity.