Vendor Risk Management

HIPAA Business Associate Checklist

According to HHS, a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.


Common examples of business associate relationships include claims processing, billing, data analysis, data processing, practice management, UR, QA, benefit management, claims re-pricing, legal, actuarial, accounting, consulting, management, technical support, administrative, and accreditation. A business associate is obligated not to use or further disclose Protected Health Information (PHI) other than as permitted or required by the BA agreement or as Required By Law.

The business associate must sign the organization’s BA agreement (BAA) prior to performing any services. Through the signed BAA, the organization obtains satisfactory written assurance that the business associate will appropriately maintain the privacy and security of the PHI and fulfill HIPAA business associate obligations.

To help determine if you or one of your vendors is a business associate (and whether they need to have a BAA in place), please refer to our free Business Associate Checklist.

This checklist is provided for informational purposes only and does not constitute legal advice. Loricca also recommends reviewing the status of each of your vendors with your legal counsel.