A business associate is a person or organization that is not a member of the covered entity's workforce but provides services to the covered entity that involve the use or disclosure of PHI. A business associate contract must be in place between covered entities and their business associates. This contract defines the processes that will be implemented and clarifies and limits the permissible uses and disclosures of PHI by the business associate. A business associate may use or disclose PHI only as permitted or required by the business associate contract or as required by law.
Business associate functions or activities on behalf of a covered entity include:
- Claims processing
- Data analysis
- Utilization review
Business associate services to a covered entity are limited to:
- Data aggregation
- Financial services
A subcontractor who creates, receives, maintains, or transmits PHI on behalf of a business associate is also considered a business associate.
Business associate agreements are not generally required between two covered entities involved in treatment, payment, or health care operations.