DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Per HHS, yes. The HIPAA Privacy Rule explicitly defines organizations that accredit covered entities as business associates. See the definition of “business associate” at 45 CFR 160.103.
Like other business associates, accreditation organizations provide a service to the covered entity which requires the sharing of protected health information. Accreditation organizations may include those listed here, among others.
As business associates of covered entities, accreditation organizations must generally enter business associate agreements with covered entities with whom they share PHI. As an alternative to the business associate agreement or contract, covered entities may disclose a limited data set of protected health information, not including direct identifiers, to an accreditation organization, subject to a data use agreement. See 45 CFR 164.514(e).
If only a limited data set of protected health information is disclosed, the satisfactory assurances required of the business associate are satisfied by the data use agreement.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article