When is a Business Associate Agreement NOT Required?

Modified on Tue, 5 Mar at 11:18 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Entities that are not HIPAA business associates are not required to enter into HIPAA business associate agreements. Examples of entities that are not business associates include:

1. Entities that do not create, receive, maintain, or transmit PHI. Under the HIPAA rules, to meet the definition of "business associate," an entity must create, receive, maintain, or transmit PHI for or on behalf of a covered entity. An entity that does not handle PHI in that way is not a business associate. Examples include cleaning crews and janitorial services. If these entities happen to encounter PHI, they do so incidentally (for example, when a worker placing a trash bag in a dumpster accidentally views PHI on a piece of paper that falls out of the bag). The distinction is that a business associate performs work for or on behalf of a covered entity for which access to PHI is required, while a non-business associate's exposure to PHI occurs only as a by-product of, or incidental to, the work it performs for the covered entity.

One type of vendor whose business associate status is not always easily discerned is a software company that simply sells or provides software to the covered entity. The mere act of selling or licensing software is insufficient to confer business associate status on the seller or provider. The seller or provider must have access to the covered entity's PHI to qualify as a business associate. An entity that does not require PHI access to perform work for a covered entity, and that does not in fact access PHI, is not a business associate. The picture changes once the vendor touches the data: under HHS guidance, a software company that hosts the software and the patient information it contains on its own servers, or that accesses patient information when troubleshooting or supporting the software, does require PHI access and is a business associate, so a BAA is needed before that access is granted.

2. Entities acting on their own behalf or on behalf of the patient. The business associate requirements only apply to entities that are performing a function involving PHI on behalf of a covered entity or its business associate.

Entities handling PHI for their own purposes are not business associates. For example, a provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the ‘business associate’ of the other.

Similarly, a bank or financial institution is not a business associate of a covered entity when it “processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums." In these cases, “the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity” and is not a business associate.

Researchers are not business associates of covered entities even if the researcher is hired by the covered entity to conduct research. 

Where a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other.

Covered entities that simply provide PHI for another covered entity’s healthcare operations are not business associates of the other entity. 

Finally, an entity performing services on behalf of the patient, not on behalf of the healthcare provider, is not a business associate (e.g., an attorney who requests health information to represent the patient, or a company that collects and interprets data on behalf of a patient).

3. Entities performing management or administrative functions for business associates. Covered entities may allow business associates to use PHI for the business associate's own management and administration or legal responsibilities. If so, "disclosures by a business associate … for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the [PHI] because such disclosures are made outside of the entity's role as a business associate."

In contrast, disclosures of PHI by the business associate to a person who will assist the business associate in performing a function, activity, or service for a covered entity or another business associate may create a business associate relationship depending on the circumstances.


However, even where no BAA is required because an entity is only assisting the business associate with its own management or administration, HIPAA still restricts how that entity may use or disclose the PHI:

"For [any] such disclosures that are not required by law, [HIPAA] requires that the business associate obtain reasonable assurances from the person to whom the [PHI] is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and the person notifies the business associate of any instances of which it is aware that the confidentiality of the information has been breached."

Such “reasonable assurances” may be obtained through a limited confidentiality agreement; a full-blown BAA is not required.


4. Entities that are mere "conduits" for PHI. Entities that transmit PHI for a covered entity are not business associates if they are not required to access the PHI on a routine basis, i.e., they are merely "conduits" of the PHI (e.g., internet service providers, phone companies, etc.). The exception covers transmission only, not storage: under HHS's cloud computing guidance, a cloud service provider that maintains ePHI on a covered entity's behalf is a business associate even if the data is encrypted and the provider holds no decryption key.

HHS addressed the scope of the conduit exception in the preamble to the 2013 Omnibus Final Rule: "Regarding what it means to have 'access on a routine basis' to [PHI] with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact-specific based on the nature of the services provided and the extent to which the entity needs access to [PHI] to perform the service for the covered entity. The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or UPS and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to [PHI] when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to [PHI] would not qualify the company as a business associate. In contrast, an entity that requires access to [PHI] to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of [PHI] through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate."


5. Members of a covered entity's or business associate's workforce. The definition of "business associate" under HIPAA specifically excludes persons acting in the capacity of a member of the covered entity's or business associate's workforce.

The HIPAA regulations define "workforce" as "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate."

A contractor and a covered entity may agree to treat the contractor as a member of the covered entity's workforce. A contractor that is a workforce member of the covered entity is, by definition, not a business associate of the covered entity, and no BAA is needed. Two caveats apply. First, the label must fit the facts: the defining test is whether the contractor's conduct, in performing work for the covered entity, is under the covered entity's direct control (for example, an on-site contractor working under the covered entity's supervision and policies). A vendor that handles PHI off-site under its own procedures does not become a workforce member simply by being called one. Second, both the contractor and the covered entity must agree to the classification, and a covered entity may resist it. Workforce members must be trained on, and are subject to, the covered entity's HIPAA policies and sanctions, and classifying someone as a workforce member usually means the covered entity is vicariously liable for negligent acts the contractor commits during and within the scope of the relationship. Whether vicarious liability can be imposed depends on state agency law (the law governing the relationship between principal and agent). If the covered entity declines to treat the contractor as a workforce member, a contractor that creates, receives, maintains, or transmits PHI on the covered entity's behalf would be regarded as a business associate, and a BAA would be required.

6. Healthcare providers to whom a covered entity provides PHI to treat patients.
A healthcare provider is not a business associate of another covered entity while rendering treatment to patients. The HIPAA Privacy Rule explicitly excludes from the business associate definition disclosures by a covered entity to a health care provider concerning the treatment of the individual. Therefore, any covered health care provider (or other covered entity) may share PHI with a health care provider for treatment purposes without a business associate contract.

For example,

  • A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
  • A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
  • A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.

This exception only applies to the extent that the healthcare provider is using the PHI for treatment purposes; it would not apply if the healthcare provider is using the information to perform other functions on behalf of the covered entity. For example, a hospital may enlist the services of another healthcare provider to assist in the hospital's training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to PHI. Even in that example, however, the hospital and the other provider would not need a BAA if they were both participants in an organized health care arrangement (OHCA) and the work was performed on behalf of the OHCA.

