What is a HIPAA Business Associate or Vendor?

Modified on Tue, 5 Mar at 11:16 AM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

A HIPAA business associate (sometimes referred to as a “HIPAA vendor”) is: 


“[A] person or entity, other than a member of the workforce of a covered entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”

Specifically, if a vendor is performing a function, activity, or service for or on behalf of a covered entity, and that function, activity, or service involves the vendor’s creation, transmission, receipt, or maintenance of protected health information (PHI), the vendor is a HIPAA business associate.


Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. 


Examples of business associates include (but are not limited to):

  1. A third-party administrator that assists a health plan with claims processing. 

  2. A CPA firm whose accounting services to a healthcare provider involve access to protected health information. 

  3. An attorney whose legal services to a health plan involve access to protected health information. 

  4. A consultant who performs utilization reviews for a hospital. 

  5. A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer. 

  6. An independent medical transcriptionist that provides transcription services to a physician. 

  7. A pharmacy benefits manager that manages a health plan’s pharmacist network. 


If a business associate performs these functions, activities, or services on behalf of another business associate (which, in turn, performs them on behalf of a covered entity), the business associate acting on behalf of the other business associate is referred to as a business associate subcontractor. Both business associates and business associate subcontractors must comply with HIPAA.
