Business Associates
By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will:
- Use the information only for the purposes for which it was engaged by the covered entity;
- Safeguard the information from misuse; and
- Help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.
Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
How the Rule Works
General Rule
The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.