Am I A Healthcare Business Associate?

Episode 68: Know The Rules! Am I A Healthcare Business Associate?

How Do I Know – Am I A Healthcare Business Associate?

These days, doctors and dentists, known as Covered Entities (CE), outsource their business activities to service providers.

Health & Human Services (HHS) defines a “Business Associate” (BA) as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a CE.

Are you paid with a 1099?





A member of the CE’s workforce is not a BA; however, if paid by 1099 they are a BA! A covered healthcare provider, health plan, or healthcare clearinghouse can be a BA of another CE.







Examples of BA services include (not a complete list of services):

  • Legal
  • Marketing
  • Actuarial
  • Accounting
  • Consulting
  • Data Aggregation
  • Management
  • Administrative
  • Accreditation
  • Managed Service Providers
  • Information Technology Contractors
  • Financial

Examples of BA functions and activities include (not a complete list of functions and activities):

  • Claims Processing, and/or Administration
  • Data Analysis, Processing, and/or Administration
  • Utilization Review
  • Quality Assurance
  • Billing, Coding, Transcription
  • Benefit Management
  • Practice Management and/or Repricing

Examples of BAs (not a complete list of examples):

  • A third party administrator that assists a health plan with claims processing.
  • A marketing consultant and/or agency collecting even minimal contact information, such as Name, Address, and Email, the top 3 of the 18 types of PHI identifiers.
  • A CPA firm whose accounting services to a health care provider involve access to PHI.
  • An attorney whose legal services to a health plan involve access to PHI.
  • A consultant that performs utilization reviews for a hospital.
  • A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a CE and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.


What Should You Do FIRST!!

Before CEs request a BA to create, receive, maintain, store, and/or transmit PHI, they are required to:

  1. Identify each of their BAs
  2. Confirm there is a current signed Business Associate Agreement (BAA) for each BA

The BAA must limit the BA’s access to PHI, allowing only what is necessary to carry out their activities defined by the CE.

BAs Hire Subcontractors

It is not uncommon for BAs to outsource their work to subcontractors. A BA must obtain a signed BAA from each subcontractor before exchanging PHI.

Subcontractors are entities to which a BA delegates a function, activity, or service, other than as a member of the BA’s workforce.

There is no limit to the number of subcontractors that may be liable, because a subcontractor might delegate functions to other subcontractors, creating a chain of BA entities.


Why Does This Matter?

Simple, because BAs can be and have been held directly liable and subject to civil and, in some cases, criminal penalties for making uses and/or disclosures of PHI that were not authorized.

I am just scratching the surface of what activities make them BAs.

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility!

Covered Entities and their Business Associates need to understand that patients are entrusting YOU with their most private and intimate details, and they expect it to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?


That’s right, I am hosting a free webinar on Wednesday, February 20, 2019 @ 1p E/10a P

Don’t forget to register. Hope To See You There!!


