Who Are Your Business Associates?

By Jack Anderson, Posted 12/29/09    

Since just before HIPAA went actively into effect I've done a lot of HIPAA compliance work for covered entities (CEs). In the past few years I've done around 200 business associate (BA) information security and program reviews for just one CE, and these don't even scratch the surface for how many BAs each CE has...

There are MANY different types of BAs that do work for CEs. A large portion of them do business in other industries besides the healthcare industry. In the BA information security and privacy program reviews I've performed, the BAs were of all sizes, providing a very wide range of services (some I had never even thought of before), and provided their services to many different industries.

I've been asked if a comprehensive list of BAs exists. Not only do I doubt a comprehensive list of BAs exists, I doubt if one could even could exist; the companies that become a BA and leave being a BA is constant.

The numbers of BAs used by CEs can be huge. As just one example, one CE I did the work for (with approximately 15,000 employees) had identified over 2,000 business partners, and of these they identified around 600 "high risk" BAs....those with access to PHI.

These BAs did a wide range of services, such as:

  • Call center work
  • Application development
  • Archiving
  • Backup vaulting
  • Physical files maintenance
  • Employee background checks
  • Job candidate background checks
  • Test data creation
  • Hot site hosting
  • And many, many more...

Many organizations wonder, so what is a "business associate"?

HIPAA defines a business associate as follows within § 160.103 Definitions:

  • (1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:
  • (i) On behalf of such covered entity or of an organized health care arrangement (as defined in §164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
  • (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
  • (B) Any other function or activity regulated by this subchapter; or
  • (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
  • (2) A covered enlitity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.
  • (3) A covered entity may be a business associate of another covered entity."

The HITECH Act references this as being the definition it uses as well.

So, the common denominator is that a BA handles or otherwise has access to protected health information (PHI).

Think about all the possible types of organizations you outsource different types of business activities to. If you are CE, and they have access in any way to PHI, then they are most likely considered to be BAs.

It's worth noting that CEs are *COMMONLY* BAs of other CEs.

See my blog post, "HITECH Impacts Over 734,178 "Small Business" HIPAA Covered Entities" to see how exponentially many more BAs there probably are than there are CEs.


Add Your Comments

(not published)