Who in the World are my Business Associates?

by  Christine Woolstenhulme, QCC, QMCS, CPC, CMRS
August 29th, 2014

The associates in the provider’s world and healthcare society are filled with loads of potential business associates and endless Individual identifiable health information.

 We have had so many questions about business associates I thought I would go to the source and put together some information from HHS.gov, otherwise known as U.S. Department of Health & Human Services. Maybe I can clear up a few common questions and give you some other resources to do your own research if you would like.   

 First of all … what is PHI or Individually Identifiable Health Information (HHI)?   Basically; it is any information used to identify an individual patient as well as information created or received that has anything to do with a patient. Including demographics as well as past present or future health condition. Specifically; anything that can be used to reasonably identify an individual or treatment.

Why do I need a contract with my Business Associates?

The reason behind the Privacy rule is to obtain assurances from your business associates that they will safeguard the protected health insurance information. This is now required in writing in the form of a contract, called Business Associate Agreement. To learn more about this InstaCode (Instacode.com)  has written a book called “Complete and Easy HIPAA COMPLIANCE”   the third edition is the most recent. To order your book go to   https://instacode.com/node.  Your Business Associate Contracts must contain the elements specified at 45 CFR 164.504(e), such as describing the permitted and required uses of PHI by the associate, and that they will not use or disclose the PHI for anything other than as required by law. Also, if there is a breech the covered entity must make the appropriate steps to cure the breech or end the violation it must be made clear how the issue will be resolved.


Who is a covered entity?  

The HIPPA Privacy Rule only applies to covered entities – Health Plans, Health Care Clearinghouses and certain health care providers.  

 Examples and Potential Business Associates:

(This is not a complete list – Examples only)

Who is not a business associate?

(This is not a complete list – Examples only)

 An External researcher

 FAQ’s from HHS.gov


Q. Is a physician or other provider considered to be a business associate of a health plan or other payer?

 A.  Generally, providers are not business associates of payers. 

Q. Is a software vendor a business associate of a covered entity?

A. YES; if your software vendor has access to the PHI, however you may chose to treat the covered entity as an employee, rather than a business associate. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/256.html

Q. Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?

A. No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/237.html


Q. Do physicians with hospital privileges have to enter into business associate contracts with the hospital?

A. No. https://www.hhs.gov/hipaa/for-professionals/faq/248/do-hospital-medical-staffs-have-to-enter-into-contracts/index.html


Q. Are accreditation organizations business associates of the covered entities they accredit?

A. YES. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/238.html


Q. Is a health insurance issuer or HMO who provides health insurance or health coverage to a group health plan a business associate of the group health plan?

A. NO http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/254.html


Q. When is a health care provider a business associate of another health care provider?

A. NO http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/240.html


Q. Is a business associate contract required for a covered entity to disclose protected health information to a researcher?

A. NO http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/239.html


For more information on Exceptions to the Business Associate Standard andother situations in which a business associate contract is NOT required check out these resources:




Who in the World are my Business Associates?. (2014, August 29). Find-A-Code Articles. Retrieved from https://www.findacode.com/articles/who-in-the-world-are-my-business-associates-1828.html

© InnoviHealth Systems Inc

Article Tags  (click on a tag to see related articles)

Publish this Article on your Website, Blog or Newsletter

This article is available for publishing on websites, blogs, and newsletters. The article must be published in its entirety - all links must be active. If you would like to publish this article, please contact us and let us know where you will be publishing it. The easiest way to get the text of the article is to highlight and copy. Or use your browser's "View Source" option to capture the HTML formatted code.

If you would like a specific article written on a medical coding and billing topic, please Contact Us.


innoviHealth Systems, Inc.
62 East 300 North
Spanish Fork, UT 84660
Phone: 801-770-4203 (9-5 Mountain)
free demo
request yours today
for any budget
sign IN
welcome back!

Thank you for choosing Find-A-Code, please Sign In to remove ads.