What is a Business Associate, and why does a Business Associate Agreement matter?

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, that performs functions or activities on behalf of, or provides certain services to, a covered entity, where those functions or services involve access by the business associate to protected health information (PHI). A “business associate” is also a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into written contracts (Business Associate Agreements) with their business associates to ensure that the business associates will appropriately safeguard PHI.

Examples of Business Associates
  • A third-party administrator that assists a health plan with claims processing. 
  • A CPA firm whose accounting services to a health care provider involve access to protected health information. 
  • An attorney whose legal services to a health plan involve access to protected health information. 
  • A consultant that performs utilization reviews for a hospital. 
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer. 
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network. 
  • A cloud service provider (CSP) that stores ePHI on behalf of a covered entity or business associate. Per HHS guidance, the CSP is a business associate even if it stores only encrypted ePHI and does not hold the decryption key, because it still maintains the ePHI and is responsible for its availability and for the safeguards around its systems.

Signing a Business Associate Agreement is only the first step. Under the Omnibus Rule, effective March 26, 2013, a covered entity must obtain satisfactory assurances that its Business Associate will comply with the applicable HIPAA requirements, and the Business Associate in turn must obtain the same assurances from any subcontractor that creates, receives, maintains, or transmits PHI on its behalf. The law requires a written Business Associate Agreement, and that agreement is how the covered entity documents those assurances.

The Business Associate Attestation Form must be completed annually to provide these assurances. The form concerns the Business Associate's own compliance, not your training and policies. Treat the attestation as an affidavit in which the Business Associate confirms that it has met the obligations in its contract. Under the Omnibus Rule, Business Associates are directly liable for compliance with the HIPAA Security Rule and with the Privacy Rule provisions that apply to them, so they must meet the same core requirements you do, including the risk assessment, workforce training, written policies and procedures, and everything else we cover in this compliance program.


For questions or concerns, contact us via the following:
  • Chatbox/window on your Complete Compliance Suite screen.
  • Telephone: 877-560-4261
  • Email: support@epicompliance.com