Business Associate
A Business Associate is an individual or entity that performs functions, activities, or services for a covered entity involving the use or disclosure of protected health information (PHI). Business Associates are not part of the covered entity's workforce and must comply with specific security and privacy obligations under applicable regulations.
Regulatory Definitions
- HIPAA Privacy Rule (45 CFR §160.103): A person who, on behalf of a covered entity or another business associate, but other than in the capacity of a member of the workforce of such covered entity or business associate, uses or receives protected health information to perform functions, activities, or services related to the covered entity's healthcare operations. Examples include billing services, claims processing, data analysis, and legal services.
- HIPAA Security Rule (45 CFR §164.103): The same definition applies; business associates must implement safeguards required by the Security Rule, including administrative, physical, and technical safeguards.
- HIPAA Breach Notification Rule (45 CFR §164.400): Business Associates must notify covered entities of breaches of unsecured PHI and comply with breach notification requirements under 45 CFR §164.410.