If you are a health plan, health care clearinghouse, or health care provider, you are a HIPAA Covered Entity (CE). If health plans or health care providers use the services of other persons or businesses, known as business associates (BAs), to carry out health care activities and functions, the HIPAA Privacy Rule allows CEs to disclose protected health information (PHI) to these BAs if:
- The CE obtains satisfactory assurance from the BA that the PHI will be used only for the purposes for which the CE engaged the BA.
- Satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the CE and the BA (a BA Agreement).
- The BA will safeguard the PHI from misuse.
- The BA will assist the CE in complying with duties under the Privacy Rule.
- The CE may not disclose PHI to a BA for the BA's independent use or purposes, except as needed for the proper management and administration of the BA.