If you are a health plan, health care clearinghouse, or health care provider, you are a HIPAA Covered Entity (CE). If health plans or health care providers use the services of other persons or businesses, known as business associates (BAs), to carry out health care activities and functions, the HIPAA Privacy Rule allows CEs to disclose protected health information (PHI) to these BAs if:
- The CE obtains satisfactory assurance from the BA that the PHI will only be used for the purposes for which the CE engaged the BA.
- Satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the CE and the BA (a BA Agreement).
- The BA will safeguard the PHI from misuse.
- The BA will assist the CE in complying with its duties under the Privacy Rule.
- The CE may not disclose PHI to a BA for the BA’s independent use or purposes, except as needed for the proper management and administration of the BA.
The April 2014 Key Notes of Health Care Compliance will review Business Associate Agreements and provide samples that comply with the HIPAA Omnibus Rule.