A business associate performs services for a covered entity involving the use or disclosure of PHI. Before HITECH, business associates were bound only by contract; after HITECH, the HIPAA privacy and security rules apply directly to business associates, in addition to the required business associate agreement.
Business associates include cloud storage providers handling PHI and organizations performing services such as claims processing, data analysis, billing, legal, actuarial, accounting, consulting, and data aggregation. A business associate agreement (BAA) must be in writing (an electronic signature is allowed if it is valid under state law).
🔑 The HITECH shift
Before HITECH, business associates were bound only by their contracts. Under HITECH, the HIPAA privacy and security rules are codified and apply directly to business associates: they must implement reasonable safeguards in addition to signing a BAA.
Key terms - quick answers
What is “Business associate”?
Any person or organization, other than a covered entity's workforce member, that performs services for or on behalf of a covered entity involving the use or disclosure of PHI.
What is “Business associate agreement (BAA)”?
A written contract requiring a business associate to meet the privacy and security obligations applicable to the covered entity.