What is a Business Associate?

A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of your patients' PHI. A member of your workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of PHI.

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.


Examples of Business Associates:

• A third-party server and workstation administrator.

• A third-party network administrator.

• A third-party administrator that assists a health plan with claims processing.

• A CPA firm whose accounting services to a health care provider involve access to PHI.

• An attorney whose legal services to a health plan involve access to PHI.

• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

• An independent medical transcriptionist that provides transcription services to a physician.

• A pharmacy benefits manager that manages a health plan’s pharmacist network.
