Dentons On Call

Making health law a little more accessible and a lot less daunting.

Ep. 29 – Do I need a HIPAA business associate agreement?

By Susan Freed
August 21, 2024
  • Podcast

One of the fundamental compliance requirements for healthcare providers is protecting the confidentiality and security of the patient health information you maintain. Most healthcare providers are subject to a federal law called the Health Insurance Portability and Accountability Act, commonly known as HIPAA, which established national standards for the confidentiality and security of protected health information maintained by covered entities.

Covered entities include healthcare providers who conduct covered transactions electronically, such as claims submissions. If your organization is subject to HIPAA, you may only use or disclose individually identifiable health information (often referred to as “protected health information” or “PHI”) without the patient’s written authorization if the disclosure is for one of the following purposes:

  • Treatment
  • Payment
  • Healthcare operations
  • Specifically required or authorized by law (such as abuse reporting)

This is where the business associate agreement comes in. If you are disclosing PHI to a third party for “health care operations,” that third party is considered a “business associate” and must sign a business associate agreement, agreeing to comply with HIPAA’s privacy and security requirements, as a condition of receiving the PHI. “Health care operations” are defined as certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. Information technology, legal, accounting, and consulting services are examples of “health care operations”; when a third party performs them for the covered entity and needs access to PHI to do so, that third party must sign a HIPAA business associate agreement.

Essentially, HIPAA requires covered entities to contractually bind third parties that provide services and access the entity’s PHI to comply with HIPAA. The covered entity itself can face HIPAA penalties if it does not sign and enforce a business associate agreement with these third parties. Here is where the confusion occurs: there are a number of exceptions to the business associate agreement requirement, so it is not always readily apparent when you need one.

For example, the business associate agreement requirement does not apply to third parties accessing a covered entity’s PHI solely for “treatment purposes.” If you contract with another healthcare provider to assist you in treating your patients and the only access the provider has to your PHI is for these treatment purposes, you do not need a business associate agreement with that provider. If, however, the other provider is also providing you with administrative services, such as medical director services, and requires PHI to perform those administrative services, a business associate agreement is required.

Ultimately it is the covered entity’s responsibility under HIPAA to ensure it has a signed business associate agreement with third parties that qualify as “business associates.” The covered entity can be penalized for failing to implement this requirement. For help determining who is a “business associate” requiring a business associate agreement, check out this week’s podcast!

Free Resource:

Ep 29 – HIPAA Business Associate Agreement Decision Tree (download)


About Susan Freed

Susan helps health care providers and health plans operate successfully in a challenging regulatory and reimbursement landscape. She approaches each client’s problems with practical solutions tailored to the individual client’s needs.



© 2025 Dentons
