A business associate is any person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity. Previously, business associates’ HIPAA liability was indirect, by way of a contract known as a business associate agreement (BAA) with a covered entity to adhere to the HIPAA regulations. A BAA is still required, but business associates are now directly liable under parts of the HIPAA Privacy Rule and all of the Security Rule, including for:
- Impermissible uses and disclosures of PHI;
- Failure to notify a covered entity of a breach of PHI;
- Failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BA contract);
- Failure to disclose PHI when the Department of Health and Human Services (HHS) requires it for an investigation into a business associate’s compliance with HIPAA;
- Failure to provide an accounting of disclosures; and
- Failure to comply with the applicable requirements of the Security Rule.
Business associates remain contractually liable for other requirements of the BAA.