Business Associates are generally defined under HIPAA as third parties who create, receive, maintain or transmit "protected health information" (PHI) on behalf of a health care provider or health plan, or who provide other services that involve the use or disclosure of PHI. Business Associates typically include claims processors, billing services providers, legal and accounting firms, and technology providers.
Business Associates must handle PHI appropriately, and are specifically subject to the Security Rules under HIPAA. Business Associates are also subject to enforcement action by government oversight agencies if they fail to comply with the Security Rules.
Business Associates of the University are required to enter into a Business Associate Agreement, which outlines the responsibilities of the Business Associate with respect to handling PHI. The University's standard form Business Associate Agreement is available in the University's Contracts Library. If you believe you have a vendor who meets the definition of a Business Associate, you should ask the vendor to sign the University's Business Associate Agreement.
At times the University may act as a Business Associate for another health care provider or health plan. In that case the University may have to sign a Business Associate Agreement provided by the health care provider or health plan. Contact the Health Information Privacy & Compliance Office if you have questions about these types of relationships and for review of another party's Business Associate Agreement.