Know HIPAA’s definition of business associates
[Editor’s note: This is a periodic column that will address specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Hospital Home Health, American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: firstname.lastname@example.org.]
Question: What is a business associate under the HIPAA privacy rule?
Answer: In essence, it is someone who is not a part of your work force, who provides services to you (not to your patients), and who needs individually identifiable health information to provide those services, says John C. Gilliland II, an Indianapolis-based attorney. The complete detailed definition is in the privacy rule.
Question: What are some examples of business associates?
Answer: A business associate is anyone who needs individually identifiable health information to perform his or her services for you, says Gilliland. Examples include: computer software vendors, consultants, accreditation organizations, attorneys, accountants, answering services, and billing companies.
Question: What about our referral sources or providers to whom we refer?
Answer: A referral source or provider to whom you refer is not a business associate. Business associates do not include health care providers to whom a provider discloses information about an individual for treatment of the individual, he says.
Question: What about our cleaning staff?
Answer: No. They generally are not your business associates because they do not need individually identifiable health information to perform the cleaning services for you, Gilliland explains.
Question: So what’s the significance of someone being a business associate?
Answer: If someone is your business associate, it is OK for him or her to have access to individually identifiable information, provided you have a written contract, or other form of written arrangement, with them that contains at least the provisions required by the privacy rule, he says.
Question: What does the privacy rule require to be in the contract?
Answer: Quite a few things, Gilliland says:
If both the health care provider and the business associate are governmental entities, the privacy rule contains different provisions for the arrangement than what is stated above, Gilliland says.
Exceptions also exist if the business associate is required by law to perform the functions involved, he adds. Sample business associate contract language can be downloaded from the HHS Office of Civil Rights web site at www.hhs.gov.
Question: When do we have to have these contracts in place?
Answer: With one exception, arrangements with business associates must be in writing and contain the HIPAA-required provisions by April 14, 2003. The exception involves a transition period with respect to a written business associate agreement that:
1. was in existence prior to Oct. 15, 2002;
2. is not renewed or modified from Oct. 15, 2002 until April 14, 2003.
The exception includes contracts that renew automatically without any change in terms or other action by the parties. It is not available for oral contracts. If the contract with the business associate meets these requirements, it is deemed to be in compliance with HIPAA until the earlier of:
1. the time the contract is renewed or modified after April 14, 2003;
2. April 14, 2004.
In other words, if the exception applies, you gain up to an additional year to enter into a new, HIPAA-compliant contract with that business associate.
[For more information on HIPAA privacy, contact:
• John C. Gilliland II, Attorney at Law, Gilliland & Caudill, LLP, 6650 Telecom Drive, Suite 100, Indianapolis, IN 46278. Telephone and fax: (317) 616-3647. E-mail:
is the author of HIPAA Privacy Compliance Resource Manual. For more information about the manual, go to: www.gilliland.com.]