
Business Associates

Who are Business Associates
Business Associate Contracts
Requirements for Business Associates
Limited Data Set Usage
Responsibilities of Covered Entities
Statutory Authority of HIPAA

Who are Business Associates

Are accreditation organizations business associates of the covered entities they accredit?

Are the following entities considered "business associates" under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?

Is a health insurance issuer or HMO who provides health insurance or health coverage to a group health plan a business associate of the group health plan?

Is a physician or other provider considered to be a business associate of a health plan or other payer?

Is a reinsurer a business associate of a health plan?

Is a software vendor a business associate of a covered entity?

When a covered entity, such as a doctor, uses a certified Telecommunications Relay Service to contact patients with hearing or speech impairments, is the Relay Service a business associate of the doctor?


When is a health care provider a business associate of another health care provider?


Business Associate Contracts

Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?

Is a business associate contract required for a covered entity to disclose protected health information to a researcher?

What are a covered entity's obligations under the HIPAA Privacy Rule with respect to protected health information held by a business associate during the contract transition period?

Are covered entities that engage in joint activities under an organized health care arrangement (OHCA) required to have business associate contracts with each other?

Is a business associate contract required with organizations or persons where inadvertent contact with protected health information may result - such as in the case of janitorial services?

Is a physician required to have business associate contracts with technicians such as plumbers, electricians or photocopy machine repairmen who provide repair services in a physician's office?

I have an existing contract with a business associate that will renew automatically before April 14, 2003. Does this automatic renewal mean I have to modify the contract by April 14, 2003, to make it compliant with the HIPAA Privacy Rule's business associate contract provisions or can I still take advantage of the transition period?

Would business associate contracts in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule's business associate contract requirements?

Do physicians with hospital privileges have to enter into business associate contracts with the hospital?

Requirements for Business Associates

Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?


Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

Limited Data Set Usage

Under the HIPAA Privacy Rule, may a covered entity contract with a business associate to create a limited data set the same way it can use a business associate to create de-identified data?

I want to hire the intended recipient of a limited data set to also create the limited data set as my business associate. Can I combine the data and use agreement and business associate contract?

May a covered entity hire a business associate to create a limited data set, and may the public health authority be a business associate for that purpose, even if the public health authority is also the intended recipient of the limited data set?

Responsibilities of Covered Entities

Is a covered entity liable for, or required to monitor, the actions of its business associates?

May a covered entity share protected health information directly with another covered entity's business associate?

Must a covered health care provider obtain an individual’s authorization to use or disclose protected health information to an interpreter?

When may a covered health care provider disclose protected health information, without an authorization or business associate agreement, to a medical device company representative?

Statutory Authority of HIPAA

Has the Secretary exceeded the HIPAA statutory authority by requiring "satisfactory assurances" for disclosures to business associates?

Has the Secretary exceeded the HIPAA statutory authority by requiring "business associates" to comply with the Privacy Rule, even if that requirement is through a contract?


Were there Privacy Rule compliance deadlines in 2004?