A “business associate” is a person or entity that uses a covered entity’s protected health information (PHI) to perform some service for that covered entity. “Covered entities” are defined by the Health Insurance Portability and Accountability Act (HIPAA) rule as: health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards. The keys are that the service involves PHI; that the PHI is used for the benefit of the covered entity (rather than for the benefit of the physician or the patient); and that the PHI is the covered entity’s, not the physician’s.
The following examples help illustrate these points:
- When a physician acts as the medical director of a hospital department, the physician typically uses the hospital’s PHI to perform that service, and would therefore be a business associate.
- When a physician treats a patient in the hospital, the physician is using the hospital’s PHI to treat the patient (not for the hospital’s benefit), and would therefore not be a business associate. Medical staff membership alone doesn’t make a physician a business associate of the hospital.
- When a physician serves on the hospital’s strategic planning committee, those services typically don’t involve PHI and the physician would therefore not be a business associate.
The most common exceptions to the business associate definition involve employment and treatment. In other words, the medical director described above would not be a business associate if he or she was an employee of the hospital. The second example bulleted in the list above illustrates the treatment exception.
So what does it mean to be a business associate? For a physician, it’s typically not a big issue since the HIPAA requirements for business associates are actually a subset of the privacy and security rules that he or she already has to comply with. A physician generally need only sign a business associate agreement and use, disclose and protect the covered entity’s PHI according to the physician’s HIPAA privacy and security compliance program.