A business associate is any person or entity that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. Under the HITECH Act (2009), business associates are directly liable for HIPAA compliance and subject to enforcement actions and penalties.

What Is a Business Associate?

Common examples of business associates include:

  • Cloud service providers hosting ePHI (e.g., EHR vendors, data centres)
  • Billing and claims processing companies
  • Managed IT service providers with access to ePHI
  • Consultants performing utilisation review or quality assurance
  • Attorneys, accountants, and actuaries whose services involve PHI access
  • Health Information Exchanges (HIEs)
  • Shredding and document destruction companies

Business Associate Agreements (BAAs)

A covered entity must have a written Business Associate Agreement (45 CFR 164.502(e) and 164.504(e)) with each business associate. The BAA must include:

  • Permitted and required uses and disclosures of PHI
  • Prohibition against further use or disclosure except as permitted
  • Requirement to implement appropriate safeguards
  • Requirement to report breaches of unsecured PHI
  • Requirement that subcontractors agree to the same restrictions
  • Making PHI available to the covered entity so it can satisfy individuals' right of access
  • Making PHI available for amendment, and incorporating amendments the covered entity agrees to
  • Providing the information needed for an accounting of disclosures
  • Making internal practices, books, and records available to HHS for compliance investigation
  • Return or destruction of PHI upon termination, where feasible
  • Authorisation for the covered entity to terminate the agreement if the BA violates a material term

Tracking BAAs in Venvera

For each business associate, record:

  • Organisation Name — Name of the business associate entity
  • Contact Information — Primary contact, phone, email
  • Services Provided — Description of the function or service involving PHI
  • PHI Categories Accessed — Link to PHI Inventory items the BA can access
  • BAA Status — Draft, Under Review, Executed, Expired, Terminated
  • BAA Execution Date — Date the agreement was signed
  • BAA Expiration/Renewal Date — When the agreement is due for renewal
  • Subcontractors — Whether the BA uses subcontractors with PHI access
  • Last Review Date — When the BA relationship was last reviewed
  • Risk Rating — Assessed risk level based on PHI volume, sensitivity, and access type

Subcontractor Requirements

Under the HITECH Act and the Omnibus Rule, business associates must:

  • Enter into BAAs with their own subcontractors who handle PHI
  • Ensure subcontractors implement appropriate safeguards
  • Be liable for the acts of their subcontractors, just as covered entities are liable for the acts of their BAs

Venvera allows you to document the subcontractor chain for each BA, tracking whether downstream BAAs are in place.

Breach Notification for Business Associates

Business associates must report a breach of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovering the breach (45 CFR 164.410). Track BA-reported breaches in the Breach Notification module and link them to the relevant business associate record.
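As an added illustration (not Venvera's code; the record model and sample BAs below are constructed), the checks a tracker built on the fields above would run: flagging BAs and downstream subcontractors that lack an executed, unexpired BAA, and computing the outer 60-day reporting deadline for a BA-discovered breach:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed, simplified model of the BA record fields listed above
# (hypothetical; not Venvera's schema). Only the fields needed for the
# checks are included.
@dataclass
class BusinessAssociate:
    name: str
    baa_status: str  # Draft, Under Review, Executed, Expired, Terminated
    baa_expiration: Optional[date] = None
    subcontractors: List["BusinessAssociate"] = field(default_factory=list)

BREACH_REPORT_WINDOW = timedelta(days=60)  # outer limit under 45 CFR 164.410

def breach_report_deadline(discovered: date) -> date:
    """Latest date a BA may report a breach of unsecured PHI to the covered entity."""
    return discovered + BREACH_REPORT_WINDOW

def baa_gaps(ba: BusinessAssociate, today: date, chain: str = "") -> List[str]:
    """Walk a BA and its subcontractor chain; return one finding per BAA gap."""
    path = f"{chain} -> {ba.name}" if chain else ba.name
    findings = []
    if ba.baa_status != "Executed":
        findings.append(f"{path}: no executed BAA (status={ba.baa_status})")
    elif ba.baa_expiration is not None and ba.baa_expiration < today:
        findings.append(f"{path}: BAA expired on {ba.baa_expiration.isoformat()}")
    for sub in ba.subcontractors:  # downstream BAAs must exist too
        findings.extend(baa_gaps(sub, today, path))
    return findings

# Constructed sample chain: a hosting vendor with an executed BAA that uses a
# backup subcontractor (BAA still in draft) and a shredding subcontractor
# whose BAA has lapsed.
SAMPLE_TODAY = date(2025, 3, 1)
SAMPLE_BA = BusinessAssociate(
    name="Example Hosting Co", baa_status="Executed", baa_expiration=date(2026, 1, 31),
    subcontractors=[
        BusinessAssociate("Example Backup Ltd", "Draft"),
        BusinessAssociate("Example Shredding Inc", "Executed", date(2024, 6, 30)),
    ],
)

if __name__ == "__main__":
    for finding in baa_gaps(SAMPLE_BA, SAMPLE_TODAY):
        print(finding)
    print("report by:", breach_report_deadline(SAMPLE_TODAY))
```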