Who are Business Associates?
"Business associate" is a term used in both the Privacy and Security Rules. A business associate is a person or entity, other than a member of the workforce, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access to PHI. A business associate may be a subcontractor who creates, receives, maintains, or transmits PHI on behalf of another business associate.
A business associate is directly liable under HIPAA rules and subject to civil and, in some cases, criminal penalties for using and disclosing protected health information in ways that are not authorized by its agreement or required by law. If a provider, plan, or other entity shares PHI with an attorney, billing agent, or other person, it needs to execute a Business Associate Agreement (BAA) to cover the PHI.