When considering a HIPAA business associate agreement, the first step is to determine if such an agreement is necessary. Along with the examples listed below, a provider must answer the following questions in making the determination.
When Is a HIPAA Business Associate Agreement Required?
- Does the person or organization perform a function on your behalf that requires the use or disclosure of PHI (protected health information)?
  - If the answer is no, this is not a business associate
  - If the answer is yes, continue with the next step
- Is the person or organization being considered a covered entity according to HIPAA?
  - If the answer is no, a HIPAA business associate agreement should be completed
  - If the answer is yes, go to the next step
- Does the individual or organization perform task(s) directly related to treatment?
  - If the answer is no, a HIPAA BAA should be completed
  - If the answer is yes, this is not a business associate
For further clarification, the lists below give examples of who or what is considered a HIPAA business associate, and would therefore need the agreement with you, and of those who do not qualify.
Examples of HIPAA Business Associates
- Accreditation agencies
- Billing services
- Cleaning services
- Copying companies
- Data entry services
- Document management solutions providers
- Healthcare clearinghouses
- IT service providers
- Management companies/consultants
- Quality assurance providers
- Shredding companies
- Third-party administrators
- Transcription entities
- Utilization review entities
Examples of Entities that are not HIPAA Business Associates
- Board members
- Courier/delivery services
- Financial institutions that process consumer-conducted financial transactions which pay for healthcare services
- On-site volunteers
- Professional staff
- Providers that are considered part of an Organized Healthcare Arrangement with your organization
Need a HIPAA BAA Template?
If it is determined that the entity you are dealing with requires a HIPAA business associate agreement, download a BAA template here to use as a guide. This is what we and our parent company use. All identifying information has been removed. You can edit as necessary for each instance where a HIPAA business associate agreement is required.