Are Accreditation Organizations Business Associates of the Covered Entities They Accredit?

Modified on Mon, 11 Dec, 2023 at 2:37 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Per HHS, yes. The HIPAA Privacy Rule explicitly defines organizations that accredit covered entities as business associates. See the definition of “business associate” at 45 CFR 160.103.

Like other business associates, accreditation organizations provide a service to the covered entity which requires the sharing of protected health information. Accreditation organizations may include those listed here, among others. 

As business associates of covered entities, accreditation organizations must generally enter into business associate agreements with the covered entities with which they share PHI. As an alternative to the business associate agreement or contract, covered entities may disclose a limited data set of protected health information, not including direct identifiers, to an accreditation organization, subject to a data use agreement. See 45 CFR 164.514(e).

If only a limited data set of protected health information is disclosed, the satisfactory assurances required of the business associate are satisfied by the data use agreement.
