When is a Business Associate Agreement or Contract Generally NOT Required?

Modified on Mon, 11 Dec, 2023 at 4:00 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Privacy Rule includes certain exceptions to the business associate standard. In these situations, a covered entity is not required to have a business associate agreement or other written agreement in place before protected health information may be disclosed to the person or entity:

  • Disclosures by a covered entity to a health care provider for treatment of the individual. For example:
    • A hospital is not required to have a business associate agreement with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
    • A physician is not required to have a business associate agreement with a laboratory as a condition of disclosing protected health information for the treatment of an individual.
    • A hospital laboratory is not required to have a business associate agreement to disclose protected health information to a reference laboratory for treatment of the individual.
  • Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or health maintenance organization (HMO) that provides the health insurance benefits or coverage for the group health plan, provided that the group health plan’s documents have been amended to limit the disclosures or one of the exceptions at 45 CFR 164.504(f) has been met.
  • The collection and sharing of protected health information (PHI) by a health plan that is a public benefits program, such as Medicare, and an agency other than the agency administering the health plan, such as the Social Security Administration (SSA), that collects protected health information to determine eligibility or enrollment, or determines eligibility or enrollment, for the government program, where the joint activities are authorized by law.

Other Situations in Which a Business Associate Agreement Is NOT Required

  • When a health care provider discloses protected health information to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan’s network. A provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the “business associate” of the other.  
  • With persons or organizations (e.g., janitorial services or electricians) whose job functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. 
  • With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents. The conduit exception is narrow: it covers transmission services (including any temporary storage that is incidental to the transmission) and does not extend to an entity that maintains PHI on a persistent basis, such as a data storage provider, even if that entity never views the PHI.
  • Among covered entities who participate in an organized health care arrangement (OHCA) to make disclosures that relate to the joint health care activities of the OHCA. 
  • Where a group health plan purchases insurance from a health insurance issuer or HMO. The relationship between the group health plan and the health insurance issuer or HMO is defined by the Privacy Rule as an OHCA, with respect to the individuals they jointly serve or have served. Therefore, these covered entities are permitted to share protected health information that relates to the joint health care activities of the OHCA. 
  • Where one covered entity purchases a health plan product or other insurance, for example, reinsurance, from an insurer. Each entity is acting on its own behalf when the covered entity purchases the insurance benefits, and when the covered entity submits a claim to the insurer and the insurer pays the claim. 
  • To disclose protected health information to a researcher for research purposes, either with patient authorization, pursuant to a waiver under 45 CFR 164.512(i), or as a limited data set pursuant to 45 CFR 164.514(e). Because the researcher is not conducting a function or activity regulated by the Administrative Simplification Rules, such as payment or health care operations, or providing one of the services listed in the definition of “business associate” at 45 CFR 160.103, the researcher is not a business associate of the covered entity, and no business associate agreement is required. 
  • When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities (and only these activities), the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity. Note that a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider or sending invoices to a client on the provider’s behalf.
