When is a Vendor of a Covered Entity Not a Business Associate?

Modified on Fri, 8 Aug at 9:53 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

A business associate of a covered entity is a type of vendor that creates, maintains, receives, and/or transmits PHI for the covered entity or on the covered entity's behalf. Not all vendors (entities that perform services for covered entities) are business associates of those covered entities. This article provides examples of vendors that are not business associates.


What Types of Vendors are Not Business Associates?

Generally, a vendor of a covered entity is not a business associate if it does not receive, use, disclose, or maintain PHI for or on behalf of the covered entity in the course of performing specific services.

Examples of vendors of covered entities that are not business associates include:

1. A cleaning service with access to staff offices, medical record rooms, or other areas in which PHI may exist. 
2. A consultant who is granted limited access to quality, compliance, or other internal reports which include only aggregate information.
3. Employees or members of a healthcare provider's workforce, including volunteers or others over whom the healthcare provider has control.
4. Another healthcare provider, while rendering treatment.
5. People who do not work with PHI as part of their job duties even though they may periodically see PHI (e.g., landlords).
6. Entities that are mere conduits for PHI. A conduit is an entity that is not creating, receiving, maintaining, and/or transmitting PHI, and that does not require access on a routine basis to the PHI it transmits. An example of a conduit is the United States Postal Service. Another example is a telecommunication service provider (TSP) that does not create, receive, transmit, or maintain PHI on behalf of a covered entity, and that does not require access on a routine basis to the PHI it transmits during a call.

7. Entities acting on their own behalf, and not on behalf of the covered entity (examples include payers, credit card companies, and other financial institutions).
8. Government agencies performing their required functions (e.g., police, courts).

