DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
HIPAA requires that business associates of covered entities enter into business associate agreements with those covered entities. To be a business associate vendor ("vendor," as used here, is synonymous with "service provider") of a covered entity, an entity must perform one or more of the following activities for the covered entity: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; or repricing. Additional business associate activities include providing these services: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial services.
For an entity performing one of these services to qualify as a business associate (as opposed to a vendor that is NOT a business associate), the services listed above must involve the creation, transmission, maintenance, and/or receipt of PHI by the business associate, on behalf of the covered entity.
In many situations, the BA (BA1) hires another business associate (BA2) to perform work for the BA, involving the same PHI that is created, maintained, transmitted, and/or received by BA1. The entity that the BA hires is called a business associate subcontractor vendor. (Again, the word "vendor," as used here, is synonymous with "service provider.")
Here is an example that illustrates the difference between a covered entity, a BA vendor, and a BA subcontractor/BA subcontractor vendor:
A covered entity hires a billing firm to prepare its bills. This requires access to PHI. The billing firm is therefore a BA vendor of the CE.
The billing company (BA vendor) hires a cloud storage provider to store the billing PHI in the cloud. The cloud storage provider, who is accessing PHI the BA vendor gives to it, is a BA subcontractor vendor. It does not have a direct contract relationship with the covered entity. However, it does have one with the BA vendor. The BA subcontractor creates, maintains, receives, and/or transmits PHI on behalf of the BA vendor.