DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses the difference between a business associate (BA) and a business associate subcontractor (BA subcontractor or vendors).
What is the Relationship Between Business Associates and Business Associate Subcontractors?
HIPAA requires that business associates of covered entities enter into business associate agreements with those covered entities. To be a business associate (sometimes called "business associate vendor") of a covered entity, an entity must perform one or more of the following activities for the covered entity: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; or repricing. Additional business associate activities include providing these services: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial services.
For an entity performing one of these services to qualify as a business associate, these above-listed services must involve the creation, transmission, maintenance, and/or receipt of PHI by the business associate, for or on behalf of the covered entity.
In many situations, the BA (let's call the BA "BA 1") hires another business associate (let's call this BA "BA 2") to perform work for BA 1, involving the same PHI that is created, maintained, transmitted, and/or received by BA1 on behalf of a covered entity.
The name of the entity that the BA hires is called a business associate subcontractor.
Here is an example that illustrates the difference between a covered entity, a BA vendor, and a BA subcontractor/BA subcontractor vendor:
A covered entity hires a billing firm to prepare its bills. This requires access to PHI. The billing form is therefore a BA vendor of the CE.
The billing company (BA) hires a cloud storage provider to store the billing PHI in the cloud. The cloud storage provider, who is accessing PHI the BA vendor gives to it, is a BA subcontractor. The BA subcontractor does not have a direct contract relationship with the covered entity. However, it does have one with the BA vendor. The BA subcontractor creates, maintains, receives, and/or transmits PHI on behalf of the BA vendor. Therefore, the business associate and business associate subcontractor must enter into a business associate agreement, in addition to the covered entity and business associate (BA 1) having to enter into one.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article