Question: Could you please explain how HIPAA defines a company as a “business associate” or not?

Hawaii Subscriber

Answer: The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule clearly outlines what data covered entities (CEs) must protect when it comes to patients’ data. However, most physicians rely on business associates (BAs) to successfully address administrative responsibilities involving patients, and the compliance of those vendors is essential for you to stay out of hot water. To make sure your practice remains HIPAA-compliant, you must know what protected health information (PHI) can be disclosed, to whom, and when.

“A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity,” says the HHS Office for Civil Rights (OCR). “A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.”

Tip: Those who may have access to PHI include not only attorneys and accountants, but also computer and medical hardware repair businesses, EHR software vendors, off-site billing and coding companies, physical security providers, and cleaning crews who might have access to your documentation or patients.

Here are some examples of BAs, as outlined by the OCR: