Question: We recently hired a cloud storage outsourcing company for our medical records, and our administrator said we need to have them sign privacy agreements due to their status as a business associate. How can we determine whether a company is a business associate or not? Codify Subscriber Answer: The HIPAA Privacy Rule clearly outlines what data covered entities (CEs) must protect when it comes to patient data – and your practice counts as a “covered entity.” However, most practitioners rely on business associates (BAs) to successfully address administrative responsibilities involving patients, and the compliance of those vendors is essential for you to stay out of hot water. Make sure your practice remains HIPAA-compliant in business by knowing what protected health information (PHI) can be disclosed, and to whom, and when. “A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity,” says the HHS Office for Civil Rights (OCR). “A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.” Tip: Those who may have access to PHI include not only attorneys and accountants, but also computer and medical hardware repair businesses, her software vendors, off-site billing and coding companies, physical security providers, and cleaning crews who might have access to your documentation or patients. Most practices almost definitely work with at least one BA — but probably utilize many others, too. Here are some examples, as outlined by the OCR: