Know About Business Associate Compliance

Due to the increasing emphasis on HIPAA privacy regarding Protected Health Information (PHI), Covered Entities are pressured to confirm that vendors or contractors requiring access to health records use the information responsibly. These vendors or contractors are called “Business Associates,” and many companies and vendors fall into this category. However, most people are unsure of who or what is considered a Business Associate when accessing medical records.

Types of Business Associates

Some of the most common Business Associates include medical claims processing services, utilization review consultants, medical transcriptionist services, independent contractors, and attorneys or Certified Public Accountants who are providing litigation services. All of these businesses or organizations, regardless of why they need access to the records, are held to very strict HIPAA privacy guidelines that must be adhered to whenever a patient’s record is accessed. Otherwise, they are in violation of the HIPAA Privacy Act and can be subject to financial penalties or litigation.

Non-Business Associates

There are also individuals and organizations that are typically considered non-Business Associates. These can include delivery services such as the United States Postal Service or private delivery companies such as United Parcel Service, both of which are considered only conduits for data. Other examples include physicians working with a health plan, in which both are considered Covered Entities and assume responsibility independently of one another, and telecommunications relay services for hearing-impaired patients, which act merely to facilitate doctor-patient communication.

While these are examples of what is considered a Business Associate and what is not, circumstances can occur that may alter the relationship one way or another. Regardless of the circumstances, an organization’s liability in the event of a data breach does not stop at the walls of its own facility. Instead, it is each organization’s responsibility to safeguard the security of patients’ PHI as much as possible. Otherwise, serious lapses in security may occur, and the integrity of the facility and its Business Associate relationships may be questioned.
