IDENTIFY YOUR BUSINESS ASSOCIATES
Guidance to Covered Entities

 

The HIPAA Privacy regulation allows you to share patient information with your Business Associates in order to conduct health care operations, but only if you have a Business Associate contract with them. The regulation defines Business Associates as persons outside of your workforce who:

  • On your behalf, perform or assist in the performance of a function or activity involving the use or disclosure of individually identifiable health information (e.g., claims processing, data analysis, quality assurance, billing, practice management); or
  • Provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services, where the service involves the disclosure of individually identifiable health information.

Some examples of your Business Associates may be:

  • Accountants
  • Attorneys
  • Billing companies
  • Clearinghouses
  • Consultants
  • Collection agencies
  • Transcription services
  • Data analysis or aggregation services
  • Information technology service providers
  • Temporary staffing agencies
  • Copy services
  • Document storage and destruction vendors
  • Professional liability insurers
  • Insurance agents and brokers

This list is not exhaustive. Think broadly when you are identifying your Business Associates.

The attached form will help you identify the Business Associates of your organization and document your relationship with them. Ask yourself:

  • Who are your Business Associates?
  • What function do they serve?
  • What information is disclosed to them?
  • Do you currently have some form of contract with them?
  • If so, when is the contract due to be renewed or renegotiated?

 

IDENTIFY YOUR BUSINESS ASSOCIATES
| Business Associate | Functions Served | Patient Info Disclosed | Current Contract? (Y/N) | Renewal Date |
|---|---|---|---|---|
| e.g., professional liability insurance carrier | Claim and incident investigation & defense; risk management; underwriting | Entire medical chart | Yes | Jan. 1, 2003 |
 

 

THIS DOCUMENT SHOULD BE CONSIDERED ONE EXAMPLE OF HOW AN ORGANIZATION CAN START. THIS DOCUMENT IS PROVIDED AS GENERAL GUIDANCE AND DOES NOT CONSTITUTE LEGAL ADVICE.
(Document provided to MIEC policyholders with permission from the
Physician Insurers Association of America)

 
