A Business Associate is a person or entity who, on behalf of a HIPAA Covered Entity, or Hybrid Covered Entity like UA, performs or assists in the performance of a function or activity or provides support services, while not a member of the workforce, to the Covered Entity involving the use or disclosure of individually identifiable health information.
Some Business Associate functions or activities that may be performed on behalf of a Covered Entity/Hybrid Covered Entity include:
-
-
data processing
-
data analysis
-
utilization review
-
billing
-
cloud storage vendor services
-
transcription services
-
legal services
-
data aggregation
-
administrative functions
-
financial services
-
management services
-
consulting services
-
accounting services
-
legal services
-
actuarial services
-
accreditation services
-
An individual or organization is only considered a Business Associate if they perform a function or service on behalf of the Covered Entity/Hybrid Covered Entity (such as UA) and handle or are expected to Protected Health Information (PHI) as a part of the job function or service they perform/provide on behalf of the Covered Entity/Hybrid Covered Entity.
In some cases, UA may serve as a Business Associate of another Covered Entity if UA is performing services, functions or activities on behalf of the other Covered Entity and handling PHI as part of the services performed. When UA is acting in its capacity as a Business Associate and will be disclosing any of the Covered Entity’s PHI to a third party, a Subcontractor, to perform any of its services—UA is required to enter into Business Associate Agreement with any downstream Subcontractor that will have access to the Covered Entity’s PHI.