HIPAA Training,HIPAA regulations

Standards for Privacy of Individually Identifiable Health Information

Guidance issued July 6, 2001

Business Associates

[45 CFR §§ 160.103, 164.502(e), 164.514(e)]

Background

By law, the Privacy Rule applies only to health plans, health care clearinghouses, and certain health care providers. In today's health care system, however, most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. In allowing providers and plans to give protected health information (PHI) to these "business associates," the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will use the information only for the purposes for which they were engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with the covered entity's duties to provide individuals with access to health information about them and a history of certain disclosures (e.g., if the business associate maintains the only copy of information, it must promise to cooperate with the covered entity to provide individuals access to information upon request). PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions - not for independent use by the business associate.

What is a "business associate"?

  • A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI.
  • A business associate is not a member of the health care provider, health plan, or other covered entity's workforce.
  • A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.
  • The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital and physicians with admitting privileges at the hospital.