Am I a Business Associate and, if so, what does it mean for me?

You are a Business Associate if you receive PHI from a Covered Entity in order to provide services on behalf of the Covered Entity. Examples of Business Associates include an accounting firm whose services involve access to PHI, a consultant who provides quality assurance or other administrative services, or a person who provides transcription services.

Covered Entities are required to sign written Business Associate Agreements ("BAA"s) with all of their Business Associates. A BAA must meet all of the requirements for BAAs in HIPAA's Privacy Rule. Among other things, the BAA must describe the ways in which the Business Associate is permitted, or required, to use the PHI and prohibit other uses and disclosures. Business Associates are required to implement certain safeguards to prevent unauthorized use or disclosure of PHI. Business Associates are also responsible for notifying the Covered Entity of any breach of PHI so that the Covered Entity may notify any affected individuals.

Under the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), Business Associates may be directly liable for violations of HIPAA.