Vendor Management

Published May 10, 2016

Determining Who is a Business Associate

How to determine who is a business associate:

Definition of Business Associate: A Business Associate is a person or entity to which CAO discloses protected health information so that the person/entity can carry out, assist with the performance of, or perform a function or activity for CAO.

Protected Health Information (PHI): A patient's or participant's (in the case of research) health information that identifies the person or can be used to identify the person.


Business Associate Test

  1. Is CAO disclosing PHI?
  2. Does the recipient of the PHI provide a service to, for, or on behalf of CAO?

If the answer to both of the above questions is "yes", you may have a relationship that requires a business associate agreement.

Not Business Associates

  • CAO’s Workforce: Employees, faculty, residents, students
  • Health care workers and Providers providing treatment
  • Labs
  • Individuals or companies with very limited and incidental exposure to health information, such as telephone company, electrician, etc.
  • Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.

Potential Business Associates

  • Lawyers
  • External auditors or accountants
  • Professional translator services
  • Answering services
  • Consultants hired to conduct audits, perform coding reviews, etc.
  • Accreditation agencies
  • Shredding and/or documentation storage companies
  • Data processing firms or software companies that may be exposed to or use PHI.
  • Medical transcription services, even if you contract with an individual rather than a company.
  • Medical equipment service companies handling equipment that holds PHI.
  • E-prescribing Gateways
  • Health information organizations

Purpose of Business Associate Agreements
Any person or company that is a Business Associate will be required to sign a contract with special language mandated by the privacy rules. Business Associate agreements will assist CAO in protecting our patients' health information when it is released to someone outside our organization.  

Return to Newsletter