Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?


No. However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of protected health information and other actions are consistent with the covered entity's privacy policies, as stated in the covered entity's notice. Also, a covered entity may use a business associate to distribute its notice to individuals.

Date Created: 02/17/2003
Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013