• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a business associate?


No. A CSP is not a business associate if it receives and maintains (e.g., to process and/or store) only information de-identified following the processes required by the Privacy Rule.  The Privacy Rule does not restrict the use or disclosure of de-identified information, nor does the Security Rule require that safeguards be applied to de-identified information, as the information is not considered protected health information. See the OCR guidance on de-identification for more information.[1]


Content created by Office for Civil Rights (OCR)
Content last reviewed on October 6, 2016