This is archived HHS content.
U.S. Department of Health & Human Services
Business Associates
What were the major modifications to the HIPAA Privacy Rule that the Department of Health and Human Services (HHS) adopted in August 2002?
Has the Secretary exceeded the HIPAA statutory authority by requiring "satisfactory assurances" for disclosures to business associates?
Is a covered entity liable for, or required to monitor, the actions of its business associates?
Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
Are accreditation organizations business associates of the covered entities they accredit?
Is a business associate contract required for a covered entity to disclose protected health information to a researcher?
When is a health care provider a business associate of another health care provider?
May a covered entity share protected health information directly with another covered entity's business associate?
Are covered entities that engage in joint activities under an organized health care arrangement (OHCA) required to have business associate contracts with each other?
Is a business associate contract required with organizations or persons where inadvertent contact with protected health information may result - such as in the case of janitorial services?
Are the following entities considered "business associates" under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?
Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?
Would business associate contracts in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule's business associate contract requirements?
Do physicians with hospital privileges have to enter into business associate contracts with the hospital?
Under the HIPAA Privacy Rule, may a covered entity contract with a business associate to create a limited data set the same way it can use a business associate to create de-identified data?
I want to hire the intended recipient of a limited data set to also create the limited data set as my business associate. Can I combine the data use agreement and business associate contract?
If the only protected health information a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and data use agreement with the business associate?
Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary?
Is a physician or other provider considered to be a business associate of a health plan or other payer?
Is a health insurance issuer or HMO who provides health insurance or health coverage to a group health plan a business associate of the group health plan?
Is a reinsurer a business associate of a health plan?
Is a software vendor a business associate of a covered entity?
Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
May a covered entity hire a business associate to create a limited data set, and may the public health authority be a business associate for that purpose, even if the public health authority is also the intended recipient of the limited data set?
When may a covered health care provider disclose protected health information, without an authorization or business associate agreement, to a medical device company representative?
Were there Privacy Rule compliance deadlines in 2004?
When a covered entity, such as a doctor, uses a certified Telecommunications Relay Service to contact patients with hearing or speech impairments, is the Relay Service a business associate of the doctor?
In providing legal services to a covered entity, must a lawyer who is a business associate require that those persons to whom it discloses protected health information agree to abide by the privacy restrictions and conditions that apply to the lawyer?
Must a covered health care provider obtain an individual’s authorization to use or disclose protected health information to an interpreter?
May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate for or on behalf of the covered entity?
May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
Which CSPs offer HIPAA-compliant cloud services?
What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?
Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?
Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?
Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
Do the HIPAA Rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates?
If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a business associate?