Can a health information organization (HIO) operate as a business associate of multiple covered entities participating in a networked environment?

Yes. A HIO can operate as a business associate of multiple covered entities participating in a networked environment. The HIPAA Privacy Rule does not prohibit an entity from acting as a business associate of multiple covered entities and performing functions or activities that involve access to protected health information for the collective benefit of the covered entities. In addition, the Privacy Rule would not require separate business associate agreements between each of the covered entities and the business associate. Rather, the Privacy Rule would permit the covered entities participating in a networked environment and the HIO to operate under a single business associate agreement that was executed by all participating covered entities and the common business associate.


Created 12/15/08