Inside TDV - The Data Vault Blog

HIPAA Q & A for Business Associates

Business Associates are responsible for the privacy, confidentiality, security, and integrity of Protected Health Information (PHI) under the HIPAA Privacy and Security Rules. My recent experience conducting HIPAA training for Business Associates at The Data Vault led to a few questions that required a double-check. The answers are posted here for training attendees and all business associates looking for answers about HIPAA compliance:

Is the Post Office (or UPS or other conduit for PHI) considered a Business Associate under HIPAA?

No. According to a HIPAA FAQ replylast updated 3/14/2006, Health & Human Services maintains:

The Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal

Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information.

The response goes on to define conduit as an entity that transports but does not generally access protected health information. If day-to-day operations and services provided to the covered entity involve exposure to PHI, such as occurs in handling records for imaging or responding to file requests, then the service provider is a business associate, not a conduit.

What is the relationship of a covered entity to the subcontractors of its business associates?

Again, HHS provides an answer. This time in the form of the Sample Business Associate Contract Provisions, revised June 12, 2006. “Obligations and Activities of Business Associate” provisions include the following:

Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

Subcontractors of business associates also are included in the “Effect of Termination” provision that PHI be either destroyed or returned to the covered entity upon termination of the business associate agreement. In addition to the HHS sample provisions, PRISM International offers its members an agreement template, which was updated in 2010. Member loginis required to view the PRISM template.

What are the notification requirements and related decision points for Business Associates under the HITECH Act?

The HITECH Act (2009), which is part of the larger Recovery Act (ARRA 2009), increased HIPAA responsibilities and penalties all around. Changes for business associates include additional implication in the breach notification requirements. Whereas business associates have always been responsible for notifying covered entities of breaches, HITECH indicates that notification requirements of business associates extend also to protected individuals.

In any case, the first response to a potential breach is to report it to an appropriate team leader and/or the HIPAA Privacy/Security Official in your organization. If you are responsible for notifications under HIPAA, there are resources to help puzzle out the appropriate response. Most notable is the latest offering from the publishers of the HIPAA/HITECH Survival Guide Website (an excellent resource in itself): The HIPAA Breach Notification Framework, which is packaged for sale and includes the 12 Point Notification Flowcharts.

External Resources


HHS, Sample Business Associate Contract Provisions

3Lions Publishing, Inc., HIPAA Breach Notification Framework

3Lions Publishing, Inc., The HIPAA/HITECH Survival Guide, which is an excellent resource.


Get Your Quote

  • This field is for validation purposes and should be left unchanged.