by Kim Stanger, Holland & Hart LLP
The HIPAA privacy rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity who “creates, receives, maintains or transmits” protected health information (“PHI”) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; malpractice insurers; etc.) (See 45 CFR 160.103). “A covered entity may be a business associate of another covered entity.” (Id.). Also, with very limited exceptions, a subcontractor or other entity that creates, receives, maintains or transmits PHI on behalf of a business associate is also a business associate. (Id.; 78 FR 5572). To determine if an entity is a business associate, see the attached Business Associate Decision Tree. Continue reading