Under HIPAA, a business associate is a third party that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information (PHI).  Some examples of business associates are a third-party administrator that assists a health plan with claims processing, a consultant that performs data aggregation or analysis, or an attorney whose legal services involve access to PHI.  A covered entity can also be a business associate of another covered entity, and a subcontractor to whom a business associate has delegated some function, activity, or service is treated as a business associate.1

Under the Privacy Rule, a covered entity engaging a third party to perform business associate services or activities must execute a business associate agreement (BAA) that includes certain protections for the PHI that closely track the Privacy Rule.  For example, the BAA must: (a) describe the permitted and required uses and disclosures of PHI by the business associate; (b) provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and (c) require the business associate to use appropriate safeguards to prevent an unauthorized use or disclosure of the PHI.  To the extent permitted in its BAA with the covered entity, a business associate is also required to enter into a BAA with any subcontractor to whom it discloses PHI, with terms that mirror those in the original BAA.2


1 45 CFR § 160.103.

2 Id. § 164.504(e).