HIPAA “Business Associate” Agreements:
Knowing When and How to Enter Into Them
By Leigh-Ann M. Patterson, Esq.
Nixon Peabody LLP, Partner, HIPAA Task Force
March 15, 2003
By all accounts, the Health Insurance Portability and Accountability Act (“HIPAA”) has been one of
the most talked about corporate compliance issues of the past year, and for good reason. The
complexity of the legislation and its implementing regulations is confounding. The costs
associated with implementation are immense and the civil and criminal penalties for violations are
As the April 15, 2003 privacy compliance deadline looms, many companies are being inundated
with requests to sign so-called “HIPAA Business Associate Agreements.” Knowing what a Business
Associate Agreement is and when you should enter into one is critical so that you do not
undertake these contractual obligations unnecessarily.
What Is A HIPAA Business Associate?
A HIPAA Business Associate is any person or entity who performs or helps perform a function or
activity involving the use or disclosure of protected health information (“PHI”) and the function or
activity is being performed on behalf of a HIPAA “Covered Entity.”[i] This definition focuses on
what an entity does, not what it is.
Examples of common Business Associate functions include claims processing or administration;
data analysis, processing or administration; utilization review; quality assurance; billing; benefit
management; practice management; or repricing. Business Associates do not need to be entities
traditionally associated with health care services. For example, the following functions fall within
the definition of a Business Associate: legal, actuarial, accounting, consulting, data aggregation,
management, administrative, accreditation, or financial services.
What Are HIPAA Business Associates Required To Do?
HIPAA’s Business Associate Rule requires Covered Entities to identify their Business Associates and