HIPAA FAQs - Business Associate

What is the intent of business associate agreements?
One of the purposes of HIPAA is to safeguard protected health information (PHI). To the extent you have control of protected health information, you must take appropriate steps to keep it secure. In a medical practice, many of the provisions of this rule apply to “business associates” who have contact with you and, therefore, access to PHI.

You cannot release or disclose PHI to business associates unless both parties have a business associate agreement in place. The business associate agreement must contain a confidentiality clause that holds the business associate accountable for protecting PHI. The business associate cannot use or further disclose the information in any way that violates the Privacy Rule.

When a relationship with a business associate ends, the business associate must return or destroy all PHI within a reasonable time frame.

Who qualifies as a business associate?
A business associate is any person to whom the practice discloses protected health information (PHI) so that the person can carry out, assist in, or perform on behalf of the practice a function or activity of the practice. This includes persons or contractors who receive PHI from your practice in the course of providing a service to you. You may only disclose this confidential PHI to a business associate if the associate has taken steps to ensure the confidentiality of the information.

What types of functions do business associates typically perform?
Functions or activities typically performed that involve the use or disclosure of individually identifiable health information include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.

Who doesn’t qualify as a business associate?
The following do not qualify as business associates under the Privacy Rule:

A. Employees.
B. Contracted employees who perform a substantial portion of their work at your practice, such as a physical therapist.
C. Oversight agencies (e.g., Joint Commission on Accreditation of Healthcare Organizations (JCAHO)).
D. Hospitals, unless the hospital performs billing services for staff providers.

What about when information is shared for treatment purposes?
Any practice or provider may share protected health information (PHI) with a health care provider for treatment purposes without a business associate agreement so long as information is used to treat the patient and not for other unrelated usage.

Do I need a business associate agreement for my cleaning service?
You are not required to enter into a business associate agreement with your janitorial service because the performance of such a service does not involve the use or disclosure of protected health information (PHI). In most cases a janitor's contact with PHI is incidental, which is permissible as long as reasonable safeguards are in place. It would be ideal to lock the records room or store records in lockable cabinets.

Since I already have an attorney-client relationship with counsel, do I need a business associate agreement?
While the Privacy Rule does not intend to interfere with this relationship and considers access to privileged protected health information (PHI) to be limited, it does hold that it is appropriate to have attorneys sign a business associate agreement.

What about organizations that act merely as a conduit of protected health information (PHI)?
The rule does not require a business associate agreement with a person or organization that acts merely as a conduit of information, such as the U.S. Postal Service, certain private couriers, and their electronic equivalents (ISPs for example). Since no disclosure is intended and the probability is small for incidental release, no agreement is necessary.

Financial institutions are likewise not considered business associates when they process consumer-conducted financial transactions by debit, credit, or other payment cards, checks, or electronic funds transfers. Covered entities that initiate such payment activities must still meet the minimum necessary disclosure requirements.

What is the requirement for the return or destruction of protected health information (PHI)?
The Privacy Rule requires the return or destruction of all PHI at the termination of a contract only where feasible or permitted by law. When return or destruction is not feasible, the contract must state that the information will remain protected as long as maintained and any further use of this information will be limited to those purposes that make return or destruction infeasible.
