Business Associate Contracts

When it comes to protecting sensitive health information, the role of business associates is crucial. Business associates are individuals or entities that perform functions or provide services on behalf of covered entities, such as healthcare providers or health insurance companies. These functions or services often involve access to protected health information (PHI).

To ensure the appropriate safeguarding of PHI, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to establish contracts with their business associates. These contracts serve to clarify and limit the permissible uses and disclosures of PHI by the business associate, based on the nature of the relationship and the services being provided.

In this article, we will explore the importance of business associate contracts and provide sample provisions to help covered entities and business associates comply with HIPAA requirements.

Obligations and Activities of Business Associate

Business associates have certain obligations and responsibilities under HIPAA. These include:

  • Using and disclosing PHI only as permitted or required by the contract or as required by law.
  • Implementing appropriate safeguards, including compliance with the HIPAA Security Rule for electronic PHI, to prevent unauthorized use or disclosure of PHI.
  • Reporting any unauthorized use or disclosure of PHI to the covered entity, including breaches of unsecured PHI.
  • Ensuring that any subcontractors that engage in activities involving PHI agree to the same restrictions and conditions.
  • Making PHI available to the covered entity for purposes of individuals’ requests for copies of their PHI and requests for amendments or accountings.
  • Complying with the requirements applicable to covered entities under the HIPAA Privacy Rule when carrying out covered entity obligations.
  • Making internal practices, books, and records related to PHI available to the Department of Health and Human Services (HHS) for compliance purposes.

Permitted Uses and Disclosures by Business Associate

Business associates are only allowed to use or disclose PHI as specified in the contract and as permitted by law. This may include:

  • Specific purposes outlined in the contract.
  • Uses and disclosures required by law.
  • Uses and disclosures consistent with the covered entity’s minimum necessary policies and procedures.

Additionally, business associates may use PHI for their own management and administration or to carry out their legal responsibilities, provided they comply with HIPAA regulations.

Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions

Covered entities are responsible for informing business associates of any limitations in their notice of privacy practices, changes in an individual’s permission to use or disclose their PHI, and any restrictions on the use or disclosure of PHI. By keeping business associates informed, covered entities ensure that the business associates comply with the applicable privacy practices and restrictions.

Term and Termination

Business associate contracts have a specified term, starting from the effective date and ending on a termination date or event determined by the covered entity. The contract may be terminated by the covered entity if the business associate violates a material term, with an opportunity for the business associate to cure the breach.

Upon termination, business associates are required to return or destroy all PHI received from the covered entity or created on behalf of the covered entity. However, if authorized, business associates may retain PHI necessary for their management and administration or to fulfill their legal responsibilities.


Q: What is a business associate?
A: A business associate is an individual or entity that performs functions or provides services on behalf of a covered entity, involving access to protected health information (PHI).

Q: What are the obligations of a business associate under HIPAA?
A: Business associates have several obligations, including safeguarding PHI, reporting unauthorized disclosures, and complying with HIPAA regulations. They are also required to make PHI available to covered entities upon request and provide access to their internal practices for compliance purposes.

Q: What are the permissible uses and disclosures of PHI by a business associate?
A: Business associates can use or disclose PHI as specified in the contract with the covered entity or as required by law. They may also use PHI for their management and administration or to carry out their legal responsibilities, subject to certain conditions.


Business associate contracts are an essential component of HIPAA compliance. These contracts help ensure the proper safeguarding of protected health information and define the responsibilities and limitations of business associates. By adhering to the provisions outlined in the contract, covered entities and business associates can fulfill their obligations under HIPAA regulations and protect the privacy of individuals’ health information.