Is a business associate contract required for a covered entity to disclose PHI to a researcher?
No. Disclosures from a covered entity to a researcher for research purposes do not require a BA contract, even in those instances where the covered entity has hired the researcher to perform research on the covered entity’s behalf. A business associate agreement is required only where a person or entity is conducting a function or activity regulated by the Administrative Simplification Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of “business associate” at 45 CFR 160.103. However, the Privacy Rule does not prohibit a CE from entering into a BA contract with a researcher if the CE wishes to do so. Notwithstanding the above, a covered entity is only permitted to disclose PHI to a researcher as permitted by the Rule, that is, with an individual’s authorization pursuant to 45 CFR 164.508, without an individual’s authorization as permitted by 45 CFR 164.512(i) or as a limited data set provided that
Related Questions
- Under the HIPAA Privacy Rule, may a covered entity contract with a business associate to create a limited data set the same way it can use a business associate to create de-identified data?
- Is a business associate contract required for a covered entity to disclose protected health information to a researcher?
- Is a business associate contract required for a covered entity to disclose PHI to a researcher?
