When is a health care provider a business associate of another health care provider?
The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1). Therefore, any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment purposes without a business associate contract. However, this exception does not preclude one health care provider from establishing a business associate relationship with another health care provider for some other purpose. For example, a hospital may enlist the services of another health care provider to assist in the hospitals training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to patient health information.
Related Questions
- Does UnitedHealthcare believe that there needs to be a Business Associate agreement between the provider and UnitedHealthcare to comply with the HIPAA Privacy Regulation?
- Should our business require a note from a health care provider to allow employees who have been sick to return to work?
- When is a health care provider a business associate of another health care provider?
