Is Your Company a HIPAA Business Associate?

HIPAA Covered Entities & Business Associates

HIPAA laws concerning the privacy and security of health information are quite strict. Currently, business associates of HIPAA covered entities must also be HIPAA-compliant. Most businesses know whether their company is a HIPAA covered entity, but what about a HIPAA business associate? If you signed a HIPAA business associate agreement (BAA), then you are definitely a business associate. The following are some instances where there might be questions:

Covered Entities

Do any of the companies your company regularly works with qualify as a covered entity? The U.S. Department of Health and Human Services (HHS) says that a health care provider, a health plan, and a health care clearinghouse are covered entities. These entities engage business associates to help them and should be signing some form of BAA or contract when they do so. The Legal Information Institute at Cornell University provides access to the actual 45 CFR 160.103 section of the law that defines "covered entities" and "business associates." For further information, Forbes contributor Newtek offers some good examples that elaborate on covered entities in the article "Does Your Business Need To Be HIPAA-Compliant?"

Business Associates

In general, if a company handles Protected Health Information (PHI), either on paper or electronically (ePHI), it is potentially a HIPAA business associate. This sometimes includes businesses that are not generally thought of as part of the medical field, such as law firms and accounting firms. If any health records come across a company's desk for transcription, or if the company does data conversion or de-identification, there are cases when the company will be considered a business associate. An infographic put together by the Robert Wood Johnson Foundation and the Hirsh Health Law and Policy Program from George Washington University helps companies determine if they are a HIPAA business associate. A company that wishes to be 100% certain should consult an attorney to determine whether it is a HIPAA business associate, needs a BAA, and must be HIPAA-compliant.

It is important to know whether a company is a HIPAA business associate because those that are can be audited by the HHS Office of Civil Rights. Companies that business associates subcontract to may also need to be HIPAA-compliant. View Giva's PDF on HIPAA compliance, including BAAs, here.
