Identifying Your Business Associates Under the HIPAA Privacy Regulations

by Michael C. Roach, JD

The HIPAA privacy regulations require that covered entities have written agreements in place before disclosing protected health information (PHI) to business associates.[1] The regulations also require specified provisions be included in business associate agreements (BAAs).[2] Most likely none of your existing BAAs satisfy all of the requirements of the regulations. Consequently, you need to locate all of your existing agreements with business associates and start amending those agreements.

It is important to understand who is and who is not a business associate, because only BAAs need to be amended. A business associate is an entity that, on your behalf, performs or assists in the performance of: (1) any of the following, if it involves use or disclosure of PHI:

• Claims processing or administration;
• Data analysis;
• Processing or administration;
• Utilization review;
• Quality assurance;
• Billing;
• Benefit management;
• Practice management; or
• Repricing;

or (2) any other function regulated by HIPAA. Additionally, any entity that provides any of the following services involving the disclosure of PHI by you is a business associate:

• Legal;
• Actuarial;
• Accounting;
• Consulting;
• Data aggregation;
• Management;
• Administrative;
• Accreditation; or
• Financial.[3]

There are important exceptions. First, a member of your workforce is not your business associate.[4] “Workforce” means employees, volunteers, trainees, and others whose work performance is under your direct control, regardless of whether they are paid.[5]

Additionally, if you participate in an “organized healthcare arrangement” (as defined in the regulations) and another member of the arrangement performs a function or activity on behalf of the arrangement, that by itself does not make that other member your business associate.[6]

Before you can begin to identify your BAAs, you must locate all of your contracts. Be sure you search for letter and oral agreements in addition to formal contracts that are probably labeled as such. One way to do this would be to have your HIPAA compliance project leader send a memo to all personnel who have contracting authority asking them to send to the project office a copy of all written agreements (including letter agreements) that have not been completely performed by both parties. Additionally, these individuals should be asked to identify anybody working in their department who (1) is not an employee, and (2) does not have a written contract with your organization. These people are potentially under oral contract with your organization.

Once collected, all of the agreements need to be reviewed to identify (1) which of them are with business associates, and (2) which will still be in the process of being performed by either party on April 14, 2003 (or 2004 if you are a small health plan). It is not important whether you first identify which agreements are with business associates and then identify which of those will still be in the process of being performed, or vice versa. The point is, you are taking all of your existing agreements (formal, letter, and oral) and reviewing each one to determine which will still be in the process of being performed on your applicable compliance date and are also with a business associate.[7]

You can eliminate from this stack those agreements where: (a) the disclosure is to a provider concerning treatment of the individual about whom the information pertains, (b) the other party is a plan sponsor, provided that the requirements of the regulations for plan-sponsor documents are satisfied and you are a group health plan, health insurer or HMO, or (c) you are a government program providing public benefits and either (1) eligibility or enrollment is determined by the business associate, or (2) you determine the eligibility or enrollment but information to make those decisions is collected by the business associate.

Once this last step is taken, you will have in one place all the business associate agreements that need to be amended before the compliance date. You should start the process of amending the agreements soon, as negotiation of some of these new contracts could be a protracted process. Some business associates may resist some of the amendment language. However, you have little room to negotiate regarding the required provisions. Luckily, entities that routinely deal with healthcare providers and other HIPAA-covered entities are becoming quite aware of the need for BAAs, and some are even drafting their own versions.

Draft the BAA amendment before starting the negotiations so that you can present it to the business associate. You should involve your legal counsel in this process because you may need to consider providing some additional consideration in order for the amendment to be enforceable. That issue is a question for your legal counsel. Of course, you may also involve your legal counsel in drafting the amendment itself. In any event, the person drafting the amendments should have a thorough knowledge of the privacy regulations. Not all contract writers and attorneys will have such knowledge.

As you go through the process of negotiating the amendments, be careful not to find yourself in the position where you are running out of time to get the agreement amended. For instance, if you estimate that it would take five months to negotiate a new agreement with an alternative to an existing vendor, then you should have your agreement with that vendor amended at least five months before your compliance date. Otherwise, once you are within that five-month window you will be at a disadvantage in the negotiations because you will not have time at that point to take the business elsewhere. This is especially true if the current vendor knows that it will take you five months to negotiate a new agreement with an alternative vendor.


HIPAA requires written contracts with business associates and specific language in those contracts. Pulling together all of the agreements you have in place, identifying which are with business associates, and amending those as necessary will be a long process. You should begin that process as soon as possible. The following checklist may be of assistance.

  • Collect all existing agreements.
  • Select those that are with business associates.
  • Of those, select those that will not be fully performed by your relevant compliance date.
  • Of the remaining, eliminate those with a provider for treatment purposes.
  • If you are an HMO, group health plan, or insurer, eliminate those with plan sponsors if the plan documents satisfy the regulations.
  • If you are a government agency providing benefits, eliminate those with other agencies if the other agency determines eligibility for the benefits you provide, or if you make eligibility determinations based on PHI received from the other agency.
  • Draft amendment language and begin negotiations.


  1. 45 C.F.R. §164.502(e), 65 Fed. Reg. 82806 (2000).
  2. Id.
  3. 45 C.F.R. §160.103, 65 Fed. Reg. 82798 (2000).
  4. Id.
  5. Id. at 82800.
  6. Id. at 82798 and 82799. The term “organized healthcare arrangement” encompasses a large number of arrangements, too numerous to go into here. The definition of that term appears in 45 C.F.R. §164.501, 65 Fed. Reg. 82804 (2000).
  7. These arrangements do not require BAAs. 45 C.F.R. §502(e), 65 Fed. Reg. 82806 (2000).

Michael C. Roach, JD, is a senior attorney in the Health Law group of Bell, Boyd & Lloyd LLC where he practices general corporate law in the healthcare industry. He can be reached at (312) 807-4354 or via e-mail at

Article citation:
Roach, Michael C. "Identifying Your Business Associates Under the HIPAA Privacy Regulations." In Confidence 9, no.6 (Nov/Dec 2001): 1-2.