Business Associates

A Business Associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on our behalf.

PHI is any individually identifiable information contained in an electronic or paper medical record. PHI includes a patient's mental or physical health condition as well as a patient's billing and demographic information.

In situations where a person or entity is a Business Associate, we must have a Business Associate Agreement (BAA) in place before protected health information may be disclosed.

Our Business Associate Agreements were revised in 2010 to comply with the amendments to HIPAA contained in the HITECH Act*. HITECH extends the patient privacy and security provisions of HIPAA to Business Associates in order to better protect PHI. Therefore, all existing Business Associates must sign the new BAA, as must any new Business Associate. Please go to the Policies page of the website for the Office of Compliance, Privacy & Internal Audit (compliance.med.nyu.edu/compliance-policies) to download the new BAA.

If you have questions as to whether a particular vendor is a Business Associate, or what to do to properly process a BAA, please email BAAhelp@nyumc.org. Someone from the Privacy Office will contact you within two business days.

* The HITECH Act is a component of the economic stimulus package enacted by the federal government in 2009. HITECH is an acronym for Health Information Technology for Economic and Clinical Health.

What Is a Business Associate?

Is a BA

  • Billing and Collection Companies
  • Utilization Review Organization
  • Claims Processing Companies (Third Party Administrators)
  • Data Analysis, Processing, and Administration Companies
  • Quality Assurance Organizations
  • Benefits Management Companies
  • Practice Management Firms
  • Repricing Agencies
  • Law Firms
  • Accounting Firms
  • Consulting Firms
  • Data Aggregation Services
  • Management Companies
  • Administrative Services
  • Accreditation Organizations
  • Financial Services (e.g., banks providing lock box services)
  • Transcriptionists
  • Software vendors (hosting our PHI on their server, or routinely accessing PHI to perform a service)
  • Vendors who routinely handle, copy or dispose of medical records or documents containing PHI
  • Interpreters who are not members of the workforce
  • Actuarial Services
  • Patient Safety Organizations*
  • Health Information Organizations*
  • E-Prescribing Gateways*
  • Vendors of Personal Health Records*
  • Data Transmission Organizations*
  • Regional Health Information Organizations (RHIOs)*

Is not a BA

  • Other health care providers who use PHI to treat a patient
  • Health plans who use PHI to pay a provider for services rendered
  • Janitorial services
  • Members of a covered entity's workforce
  • Medical device manufacturers
  • US Postal Service, FedEx, UPS, messenger services
  • Software vendors (sale only)
  • Telecommunications Relay Service
  • Providers who disclose PHI to a researcher for research purposes
  • Group health plan disclosure of PHI to health plan sponsor (such as an employer)
  • Group health plan purchasing insurance from HMO/health insurer
  • Financial institutions processing payment card transactions/funds transfers for payment of health care or health plan premiums

*Proposed business associate. Notice of Proposed Rulemaking, July 14, 2010. Final Rule expected 2010 year end.