Business Associate Agreements

The parties to an information sharing agreement may utilize services that will give other entities access to protected health information when those entities provide ancillary services to a covered entity. In such cases, the party providing the ancillary services will need to have a “business associate agreement” with the covered entity to comply with HIPAA.

“Business associate” activities are defined quite broadly and include legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, and financial services as well as any other services that a covered entity might contract for. One type of organization that requires a business associate agreement is an accrediting body.

Business Associate Agreements can be used in the context of information sharing if some or all of the parties in a particular jurisdiction have protected health information stored and retained electronically by a common entity in order to facilitate ready access to the data. In that situation, a business associate agreement would be required between the health care providers (who are “covered entities” under HIPAA) and the organization storing the protected health information. A second example would be if the parties to the agreement wished to have a program evaluation done by a university (as an example) and the evaluation requires access to protected health information. A third example is if a covered entity in the jurisdiction has outside counsel through contract; the outside counsel would be a business associate. Some sample business associate agreements are provided:

·       The Department of Health and Human Services Office of Civil Rights, which has primary responsibility for enforcing and interpreting HIPAA. The template illustrates those things that must be in such an agreement and can also be downloaded at

·       A Colorado business associate agreement provides an excellent example of how to lay out very clearly and cover all of the necessary issues. The agreement can also be found at

Qualified Service Organization agreements                

Qualified Service Organization Agreements are designed to memorialize the relationship between a treatment provider and an entity providing ancillary services.

A person or organization that provides services to a program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting, or other professional services, or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy. The person or organization has entered into a written agreement with a program providing drug or alcohol referral, diagnosis or treatment under which the person or organization acknowledges that in receiving, storing, processing or otherwise dealing with any records concerning enrolled persons, it is fully bound by these regulations and, if necessary, will resist in judicial proceedings any efforts to obtain access to records of enrolled persons except as permitted by these regulations.