A Business Associate is a person or organization, other than an employee of a covered entity, who performs functions or provides services related to creating, receiving, maintaining, or transmitting Protected Health Information (PHI) on behalf of your organization.
Remember!: With all of your business associates, you need an agreement that legally binds you (the HIPAA covered entity) and the business associate with very clear terms for managing and protecting health information emanating from you.
A written contract with your Business Associate must:
Detail the uses and disclosures of PHI the Business Associate may make
Require that the Business Associate safeguard PHI
In other words, if any one person or vendor has potential access to private health information, you need to hold them accountable to the same high standards as you are held accountable.