Security Basics (Part Eighteen) Business Associate (BA)

Posted by Thomas Davon on

A BA’s responsibilities are not limited to billing; the jobs of a BA range from Information Technology (IT) management to administrative, consultancy, financial, accreditation, legal, accounting and actuarial services. A Business Associate (BA) is more or less a contractor to a Covered Entity (CE), and the job the BA does is either directly or indirectly linked to PHI. As long as any of his responsibilities allows him access to PHI, he is a Business Associate of the Covered Entity (CE) and must comply with the HIPAA Rules.


Health Information Organizations or Exchanges, also known as HIOs or HIEs, are all BAs because they have direct access to PHI. Electronic prescribing gateways, and any persons who provide data transmission services that allow them access to PHI at any time, are also BAs.

A Business Associate (BA) may not be able to provide all the services a health care provider wants and may therefore contract some of the jobs to another individual or organization. This subcontractor also becomes a BA as long as he sometimes accesses the PHI.

A BA under HIPAA also includes a contractor engaged by a CE to help patients gain direct or indirect access to a Personal Health Record (PHR) on behalf of the Covered Entity (CE). This is because accessing a PHR automatically gives you access to its contents, which are PHI.


These PHRs may be financial records (past, present and future), case management records, accounting records, legal documents, insurance records, etc. A web designer who designed the company’s web site and posted all the data needed for the web site to run is also a BA, but a web designer who only updates the website by installing newer versions of software is not a BA. Janitors or janitorial companies are not BAs as long as they don’t have access to PHI, but if they do, then they are BAs and must comply with the HIPAA Rules.
