Simply put, a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity. By law, the HIPAA Privacy Rule applies only to Covered Entities. Covered Entities are typically health plans, health care clearinghouses, and certain health care providers. Most Covered Entities, however, do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other organizations. If those services involve the use or disclosure of protected health information, the organization providing them is a Business Associate.
Learn more: Business Associates [HHS]
No. Employees of a Covered Entity are not considered Business Associates.
Yes, it is possible to be classified as both a Covered Entity and a Business Associate. For example, a covered entity such as a health care provider, health plan, or health care clearinghouse can also be a business associate of another covered entity.
Any subcontractor of a Business Associate that creates, receives, maintains, or transmits protected health information on behalf of the BA is itself also a Business Associate. This distinction is often overlooked.
A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a Business Associate Agreement (BAA). If you are a covered entity entrusting protected health information to a third party, then a Business Associate Agreement is required by law.
Read full article: Business Associate Agreement Provisions
A Business Associate Agreement (BAA) is required to be in place for the entire duration of services provided by a Business Associate to a Covered Entity. If a BAA has an expiration date in it, that's a red flag and is the same as not having one at all.