
Business Associate Assurance

Under the HIPAA Privacy and Security Rules, health care organizations (covered entities) are required to identify and manage the risks to patient information and to safeguard it, since that information is central to patient privacy. Covered entities routinely use the services of a variety of contractors and other businesses. The HIPAA Privacy Rule permits a covered entity to disclose protected health information (PHI) to these “business associates”, limited to the minimum necessary for the work in question, and the HITECH Act makes business associates directly liable for complying with the Security Rule and the applicable provisions of the Privacy Rule. Such disclosure is permitted only if the covered entity first obtains satisfactory documented assurances that the business associate will use the PHI solely for the business purposes for which the covered entity engaged it under contract. The business associate must safeguard all PHI it receives or creates from misuse, abuse, or unauthorized disclosure, and must exercise due diligence, within the scope of the operations and services it provides, to help the covered entity meet its own obligations under the Privacy Rule. Our Business Associate toolkit helps organizations complete this required due diligence:

1) Business Associate Assessment Questionnaire:

This business associate assessment questionnaire has been designed to support the requirements of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and other applicable data privacy laws and regulations. At a minimum, the questionnaire should be completed with all Tier 1 business associates.

2) Business Associate Agreement:

The provisions in the business associate agreement are designed to help covered entities comply more easily with the business associate contract requirements of the HIPAA Privacy and Security Rules.

3) Breach Notification Procedure:

This flow chart has been developed to share with business associates so that they follow a consistent approach when performing a risk assessment to determine whether breach notifications are required following a possible breach of unsecured Protected Health Information (PHI).

Business Associate Determination

EHR2.0’s business associate determination tool helps a covered entity determine whether a service it uses falls within business associate scope, based on HHS guidance. If you have any feedback or want to customize this tool for your business use, please e-mail us at

Definition of Business Associate: A business associate is a person or entity to which the covered entity discloses protected health information so that the person or entity can carry out, assist with, or perform a function or activity on behalf of the covered entity.

Protected Health Information (PHI): Individually identifiable health information about a patient (or, in the case of research, a participant), that is, health information that identifies the person or could reasonably be used to identify the person.

Disclaimer: The information contained in this BA determination tool is provided as a service to the Internet community and does not constitute legal or business advice. We try to provide quality information, but we make no claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained in or linked to this web site and its associated sites.

EHR2.0 can help you become HIPAA compliant. Contact us at or +1 (866) 276-8309