Under HIPAA, a Business Associate is any service provider who has access to or may have access to private patient data and/or personal health information. This can be through electronic means (e.g. your IT Managed Service Provider) or physical proximity (e.g. your janitorial service). Here's an incomplete list of common Business Associates that absolutely should complete a Risk Survey and sign a Business Associate Agreement annually:

  • Managed IT Services
  • EMR Software Providers
  • Janitorial Services
  • Medical Billing Services
  • Marketing Firms
  • Independent Medical Transcriptionists
  • Document Shredding Vendors
  • CPAs or Attorneys

If any of these service providers access patient data for any reason, you must have a signed Business Associate Agreement that is updated annually. If you're not sure whether your service provider needs to complete the survey and sign the agreement, contact your compliance officer or a HIPAA compliance specialist.