The Privacy Rule includes the following exceptions to the business associate standard. In these situations, a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.  

Disclosures by a covered entity to a healthcare provider for the treatment of the individual. For example: 

• A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.  
• A physician is not required to have a business associate contract with a laboratory as a condition of disclosing protected health information for the treatment of an individual.  
• A hospital laboratory is not required to have a business associate contract to disclose protected health information to a reference laboratory for the treatment of the individual.   

Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or HMO that provides the health insurance benefits or coverage for the group health plan, provide that the group health plan’s documents have been amended to limit the disclosures or one of the exceptions have been met.   

The collection and sharing of protected health information by a health plan that is a public benefits program, such as Medicare, and an agency other than the agency administering the health plan, such as the Social Security Administration, that collects protected health information to determine eligibility or enrollment, or determines eligibility or enrollment, for the government program, where the joint activities are authorized by law.