Other situations when a BAA is not required


Situations in which a BAA Is NOT required xviii

  • When a healthcare provider discloses protected health information to a health plan for payment purposes, or when the healthcare provider simply accepts a discounted rate to participate in the health plan’s network. A provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the “business associate” of the other.
  • With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.  
  • With a person or organization that acts merely as a conduit for protected health information, for example, the U.S. Postal Service, certain private couriers, and their electronic equivalents.  
  • Among covered entities who participate in an organized health care arrangement (OHCA) to make disclosures that relate to the joint health care activities of the OHCA.  
  • Where a group health plan purchases insurance from a health insurance issuer or HMO. The relationship between the group health plan and the health insurance issuer or HMO is defined by the Privacy Rule as an OHCA, concerning the individuals they jointly serve or have served. Thus, these covered entities are permitted to share protected health information that relates to the joint healthcare activities of the OHCA.  
  • Where one covered entity purchases a health plan product or other insurance, for example, reinsurance, from an insurer. Each entity is acting on its own behalf when the covered entity purchases the insurance benefits, and when the covered entity submits a claim to the insurer and the insurer pays the claim.
  • To disclose protected health information to a researcher for research purposes, either with patient authorization, according to a waiver, or as a limited data set. Because the researcher is not conducting a function or activity regulated by the Administrative Simplification Rules, such as payment or health care operations, or providing one of the services listed in the definition of “business associate,” the researcher is not a business associate of the covered entity, and no business associate agreement is required.  
  • When a financial institution processes consumer-conducted financial transactions by debit, credit, or another payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for healthcare or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.