Welcome to the California Department of Health Care Services 

Business Associate

 


The HIPAA Privacy Rule identifies a new category of business relationship called a "business associate."  
The Privacy Rule requires that a health plan covered by HIPAA, such as Medi-Cal,
enter into a business associate contract in order to disclose protected health information (PHI)
to the business associate.

To be a business associate, a contractor or agency partner:

  • Must perform or assist in performing a function or activity which involves the use or disclosure of individually identifiable health information;
  • Must perform activities, such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing, on behalf of a Department of Health Care Services (DHCS) health plan, such as Medi-Cal; and
  • Must provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a DHCS health plan, such as Medi-Cal.

The Privacy Office and the DHCS Contract Management Unit (CMU) review each DHCS health plan covered by HIPAA for its obligation to incorporate business associate terms and conditions into DHCS business associates' contracts and agreements and monitor compliance with this obligation.  Each written agreement with a business associate must contain the terms specified in one of the following HIPAA Addenda (standard or high risk) requiring the business associate to appropriately safeguard PHI:

When to use Standard vs. the High Risk: Business Associate Revision Addendum (Word)

Business Associate Presentation (PowerPoint)

 
