Luis Louro - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How does an organization know if it's a HIPAA business associate?

HIPAA business associates must be HIPAA-compliant, but it's often difficult for organizations to figure out if they fit under that umbrella. Expert Mike Chapple explains how.

I work for a commercial printer that offers both traditional print as well as online portals that manage marketing...

support. We have fulfilled the ISO 27001 certification to satisfy audits from our financial services clients, but do we need to be HIPAA-compliant if we want to approach clients in the healthcare industry? If so, can you please explain what that actually means? Would we be classified as a business associate?

You correctly point out the crux of the matter in the question -- would you be considered a business associate? HIPAA applies only to four types of organizations: healthcare providers, health information clearinghouses, health insurance plans and the business associates of any of those parties. Organizations become business associates by entering into formal, written business associate agreements with a HIPAA-covered entity.

Commercial printers are unlikely to be considered a business associate unless it prints highly personalized materials that contain patient information. The reason is that an entity only becomes a business associate if it is exposed to protected health information (PHI) about patients. If the printer handles marketing materials for the covered entity, it will not likely want to disclose PHI to the printer and it will not become a business associate.

The U.S. Department of Health and Human Services, which oversees HIPAA compliance, further elaborates on the functions conducted by business associates with these examples: "claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing." As long as the printer deals only with generalized marketing materials, it's in the clear.

Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

Next Steps

Check out the best way to maintain HIPAA compliance for you and your business associates.

This was last published in March 2015

Dig Deeper on HIPAA