A Business Associate is a person or entity that provides services to a Covered Entity and, in doing so, has access to PHI held by the Covered Entity.
Examples include attorneys, accountants, IT contractors, billing companies, cloud storage services, cleaning services, etc.
Because Business Associates hold or have access to patient health information, they have the same obligations as Covered Entities and should always be required to enter into contracts with Covered Entities that reflect those obligations.
To comply with the HIPAA Security Rule, all Covered Entities and Business Associates must ensure that technical, physical, and administrative safeguards are in place and are being followed.
They must also comply with the HIPAA Privacy Rule to protect the integrity of PHI and report rule violations in accordance with the HIPAA Breach Notification Rule.