

E. 45 CFR 164.532 (d) and (e), Code of Federal Regulations, Title 45, Part 164, Section 532, Subpart E, Security and Privacy, Uses and disclosures: Organizational requirements, Privacy of Individually Identifiable Health Information and (d) Standard: Effect of Prior Contracts or Other Arrangements with Business Associates

F. Section 13404 and 13410(d) of the HITECH Act - Breach Notification Interim Final Regulation (74 FR 42740) - August 2009.



Rowan Security Officer


Is a Person or Entity a "Business Associate" and Required to Enter Into a Written Business Associate Contract?






The person or entity is not a "business associate" and no business associate contract is required.

The person or entity is a "business associate" and business contract is required.

Examples of Potential Business Associates 
(This is not an all-inclusive list, nor is every arrangement listed necessarily a business associate. Use the attached flowchart and policy and procedure to analyze whether the relationship is a business associate relationship under HIPAA. Contact Legal Management at 2-4705 for assistance in the analysis.)



Accounting services and firms

Accreditation services

Actuarial services

Actuarial specialists

Adjudication services

Administrative services


Architects, builders, and contractors

Asset-based lenders to healthcare facilities



Billing service companies

Bulk mailing services

Care management programs

Civic groups and other local groups that help out on an ad hoc basis with patients who are hospitalized for a traumatic event or complicated illness (e.g., Shrine Temples, Ronald McDonald House)

Coding providers and experts

Community health management information systems

Computer maintenance services and companies

Consulting services

Contract Research Organization – An entity used by pharmaceutical and device manufacturers to monitor clinical research trials

Copy services

Data aggregation services

Device manufacturers

Document storage and destruction vendors

Financial service companies

Government health data systems

Hardware vendors

Healthcare consultants (e.g., risk management, information technology, billing, coding and management)

Hospital associations (National and State)

HVAC vendors

Independent contractors

ATTACHMENT 2 (continued) 
Examples of Potential Business Associates

Independent service organizations (ISO) offering clinical/biomedical engineering services

Insurance brokers

Interpreter services (both deaf and foreign language)

Janitorial services; waste disposal and recycling services and companies

Law firms, their staff and employees


Mailing houses

Maintenance contractors

Management services

Marketing services or firms

Medical equipment testing/ repair services

Medical or Physician associations (National and State)

Medical record moving companies

Medical record storage companies

Medical record transcription services

Medical software vendors

Microfilm conversion providers

Organ and Tissue Banks

Organ procurement organization

Outsourced document shredders

Patient advocates

Pharmaceutical companies

Pharmaceutical manufacturers

Pharmaceutical representatives

Plasma Donor Centers

Printing companies (ID cards and other member materials)

Private health data systems

Professional liability insurance carriers

Recycling services and companies

Software vendors

Sperm Banks

Temporary Staffing Companies

Third-party administrators

Trade associations

Utilization management vendors

Value added networks

Vendors to business associates if involving the disclosure of independently identifiable health information

Waste disposal services and companies



Treatment, Payment and Health Care Operations 

A. "Treatment" - the provision, coordination, or management of health care and related services by one or more health care providers, including:

  1. the coordination or management of health care by a health care provider with a third party;

  2. consultation between health care providers relating to a patient; or

  3. the referral of a patient for health care from one health care provider to another.

B. "Payment" - the activities undertaken to obtain payment for the provision of healthcare; and relates to the individual to whom health care is provided and includes, but is not limited to:

  1. Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

  2. Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;

    1. Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity.

    2. Debt collection is recognized as a payment activity.

  3. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

  4. Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and

  5. Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of reimbursement:

    1. Name and address;

    2. Date of Birth;

    3. Social Security Number;

    4. Payment history;

    5. Account number; and

    6. Name and address of the health care provider and/or health plan.

C. "Health Care Operations" - any of the following activities:

  1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

  2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care providers, accreditation, certification, licensing, or credentialing activities;

  3. Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;

  4. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

  5. Business management and general administrative activities of Rowan University, including, but not limited to:

    1. Resolution of internal grievances;

    2. Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.



Business Associates Agreement Involving the Access to Protected Health Information 

This Business Associate Agreement 
Is Related To and a Part of the Following
Underlying Agreement:
Effective Date of Underlying Agreement:_________
School/Unit: _______________________________
Vendor: ___________________________________

Business Associate Agreement
Involving the Access to Protected Health Information 

This Business Associate Agreement ("BAA") is entered into between RowanSOM - [Name of School/Department/Unit] ("Rowan University"), a body corporate and politic of the State of New Jersey having its principal administrative offices at 40 East Laurel Road, UEC Bldg. Suite # 1031, Stratford, NJ 08084 (hereinafter referred to as "Covered Entity") and [Name and Address of Contracting Party] (hereinafter referred to as "Business Associate") (the "Covered Entity" and "Business Associate" hereinafter collectively referred to as the "Parties"). Any conflict between the terms of this BAA and the Underlying Agreement between the Parties shall be governed by the terms of this BAA.
WHEREAS, in connection with the Underlying Agreement the Business Associate provides services to Covered Entity and Covered Entity discloses to Business Associate certain Protected Health Information that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009) (the "HITECH Act"), and regulations promulgated by the U.S. Department of Health and Human Services (the "HHS") (hereinafter the "HIPAA Regulations" and the "HITECH Regulations," respectively) and/or applicable state and/or local laws and regulations; and 
WHEREAS, for good and lawful consideration and with acknowledgment of the mutual promises, set forth in the Underlying Agreement and herein, the Parties, intending to be legally bound, hereby agree as follows: 
I. Definitions
An expanded definition of the following terms, as well as the definition of other relevant terms, are available on RowanSOM website at Terms used in this Business Associate Agreement but not otherwise defined shall have the meaning ascribed to those terms in HIPAA, the HITECH Act, and any current and future regulations promulgated under HIPAA and/or the HITECH Act. See 45 C.F.R. 160.103, 164.402 and 164.501.












Is the person or entity providing a function or activity for or on behalf of the unit?  (See attached definition of treatment, payment and operations).


Is the person or entity providing legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation, or financial services?


(See also attached list for examples of potential types of functions and services.)






Does the use or disclosure of protected health information to the person or entity concern only the “treatment” of an individual?