Business Associates & Release of Information Workflows
Duration: 50 min · Level: Intermediate · Module: 5. HIPAA Privacy Rule · Focus: business-associate, BAA, ROI, authorization, release-of-information
By the end of this lesson you will be able to explain and apply:
- Business Associate (BA)
- Business Associate Agreement (BAA)
- Valid HIPAA authorization elements (all required)
- ROI turnaround standards
- Records request for workers comp
Why this matters
Any entity that receives PHI from a covered entity to perform a function on its behalf is a Business Associate.
Overview
Any entity that receives PHI from a covered entity to perform a function on its behalf is a Business Associate. CEHRS specialists process Release of Information (ROI) requests daily — understanding the legal framework, required components of a valid authorization, and turnaround requirements prevents liability.
Key concepts
- Business Associate (BA): person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity; examples: billing companies, coding vendors, EHR vendors, cloud storage providers, transcription services
- Business Associate Agreement (BAA): required contract before any PHI can flow to a BA; must include: what PHI is shared, permitted uses, security safeguards, incident reporting, return/destruction at contract end
- Valid HIPAA authorization elements (all required): description of PHI to disclose, who may disclose, who may receive, purpose of disclosure, expiration date, signature/date, statement of right to revoke, statement about re-disclosure
- ROI turnaround standards: 30 days for standard requests; medical emergencies within 24 hours; legal subpoenas follow court timelines; CEHRS staff must track request-to-delivery time
- Records request for workers comp: workers compensation is a HIPAA exception — information related to the work injury may be released without authorization for workers comp purposes; but unrelated health information still requires authorization
- CEHRS exam tip: authorization vs consent — authorization = specific written permission for a specific disclosure; consent = general agreement to treatment; they are not interchangeable terms under HIPAA
Check your understanding
Try to recall each answer before reading it.
Q1. What do you know about Business Associate (BA)?
person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity; examples: billing companies, coding vendors, EHR vendors, cloud storage providers, transcription services
Q2. What do you know about Business Associate Agreement (BAA)?
required contract before any PHI can flow to a BA; must include: what PHI is shared, permitted uses, security safeguards, incident reporting, return/destruction at contract end
Q3. What do you know about Valid HIPAA authorization elements (all required)?
description of PHI to disclose, who may disclose, who may receive, purpose of disclosure, expiration date, signature/date, statement of right to revoke, statement about re-disclosure
Q4. What do you know about ROI turnaround standards?
30 days for standard requests; medical emergencies within 24 hours; legal subpoenas follow court timelines; CEHRS staff must track request-to-delivery time
Q5. What do you know about Records request for workers comp?
workers compensation is a HIPAA exception — information related to the work injury may be released without authorization for workers comp purposes; but unrelated health information still requires authorization
Part of Module 5: HIPAA Privacy Rule.