Overview

A “business associate” is a person or entity, other than an employee, who has access to Protected Health Information (PHI) that the company stores or manages. This may include contractors and subcontractors of the company. The HIPAA Rules generally require that the company and business associates enter into contracts to ensure that the PHI will be appropriately safeguarded. The business associate contract also serves to clarify and limit the permissible uses and disclosures of PHI.

Why are they asking this?

HIPAA requires that a business associate contract exist between the parties. This covers not only the contract between your organization and your customers, but also contracts between your organization and any individuals or companies that have access to PHI that your company may have.

What do they expect?

HIPAA requires that all parties with access to PHI from a company have a business associate contract in place between them. This includes the originating company, any contractors, and any subcontractors. HIPAA refers to companies as business associates. A covered entity is a company with PHI.