HIPAA violations: Business associate agreements are not necessarily a shield

Healthcare providers should remember that a business associate agreement does not provide blanket protection for the provision of protected health information (PHI) to a business associate, or the use of that information by a business associate. The underlying disclosure and use of the PHI must also be permissible under HIPAA regulations, such as for treatment or payment purposes.

For example, if a sales representative of a healthcare provider wishes to have unlimited access to PHI (such as the medical records of the healthcare provider’s patients), it is highly unlikely that such access would be permissible under HIPAA. Signing a business associate agreement with the sales representative will not convert this situation into a permissible one, because the underlying disclosure and use of the PHI must themselves comply with HIPAA.