A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.