FAQ 560 Can a health information organization (HIO) operate as a business associate of multiple covered entities participating in a networked environment?

This is an FAQ for regulated entities and stakeholders.

Final

Issued by: Office for Civil Rights (OCR)

Can a health information organization (HIO) operate as a business associate of multiple covered entities participating in a networked environment?

Yes. A HIO can operate as a business associate of multiple covered entities participating in a networked environment. The HIPAA Privacy Rule does not prohibit an entity from acting as a business associate of multiple covered entities and performing functions or activities that involve access to protected health information for the collective benefit of the covered entities. In addition, the Privacy Rule would not require separate business associate agreements between each of the covered entities and the business associate. Rather, the Privacy Rule would permit the covered entities participating in a networked environment and the HIO to operate under a single business associate agreement that was executed by all participating covered entities and the common business associate.

Created 12/15/08

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.