2085-If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a business associate?

Question

If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a business associate?

Office for Civil Rights (OCR) · Accepted Answer

Answer:No. A CSP is not a business associate if it receives and maintains (e.g., to process and/or store) only information de-identified following the processes required by the Privacy Rule.  The Privacy Rule does not restrict the use or disclosure of de-identified information, nor does the Security Rule require that safeguards be applied to de-identified information, as the information is not considered protected health information. See the OCR guidance on de-identification for more information.[1]	[1] See http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/.

If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a business associate?

Answer:

Connect With OCR

Office for Civil Rights Headquarters