Content created by Office for Civil Rights (OCR)
Answer:
No. Disclosures from a covered entity to a researcher for research purposes do not require a business associate contract, even in those instances where the covered entity has hired the researcher to perform research on the covered entity’s own behalf. A business associate agreement is required only where a person or entity is conducting a function or activity regulated by the Administrative Simplification Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of “business associate” at 45 CFR 160.103, links to an external website.
However, the HIPAA Privacy Rule does not prohibit a covered entity from entering into a business associate contract with a researcher if the covered entity wishes to do so. Notwithstanding the above, a covered entity is only permitted to disclose protected health information to a researcher as permitted by Rule, that is, with an individual’s authorization pursuant to 45 CFR 164.508, links to an external website, without an individual’s authorization as permitted by 45 CFR 164.512 (i), links to an external website, or as a limited data set provided that a data use agreement is in place as permitted by 45 CFR 164.514 (e), links to an external website.
Created 12/19/02