Business associates are not required to give individuals direct access to their protected health information (PHI). However, they must assist the covered entity in providing access when an individual requests it. The covered entity is ultimately responsible for ensuring individuals can access their PHI.
Under the HIPAA Privacy Rule, individuals have several rights concerning their PHI, including:
These rights empower patients and promote transparency within the healthcare system.
While business associates manage PHI, they are not directly responsible for providing individuals access to their health information. Instead, their obligations primarily revolve around supporting the covered entity in fulfilling its responsibilities under HIPAA.
According to the HHS, “The Privacy Rule regulates covered entities, not business associates... Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access.”
Although business associates are not required to give individuals direct access to their PHI, they must assist the covered entity in doing so. When a patient requests access to their health records, the covered entity must respond to that request. If the records are held by a business associate, the covered entity will rely on the associate to provide the necessary information.
A business associate is any person or entity that performs functions or activities on behalf of a covered entity (such as a healthcare provider or health plan) that involve the use or disclosure of PHI. Examples include billing companies, data storage services, and cloud computing providers.
Patients should contact their healthcare provider or the covered entity directly to request access to their health records. The provider will then work with any business associates to ensure the request is fulfilled.
Business associates can only disclose PHI in accordance with the terms of their business associate agreement (BAA) and HIPAA regulations. They cannot disclose PHI without the covered entity's consent, except in specific circumstances allowed by HIPAA, such as for public health activities or legal requirements.