Who Is a Business Associate?

The concept of who is a business associate is a common area of confusion but doesn’t have to be.  To define who is a business associate, simply ask three questions.

  1. Does the individual or group have access to patient information?
  2. Do they have a need or reason to have access to patient information?
  3. Is the business associate providing a service DIRECTLY TO the provider or to the patient?

If you answer “yes” to all three questions, you have a business associate. The third question may need clarification, and it settles whether optical manufacturers/suppliers are business associates. Legal counsel states that in almost all of these cases, the manufacturer/supplier is providing a service to the patient, NOT the provider, and therefore is NOT a business associate of the provider. With this explanation, it appears clear that optical labs, contact lens vendors, and optical product companies are not business associates, and no business associate agreement is required. Conversely, any company or individual providing a service for the provider (legal counsel, an insurance billing company, or an EMR or other software vendor providing operational tools like appointment scheduling or communication services to patients) would be considered a business associate.

What is a Business Associate Agreement?

Business Associate Agreements are written contracts in which certain individuals who do business with your practice agree to your privacy policies. You must obtain these agreements from all individuals who fall under the potential designation of a business associate. It is the responsibility of the business associate to secure a business associate agreement from subcontractors. HIPAA requires that very specific regulations and language be included in business associate agreements (BAAs).


  1. Is a business associate agreement required with our optical labs, contact lens vendors, etc.? No – see prior discussion of who constitutes a business associate.
  2. A business associate wants to use their business associate format, not the one supplied by PCS – should I sign it? There is no required format for a business associate agreement. The PCS format is based on recommendations from the OCR/HHS. Any format containing the basic required elements of a business associate agreement is fine.
  3. How often do I have to obtain a new agreement? There are no rules regarding updating a business associate agreement.
  4. My vendor will not sign a business agreement – can I still do business with them? There are few mandates in HIPAA but having business associate agreements is certainly one of them. A decision to do business with an individual or company falling under the definition of a business associate with no formal agreement would be a serious and indefensible decision.

Other Issues

In 2022, the use of “virtual assistants” became popular. While not illegal in any way, remote workers do pose additional HIPAA compliance issues. Refer to the PCS website article for more detailed information on this topic. https://practicecompliancesolutions.com/virtual-assistants-legal-but-beware/

Some individuals or groups may have incidental exposure to PHI. Examples might be visitors to your practice, vendor representatives that visit your practice, or possibly cleaning services. If the likelihood of exposure to PHI is low, these individuals may sign a Confidentiality Agreement.

PCS understands the challenges optometrists face with an ever-changing regulatory landscape, and we are here to help optometrists navigate the complexities of these regulations. BAA and Confidentiality Agreements are included in our comprehensive HIPAA compliance package. If you have questions, feel free to reach out at info@practicecompliancesolutions.com