Covered entities cannot share PHI with a business associate unless they ensure that the business associate is also HIPAA compliant (has the proper safeguards in place to protect PHI). That assurance is handled under HIPAA by requiring the covered entity to have a signed business associate contract in place with the business associate.
■ A business associate contract is a legal document under HIPAA in which the business associate attests to the covered entity that it is HIPAA compliant and agrees to abide by HIPAA.
■ After signing the contract, the business associate is subject to HIPAA's legal fines and penalties.
■ In addition, under the business associate contract, business associates are also legally bound not to share PHI with another business associate unless they obtain the same assurances of HIPAA compliance from that party, again through a business associate contract.
This creates a “chain of trust” starting with the covered entity and continuing with the chain of multiple levels of business associates. All are tied together to the original covered entity through business associate contracts in that “chain of trust”.