The medical industry is regulated in many ways. The regulations specifically related to patient privacy and information security, known as HIPAA, apply to healthcare providers and health plans, which are designated as HIPAA Covered Entities. Many businesses that provide services for those entities are also required to comply with the same HIPAA regulations. Under HIPAA, those businesses are referred to as Business Associates.
A Business Associate is defined in the regulations as an entity that "creates, receives, maintains, or transmits" patient information on behalf of a Covered Entity.
Also included are entities that maintain or store patient information even if they do not actually view the information.
Finally, any subcontractor, defined as an agent or other person who acts on behalf of the Business Associate, is also considered a Business Associate.
The new rules also state that if you are doing the work of a Business Associate or Subcontractor, then you are obligated to comply. If there is no agreement between the Covered Entity and your business, it doesn't matter. If you believe you are not a Business Associate but regulators disagree, it doesn't matter; you are liable.
Yes, it can be very confusing, but if there is any doubt about the classification you must err on the side of caution. Fines for compliance failures can go into the millions of dollars, with minimum fines usually in the thousands. Some serious infractions include criminal charges and up to 10 years in prison.
You must determine if these regulations apply to your business arrangements. This simple wizard created by Kardon Technology can help you work through the definition. For more information see www.kardontech.com or www.smallproviderhipaa.com.