Skip to main content


Part Number: 324

Health and Human Services Acquisition Regulation

324.7001 Policy on Compliance with HIPAA business associate contract requirements.

(a) HHS is a HIPAA “covered entity” that is a “hybrid entity” as these terms are defined at sections 160.103 and 164.103 respectively. As such, only the portions of HHS that the Secretary has designated as “health care components” (HCC) as defined at section 164.103, are subject to HIPAA. HHS' HCCs may utilize persons or entities known as “business associates,” as defined at section 160.103. Generally, “business associate” means a “person” as defined by section 160.103 (including contractors, and third-party vendors, etc.) if or when the person or entity:

(1) Creates, receives, maintains, or transmits “protected health information”, as the term is defined at section 160.103, on behalf of an HHS HCC to carry out HHS HIPAA “covered functions” as that term is defined at 164.103; or

(2) Provides certain services to an HHS HCC that involve PHI.

(b) Where the Department as a covered entity is required by 45 CFR 164.502(e)

(1) and 164.504(e) and, if applicable, sections 164.308(b)(3) and 164.314(a), to enter into a HIPAA business associate contract, the relevant HCC contracting officer, acting on behalf of the Department, shall ensure that such contract meets the requirements at section 164.504(e)(2) and, if applicable, section 164.314(a)(2).