the privacy rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the privacy rule. covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate. a member of the covered entity’s workforce is not a business associate. the types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the administrative simplification rules.