45 CFR §164.504 Explained: HIPAA Organizational Requirements and Business Associate Agreements
45 CFR §164.504 sets the organizational requirements that govern how covered entities and business associates handle Protected Health Information (PHI). This guide explains what counts as a business associate, when a Business Associate Agreement (BAA) is required, what it must include, and how group health plans handle plan administration functions, summary health information, and Group Health Plan Safeguards.
Definition of Business Associate
A business associate (defined at 45 CFR §160.103) is any person or organization, other than a member of the covered entity’s workforce, that performs functions or activities on behalf of a covered entity, or provides certain services to it, and in doing so creates, receives, maintains, or transmits PHI. Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates and must meet the same requirements.
Common examples include claims processors, third-party administrators, cloud or data-hosting providers storing ePHI (even if the data is encrypted and the provider holds no key), health information exchanges, consultants, attorneys, accountants, and analytics vendors when their work involves PHI. The “mere conduit” exception is narrow: it covers transmission services (including storage that is only incidental to transmission) that do not access PHI other than randomly or infrequently, such as postal and courier services and their electronic equivalents. A vendor that persistently stores PHI is a business associate, not a conduit.
Requirement for Business Associate Contracts
When a contract is required
Before you share PHI with a vendor that qualifies as a business associate, you must obtain “satisfactory assurances” in a written Business Associate Agreement that the vendor will appropriately safeguard the information. This requirement applies to covered entity–business associate relationships and to business associate–subcontractor relationships whenever PHI will be created, received, maintained, or transmitted.
The BAA must be in place before PHI is disclosed, and each disclosure under it is still subject to the minimum necessary standard. Verbal assurances, purchase orders, or a vendor’s generic privacy policy are not substitutes; the arrangement must be captured in a binding contract or, where both parties are governmental entities, in a memorandum of understanding or other arrangement permitted by §164.504(e)(3).
Subcontractor Compliance
Business associates must flow down all relevant privacy and security obligations to any subcontractor that handles PHI. This downstream Subcontractor Compliance ensures PHI is consistently protected throughout the data lifecycle, regardless of how many vendors are involved.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Content of Business Associate Contracts
Required clauses
- Permitted and required uses and disclosures: Specify what the business associate may do with PHI and prohibit uses not authorized by the contract or required by law.
- Safeguards for PHI and ePHI: Require administrative, physical, and technical controls aligned with the HIPAA Security Rule to protect confidentiality, integrity, and availability.
- Security Incident Reporting and breach notifications: Require reporting of security incidents of which the business associate becomes aware, and notification of breaches of unsecured PHI to the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery (§164.410); many covered entities contract for a much shorter window so they can meet their own notification deadlines.
- Subcontractor Compliance: Mandate that subcontractors agree in writing to the same restrictions, conditions, and safeguards for PHI.
- Individual rights: Obligate the business associate to support access, amendment, and accounting of disclosures for PHI in a designated record set, as applicable.
- HHS access: Require making relevant records and practices available to the Secretary of HHS for compliance investigations.
- Return or destruction of PHI: On termination, require return or destruction of PHI, or continued protections if return/destruction is infeasible.
- Termination rights: Allow the covered entity to terminate the BAA if the business associate violates a material term and cure is not feasible.
Permitted uses and disclosures
- Use of de-identified information consistent with HIPAA standards.
- Data aggregation services for the covered entity’s health care operations.
- Uses and disclosures for the business associate’s own proper management and administration, or to carry out its legal responsibilities. Disclosures for these purposes are allowed only if they are required by law, or if the business associate obtains reasonable assurances from the recipient that the information will be held confidentially, used or further disclosed only as required by law or for the purpose it was disclosed, and that the recipient will report any breach of confidentiality back to the business associate.
Compliance Obligations of Covered Entities
Before sharing PHI
- Identify all relationships that meet the business associate definition and execute a Business Associate Agreement before any PHI flows.
- Disclose only the minimum necessary PHI to accomplish the intended purpose.
- Evaluate vendor capabilities to safeguard PHI and document due diligence.
When issues arise
- Act on knowledge of a violation: if you know of a pattern of activity or practice by the business associate that constitutes a material breach of the BAA, take reasonable steps to cure the breach or end the violation; if those steps fail, terminate the agreement if feasible. (The earlier option of reporting to HHS instead of terminating was removed by the 2013 Omnibus Rule; a covered entity that knows of such a pattern and does none of this is itself out of compliance.)
- Coordinate breach response: ensure required notifications to individuals, HHS, and (if applicable) the media occur, whether performed by you or delegated to the business associate.
- Maintain documentation: keep BAAs and related compliance records for at least six years from the date of creation or the date they were last in effect, whichever is later (§164.530(j)).
Compliance Obligations of Business Associates
Privacy and Security Rule duties
- Implement risk-based administrative, physical, and technical safeguards for ePHI, including access controls, audit logging, transmission security, and contingency planning.
- Use and disclose PHI only as permitted by the BAA or required by law, applying the minimum necessary standard.
- Provide Security Incident Reporting and notify the covered entity of breaches of unsecured PHI without unreasonable delay and within required timeframes.
- Ensure Subcontractor Compliance by binding downstream vendors to HIPAA-equivalent protections.
- Make records available to HHS and support audits or investigations.
Individual rights support
- Assist the covered entity with access, amendment, and accounting requests for PHI in a designated record set you maintain.
- Return or destroy PHI at contract end, or maintain protections if destruction is infeasible.
Exemptions from Business Associate Contract Requirement
- Disclosures to a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the PHI or their personal representative.
- Disclosures to health oversight agencies, public health authorities, or law enforcement when permitted by HIPAA; these recipients are not acting as business associates.
- Entities functioning as mere conduits that transmit PHI without persistent storage (for example, postal or courier services).
- Disclosures by a group health plan or insurer of enrollment and disenrollment information to a plan sponsor.
- Disclosures of Summary Health Information to a plan sponsor for obtaining premium bids or to modify or terminate a group health plan.
- Uses and disclosures among covered entities participating in an organized health care arrangement for the arrangement’s joint activities, and certain disclosures by government health plans that provide public benefits, where permitted by §164.502(e)(1)(ii); in these cases the recipient is not acting on the other entity’s behalf.
Requirements for Group Health Plans
Summary Health Information and enrollment
A group health plan may disclose enrollment and disenrollment information to the plan sponsor without a BAA. It may also disclose Summary Health Information to the sponsor, but only for the purpose of obtaining premium bids or modifying, amending, or terminating the plan. Summary Health Information summarizes claims history, claims expenses, or types of claims for the sponsor’s enrollees and has the identifiers listed in §164.514(b)(2)(i) removed, with one relaxation: geographic information may be kept down to the five-digit ZIP code rather than reduced to the three-digit level required for full de-identification.
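The scrubbing step described above, as an added example rather than code from the original page. It assumes claims arrive as flat dictionaries with the field names used in the constructed sample, maps those fields onto the §164.514(b)(2)(i) identifier categories, keeps ZIP codes at five digits as §164.504(a) allows for summary health information, reduces dates to the year, collapses ages over 89 into one bucket, and then aggregates claim counts and amounts by ZIP and claim type:

```python
"""Summary health information for a plan sponsor (45 CFR 164.504(a)).

Added example, not code from the original page. Field names are a constructed
record layout; the identifier categories follow 164.514(b)(2)(i).
"""
from collections import defaultdict

# Fields deleted outright (assumed mapping onto the 164.514(b)(2)(i) categories).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "medical_record_number", "beneficiary_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo",
})
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date", "death_date"})


def scrub(claim):
    """Return a copy of one claim with identifiers removed or reduced."""
    out = {}
    for field, value in claim.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                  # deleted entirely
        if field in DATE_FIELDS:
            out[field] = str(value)[:4]               # YYYY only (ISO dates assumed)
        elif field == "zip":
            out["zip5"] = str(value)[:5]              # 164.504(a): five-digit ZIP is allowed
        elif field == "age" and int(value) > 89:
            out[field] = "90+"                        # ages over 89 aggregated into one bucket
        else:
            out[field] = value
    return out


def summarize(claims):
    """Aggregate scrubbed claims by (ZIP5, claim type): count and total paid."""
    totals = defaultdict(lambda: {"claims": 0, "paid": 0.0})
    for claim in map(scrub, claims):
        key = (claim["zip5"], claim["claim_type"])
        totals[key]["claims"] += 1
        totals[key]["paid"] += float(claim["amount_paid"])
    return {k: dict(v) for k, v in sorted(totals.items())}


def identifiers_remaining(rows):
    """Release gate: names of direct-identifier fields still present in any row."""
    return sorted({f for row in rows for f in row if f in DIRECT_IDENTIFIERS})


# Constructed sample claims (fictitious people and amounts).
SAMPLE_CLAIMS = [
    {"name": "A. Example", "ssn": "000-00-0001", "zip": "02139-1234",
     "date_of_birth": "1931-05-02", "age": 92, "admission_date": "2023-11-14",
     "claim_type": "inpatient", "amount_paid": 12500.00, "email": "a@example.com"},
    {"name": "B. Example", "ssn": "000-00-0002", "zip": "02139",
     "date_of_birth": "1984-09-30", "age": 39, "admission_date": "2023-12-01",
     "claim_type": "outpatient", "amount_paid": 480.50, "ip_address": "203.0.113.7"},
    {"name": "C. Example", "ssn": "000-00-0003", "zip": "60601",
     "date_of_birth": "1990-01-15", "age": 34, "admission_date": "2023-12-09",
     "claim_type": "outpatient", "amount_paid": 320.00, "phone": "555-0100"},
]

if __name__ == "__main__":
    scrubbed = [scrub(c) for c in SAMPLE_CLAIMS]
    assert identifiers_remaining(scrubbed) == []    # nothing direct survives the scrub
    for key, agg in summarize(SAMPLE_CLAIMS).items():
        print(key, agg)
```

The release gate at the end is the part worth keeping in a real pipeline: a field that was added to the claims feed after the mapping was written will not be in `DIRECT_IDENTIFIERS`, so the mapping itself needs review whenever the upstream schema changes.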
Plan Administration Functions
When a plan sponsor performs plan administration functions on behalf of the group health plan, PHI may flow to the sponsor only after the plan documents are amended to state the permitted and required uses and disclosures, to restrict use of PHI to plan administration, and to prohibit employment-related uses or uses in connection with any other benefit plan of the sponsor. The plan may disclose PHI only after receiving the sponsor’s certification that the documents have been so amended and that the sponsor agrees to the restrictions (§164.504(f)(2)).
Group Health Plan Safeguards for ePHI
- Implement administrative, physical, and technical safeguards consistent with the Security Rule, including role-based access, authentication, encryption where appropriate, and audit controls.
- Establish adequate separation between the plan and the sponsor: the plan documents must identify the employees or classes of employees who will access PHI for plan administration, restrict their access to those functions, and provide an effective mechanism for resolving noncompliance (§164.504(f)(2)(iii)).
- Oblige the plan sponsor to provide Security Incident Reporting and to notify the plan of any unauthorized uses, disclosures, or breaches.
- Flow down Subcontractor Compliance to any agents assisting with plan administration.
- Support individual rights (access, amendment, accounting) for PHI held by the plan.
- Return or destroy PHI when it is no longer needed or maintain protections if destruction is infeasible.
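The adequate-separation and audit-control points above, as an added example that is not code from the original page. It models the amended plan documents as data: which sponsor workforce members are designated for plan administration, which purposes are prohibited, and which fields each permitted purpose may see (an assumed minimum-necessary list). Every access decision, allowed or denied, is appended to an audit log, and the denied entries feed the sponsor’s reporting back to the plan. All user identifiers, purposes and field names are constructed:

```python
"""Adequate separation and audit controls for plan sponsor access to PHI
(45 CFR 164.504(f)(2)(iii)).

Added example, not code from the original page. The policy dictionary stands
in for the amended plan documents; identifiers and field names are constructed.
"""
from collections import Counter
from datetime import datetime, timezone

PLAN_POLICY = {
    # 164.504(f)(2)(iii)(A): employees or classes of employees given access
    "designated_workforce": {"benefits.admin.1", "benefits.admin.2"},
    # 164.504(f)(2)(ii)(C): uses the plan documents must forbid
    "prohibited_purposes": {"employment_decision", "other_benefit_program"},
    # permitted purpose -> fields it may see (assumed minimum-necessary set)
    "permitted_fields": {
        "plan_administration": {"enrollee_id", "claim_type", "amount_paid", "service_date"},
    },
}


def decide(user, purpose, fields, policy=PLAN_POLICY):
    """Pure access decision: returns (allowed, reason)."""
    if purpose in policy["prohibited_purposes"]:
        return False, "purpose prohibited by plan documents"
    allowed_fields = policy["permitted_fields"].get(purpose)
    if allowed_fields is None:
        return False, "purpose not permitted by plan documents"
    if user not in policy["designated_workforce"]:
        return False, "user not designated for plan administration"
    excess = set(fields) - allowed_fields
    if excess:
        return False, "exceeds minimum necessary: " + ", ".join(sorted(excess))
    return True, "designated user, permitted purpose, fields within scope"


def request_phi(user, purpose, fields, audit_log, policy=PLAN_POLICY, now=None):
    """Apply decide() and record the outcome (audit control). Returns allowed."""
    allowed, reason = decide(user, purpose, fields, policy)
    audit_log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
        "user": user,
        "purpose": purpose,
        "fields": sorted(fields),
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


def denied_attempts_by_user(audit_log):
    """Input for the sponsor's report to the plan: who was refused, how often."""
    return Counter(entry["user"] for entry in audit_log if not entry["allowed"])


if __name__ == "__main__":
    log = []   # in production this would be an append-only store
    request_phi("benefits.admin.1", "plan_administration", {"enrollee_id", "amount_paid"}, log)
    request_phi("benefits.admin.1", "plan_administration", {"enrollee_id", "diagnosis"}, log)
    request_phi("hr.recruiter.7", "plan_administration", {"enrollee_id"}, log)
    request_phi("benefits.admin.2", "employment_decision", {"enrollee_id"}, log)
    for entry in log:
        print(entry)
    print(denied_attempts_by_user(log))
```

Keeping `decide()` free of side effects makes the policy unit-testable against the plan documents, while `request_phi()` guarantees that no decision, including a denial, escapes the log; a denied request by someone outside the designated workforce is exactly the event the sponsor must report to the plan under the amended documents.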
Together, these rules operationalize 45 CFR §164.504 by defining when a Business Associate Agreement is required, what it must contain, and how group health plans and sponsors may handle PHI in a secure, compliant manner.
FAQs
What is a business associate under HIPAA?
It is any non-workforce person or entity that performs functions or services for a covered entity and, in doing so, creates, receives, maintains, or transmits PHI. Subcontractors that handle PHI on behalf of a business associate also qualify as business associates.
How do business associate contracts ensure HIPAA compliance?
BAAs set explicit limits on how PHI may be used and disclosed, require safeguards for ePHI, mandate Security Incident Reporting and breach notifications, bind subcontractors to equivalent protections, permit HHS access for oversight, and provide termination rights if the vendor violates a material term.
What are the obligations of covered entities regarding business associate breaches?
Covered entities must act on known material noncompliance: take reasonable steps to cure the breach or end the violation, terminate the agreement if those steps fail and termination is feasible, mitigate harmful effects of any improper use or disclosure, and ensure required breach notifications to affected individuals, HHS, and (where applicable) the media occur, whether performed directly or by the business associate under delegation.
When are business associate contracts not required?
Common examples include disclosures for treatment, to the individual, to oversight or public health authorities, to mere conduits, and to plan sponsors for enrollment/disenrollment or for Summary Health Information used solely to obtain premium bids or to modify or terminate a group health plan.
How must group health plans safeguard electronic PHI?
They must adopt Group Health Plan Safeguards aligned with the Security Rule: perform risk analysis, implement access controls and audit logging, secure transmission and storage (such as encryption where appropriate), limit access to plan administration personnel, ensure Subcontractor Compliance, and support individual rights.