All the Following Are Examples of a Business Associate—Except: Who Does Not Qualify Under HIPAA
Business Associate Definition
A business associate is any person or organization, other than a covered entity’s workforce, that performs functions or services for a covered entity and creates, receives, maintains, or transmits Protected Health Information (PHI). If an entity works for a business associate and handles PHI, it is treated as a business associate as well.
HIPAA compliance hinges on whether the role involves access to PHI—actual viewing is not required. Simply maintaining or storing PHI (including encrypted ePHI) triggers business associate status and the need for PHI safeguards and a Business Associate Agreement (BAA).
Covered entity context
Covered entities include health plans, health care clearinghouses, and most health care providers that conduct standard electronic transactions. When these entities delegate PHI-related tasks to outside parties, those parties typically become business associates and must follow HIPAA requirements.
Examples of Business Associates
Use the following as a practical guide: if a vendor's services involve PHI or provide access to PHI, the vendor likely qualifies as a business associate.
- Claims processing, billing, and collections vendors handling PHI for payment and operations.
- IT service providers that host, maintain, back up, or recover ePHI (including cloud storage, email, messaging, data centers, and managed service providers).
- Electronic health record (EHR) platforms, telehealth platforms, transcription services, and medical scribe vendors with access to PHI.
- Data analytics, quality improvement, utilization review, and population health vendors using PHI for operations.
- Legal, audit, consulting, or accounting firms that receive PHI to advise a covered entity.
- Document scanning, shredding, media disposal, and courier vendors when they handle PHI beyond mere transient transmission.
- Health information exchanges (HIEs), e‑prescribing gateways, and registries that manage PHI on behalf of covered entities.
Non-Business Associates
All the following are examples of a business associate—except the entities that meet one of these exclusions. These parties may interact with PHI, but not in a way that makes them business associates.
- Conduits that only transmit PHI and do not store it other than on a transient basis (for example, the postal service or certain telecommunications carriers).
- Vendors with truly incidental contact (for example, building maintenance or janitorial staff) who are not hired to handle PHI.
- Recipients of de‑identified data only; once PHI is properly de‑identified, the recipient is not a business associate for that data set.
- Health care providers receiving PHI solely for treatment purposes; treatment disclosures do not create a business associate relationship.
- Plan sponsors that receive only enrollment/disenrollment information or summary health information for permitted purposes.
- Government oversight agencies receiving PHI by law for audits, inspections, or licensure reviews.
Covered Entity Workforce
Members of a covered entity's workforce—employees, volunteers, trainees, and others under the entity's direct control—are not business associates. They access PHI under the covered entity's policies, training, and sanctions program rather than under a BAA.
You should manage workforce access to PHI using role‑based controls, the minimum necessary standard, and documented PHI safeguards. Temporary staff may be workforce if the covered entity directly controls their work; otherwise, the staffing agency may be a business associate.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Associate Agreements
A Business Associate Agreement is required whenever a vendor’s role involves PHI. The BAA documents permitted uses and disclosures, allocates responsibilities, and embeds HIPAA compliance obligations.
Core elements to include
- Permitted and required uses/disclosures of PHI, including limits consistent with the minimum necessary standard.
- Administrative, physical, and technical PHI safeguards; Security Rule compliance; and risk analysis/risk management expectations.
- Breach and security incident reporting timelines and cooperation duties, including content of notices.
- Subcontractor obligations requiring the same restrictions and safeguards to flow down via written agreements.
- Individual rights support: access to PHI, amendments, and accounting of disclosures when held by the business associate.
- HHS audit/inspection cooperation; record retention commitments.
- Return or destruction of PHI at termination and termination rights for material breach.
Subcontractors of Business Associates
Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates. The original business associate must execute a BAA with each subcontractor and ensure equivalent subcontractor obligations.
Access to PHI includes maintaining encrypted ePHI without a decryption key. For example, cloud providers that store backups for a billing company are business associates even if they never “look” at the data. Each downstream entity must implement PHI safeguards and support required access to PHI when applicable.
Flow‑down responsibilities
- Execute BAAs that mirror restrictions and HIPAA compliance duties.
- Implement security controls proportionate to risk (encryption, access management, audit logging, backup, and incident response).
- Report breaches promptly to the upstream business associate and cooperate in investigations and notifications.
Exceptions to Business Associate Status
Some activities fall outside business associate status even when PHI is involved. Understanding these limits helps you avoid unnecessary BAAs and focus on true risk.
- Pure conduits: entities that only transmit PHI with no routine storage.
- Patient‑directed disclosures: when an individual asks a covered entity to send PHI to a third party, that recipient does not become a business associate by receiving it.
- De‑identification services: the recipient of de‑identified data is not a business associate for that data set, though the expert performing de‑identification from PHI is.
- Treatment disclosures: exchanges of PHI between providers for treatment do not create business associate relationships.
- Limited plan sponsor data: receipt of enrollment or summary information within HIPAA’s allowances does not create business associate status.
In short, the dividing line is whether the role involves performing a function for a covered entity (or another business associate) that requires creating, receiving, maintaining, or transmitting PHI. If not, the entity belongs on the “except” side of the question posed in the title.
FAQs
What is the definition of a business associate under HIPAA?
A business associate is a person or organization, other than a covered entity’s workforce, that performs functions or services for a covered entity (or another business associate) and creates, receives, maintains, or transmits PHI as part of that work. Access to PHI—whether viewed or simply stored—triggers HIPAA compliance duties.
Which entities are required to have business associate agreements?
Covered entities must have a Business Associate Agreement with each vendor whose work involves PHI, and business associates must have BAAs with any subcontractors that handle PHI for them. The BAA documents permitted uses/disclosures, PHI safeguards, subcontractor obligations, breach reporting, and support for individual access to PHI.
Are subcontractors always considered business associates?
Subcontractors are business associates when they create, receive, maintain, or transmit PHI for a business associate. A rare exception is a pure conduit that only transmits PHI transiently without routine storage; otherwise, subcontractor obligations and BAAs must flow down.
What types of entities do not qualify as business associates?
Entities that do not qualify include a covered entity’s workforce, conduits that only transmit PHI, vendors with incidental exposure, recipients of properly de‑identified data, plan sponsors that receive only limited enrollment or summary information, and providers exchanging PHI solely for treatment purposes.