Business Associate as Defined by HIPAA: Definition, Examples, and Requirements

Kevin Henry

HIPAA

August 11, 2024

Definition of Business Associate

A Business Associate as defined by HIPAA is any person or organization, other than a covered entity’s workforce, that creates, receives, maintains, or transmits Protected Health Information to perform services or functions for or on behalf of a Covered Entity or another business associate. The relationship exists because the service requires access to PHI or ePHI, not merely because the parties have a contract.

Typical trigger activities include claims processing, data analysis, utilization review, quality reporting, legal or accounting services that need PHI, and technology services that host or process ePHI. Incidental contact with PHI alone does not usually create a business associate relationship; routine or systematic handling of PHI does.

Key points

  • The hallmark is involvement with PHI on behalf of a Covered Entity or another business associate.
  • Business associates must have a Business Associate Agreement in place before PHI is shared.
  • They carry direct compliance obligations under the HIPAA Security Rule and relevant Privacy Rule provisions.
  • They are accountable for preventing unauthorized disclosure and for safeguarding PHI they touch or control.

Examples of Business Associates

Many essential healthcare vendors qualify as business associates because their services depend on access to PHI. Common examples include:

  • Medical billing and revenue cycle management firms that process claims using PHI.
  • Third-party administrators for employer group health plans that adjudicate benefits.
  • Electronic health record and practice management vendors that host or support ePHI.
  • Cloud service providers, data centers, and backup vendors that store or maintain PHI—even if encrypted.
  • Telehealth platforms, patient portals, and e-prescribing gateways that transmit PHI.
  • Healthcare data analytics, population health, and quality reporting companies using PHI for analysis.
  • Law firms, accounting firms, and consultants that need PHI to advise you on healthcare operations or compliance.
  • Managed IT service providers, cybersecurity firms, and help desks with system-level access to ePHI.
  • Scanning, imaging, shredding, and secure document management vendors that handle PHI in physical or digital form.
  • Accreditation and certification bodies that review records containing PHI.

Business Associate Agreements

A Business Associate Agreement is the contract that defines what the business associate may do with PHI and how it will protect it. It operationalizes HIPAA requirements, establishes permitted and required uses and disclosures, and binds the parties to safeguards, reporting duties, and termination rights.

Core clauses to include

  • Permitted and required uses/disclosures of PHI, applying the minimum necessary standard.
  • Prohibition on uses or disclosures not authorized by the agreement or law, preventing unauthorized disclosure.
  • Administrative, physical, and technical safeguards consistent with the HIPAA Security Rule to protect ePHI.
  • Security incident and breach notification to the Covered Entity without unreasonable delay, with cooperation in investigation and mitigation.
  • Flow-down terms requiring subcontractors to agree to the same restrictions and protections (subcontractor liability).
  • Assistance to the Covered Entity with individual rights (access, amendment, and accounting of disclosures).
  • Availability of relevant records to regulators for compliance reviews.
  • Return or destruction of PHI at termination if feasible, and continued protections if retention is required.
  • Right to terminate for cause upon a material breach, plus mitigation of any harmful effects.

Operational best practices

  • Map data flows and systems to the agreement’s scope so permitted uses match reality.
  • Specify encryption expectations, access controls, and logging necessary to meet compliance obligations.
  • Define breach and incident reporting procedures, contacts, and timelines clearly.
  • Document security and privacy controls the business associate maintains, and how they are tested.

Responsibilities of Business Associates

Business associates have direct compliance obligations under HIPAA. They must safeguard PHI, limit uses and disclosures to what the agreement permits, and promptly address any security incidents or unauthorized disclosure.

Security obligations under the HIPAA Security Rule

  • Perform an enterprise-wide risk analysis and manage identified risks to acceptable levels.
  • Implement access controls, unique user IDs, least-privilege permissions, and session protections.
  • Enable audit logging and monitoring to detect anomalous activity and policy violations.
  • Encrypt ePHI in transit and at rest where reasonable and appropriate, and manage keys securely.
  • Maintain contingency plans, tested backups, and disaster recovery capabilities.
  • Train the workforce, apply sanctions for violations, and document all policies and procedures.

Privacy and disclosure controls

  • Use and disclose PHI only as allowed by the Business Associate Agreement or as required by law.
  • Apply the minimum necessary standard to limit PHI exposure.
  • Support individual rights workflows (access, amendment, accounting) when the agreement requires.
  • Prohibit marketing, sale of PHI, or other uses that require individual authorization unless such authorization is obtained.

Incident response and reporting

  • Detect, contain, and investigate security incidents quickly; mitigate harm and document findings.
  • Conduct a risk assessment to determine whether an event constitutes a breach of unsecured PHI.
  • Notify the Covered Entity without unreasonable delay and cooperate on notifications and remediation.
  • Implement corrective actions to prevent recurrence and track lessons learned.

Recordkeeping and oversight

  • Maintain required documentation for the applicable HIPAA retention period.
  • Be prepared for audits or investigations and provide requested evidence of compliance.
  • Review and update security and privacy controls as systems and risks evolve.

Subcontractors of Business Associates

Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates. The upstream business associate must ensure subcontractor liability by executing written agreements that impose the same restrictions, conditions, and compliance obligations.

Flow-down requirements

  • Written terms obligating subcontractors to protect PHI and comply with the HIPAA Security Rule.
  • Limits on uses/disclosures to what is necessary for the delegated services.
  • Incident and breach notification duties that align with upstream reporting obligations.
  • Return or destruction of PHI at contract end, or continued protections if retention is necessary.
  • Rights to assess controls, require remediation, and terminate for material breach.

Due diligence and ongoing oversight

  • Pre-engagement security and privacy due diligence, tailored to the sensitivity and volume of PHI.
  • Access provisioning based on least privilege and the minimum necessary standard.
  • Continuous monitoring, periodic reviews, and evidence-based verification of safeguards.
  • Clear lines of responsibility for incident handling and coordinated communications.

Conclusion

A Business Associate as defined by HIPAA is any vendor or partner that needs PHI to serve a Covered Entity or another business associate. Strong Business Associate Agreements, disciplined security and privacy practices, and rigorous oversight of subcontractors create a defensible compliance posture, reduce the risk of unauthorized disclosure, and demonstrate fulfillment of HIPAA compliance obligations across your vendor ecosystem.

FAQs

What is the role of a business associate under HIPAA?

A business associate performs functions or provides services for a Covered Entity that require creating, receiving, maintaining, or transmitting Protected Health Information. Its role is to carry out those tasks while protecting PHI, limiting uses and disclosures to what the agreement permits, and meeting direct compliance obligations under HIPAA, including the HIPAA Security Rule.

What must be included in a business associate agreement?

A Business Associate Agreement must define permitted/required uses and disclosures; prohibit uses not authorized by the contract or law; require safeguards consistent with the HIPAA Security Rule; mandate incident and breach reporting; flow down the same protections to subcontractors; support individual rights as applicable; enable regulator access to relevant records; require return or destruction of PHI at termination; and allow termination for material breach with mitigation of harmful effects.

Are subcontractors considered business associates?

Yes. Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is also a business associate. The upstream entity must impose the same restrictions and protections through a written agreement, and remains responsible for oversight and subcontractor liability.

What are the penalties for noncompliance by business associates?

Penalties can include tiered civil monetary penalties per violation, corrective action plans, and mandated remediation. In serious cases involving wrongful disclosures or misuse of PHI, criminal penalties may apply. Financial exposure can be significant, alongside reputational damage and contractual consequences with Covered Entities.
