Examples of Business Associates Under HIPAA: Common Vendors and What Counts


Kevin Henry

HIPAA

September 08, 2025

Knowing who qualifies as a business associate is essential to protecting Protected Health Information (PHI) and avoiding costly missteps. This guide clarifies what counts under HIPAA, shows common vendor types, explains Business Associate Agreements (BAAs), and outlines liability, subcontractor rules, and practical safeguards you can put in place.

Business Associate Definition

A business associate is any person or organization that performs functions or services for or on behalf of a Covered Entity—or another business associate—that involve creating, receiving, maintaining, or transmitting PHI. The trigger is PHI access or custody, whether or not the vendor actually looks at the data.

Typical qualifying functions include claims administration, billing, data analysis, utilization review, quality measurement, practice management, IT services with system-level access, shredding or secure disposal, and data aggregation. Members of your workforce are not business associates; they are part of the Covered Entity itself.

The PHI access test

  • If a vendor can reasonably access PHI in the course of work, it likely qualifies.
  • “Maintain” counts: a cloud host storing ePHI is a business associate even if the data is encrypted and the vendor never views it.
  • Incidental contact alone (for example, a janitorial service) does not make a vendor a business associate.

Common Business Associate Examples

Technology and data services

  • Cloud service, hosting, backup, and disaster recovery providers that store or transmit ePHI.
  • EHR and practice management software vendors supporting PHI-driven workflows.
  • Managed service providers (MSPs), IT help desks, and cybersecurity firms with PHI system access.
  • Patient communication platforms (email, SMS, portals) used to send or receive PHI.
  • Telehealth platforms and health information exchanges operating on behalf of Covered Entities.

Operations, payment, and compliance support

  • Billing, coding, revenue cycle management, and claims processing firms.
  • Utilization Review and prior authorization vendors supporting health plans and providers.
  • Auditors, consultants, accreditation bodies, and quality improvement partners that handle PHI.
  • Attorneys, accountants, and actuaries who access PHI in case files or plan work.

Specialized services handling PHI

  • Medical transcription and scribing services.
  • Pharmacy benefit managers acting on behalf of health plans.
  • Records storage, scanning, shredding, and media destruction vendors.
  • Analytics, decision support, and population health companies using PHI for operations.

The job title does not decide status; PHI involvement does. When in doubt, ask whether the vendor creates, receives, maintains, or transmits PHI for you.

Business Associate Agreements

A Business Associate Agreement (BAA) is the contract that defines how PHI may be used and protected by a vendor. You should have a BAA in place before sharing PHI and ensure the vendor can meet its obligations in practice, not just on paper.

Core elements every BAA should cover

  • Permitted and required uses/disclosures of PHI, tied to your stated purposes and the minimum necessary standard.
  • Safeguard commitments aligned to the HIPAA Security Rule (administrative, physical, and technical controls).
  • Subcontractor Compliance: flow-down requirements so all subcontractors with PHI sign comparable agreements.
  • Breach Notification Procedures, including prompt reporting of incidents and cooperation in investigations.
  • Support for individual rights: access to PHI, amendments, and accounting of disclosures when applicable.
  • Return or secure destruction of PHI at contract end, or continued protections if retention is required.
  • Right to audit/monitor compliance, documentation duties, and sanctions for material breach.

When a BAA is required

Execute a BAA whenever a vendor will create, receive, maintain, or transmit PHI for your organization, including storage-only providers, remote IT support, and outsourced communications that carry PHI. Do not transmit PHI until the BAA is signed.

Direct Liability of Business Associates

Business associates are directly liable for complying with HIPAA requirements that apply to them, not merely contractual promises in the BAA. Liability attaches the moment a BA handles PHI, whether for a Covered Entity or another BA.

What business associates are responsible for

  • Implementing the HIPAA Security Rule: risk analysis, risk management, workforce training, and technical safeguards.
  • Using or disclosing PHI only as permitted by the Privacy Rule and the BAA, following minimum necessary.
  • Providing timely breach and security incident notifications to the Covered Entity and cooperating with response.
  • Ensuring Subcontractor Compliance via BAAs and oversight.
  • Providing access to designated record set information when required and maintaining required documentation.

Enforcement and consequences

Regulators can impose significant civil penalties and, in certain circumstances, criminal sanctions. Contractual exposure also includes indemnity claims, termination, and reputational harm after a reportable incident.

Subcontractors as Business Associates

Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate. The same privacy and security obligations flow down the chain, and the upstream BA remains accountable for oversight.

Flow-down and oversight in practice

  • Sign BAAs with each subcontractor handling PHI; mirror the same or stronger protections.
  • Perform due diligence: security questionnaires, evidence reviews, and risk assessments before onboarding.
  • Build in audit rights, breach reporting duties, and clear remediation timelines.
  • Track data flows so you know exactly where PHI resides and who can access it.

Illustrative scenarios

  • An MSP (BA) using a cloud backup provider (subcontractor BA) to store ePHI.
  • An analytics firm (BA) hiring a data processing shop (subcontractor BA) for file normalization.
  • A mailing house (BA) engaging a print vendor (subcontractor BA) to produce patient statements.

Distinguishing Non-Business Associates

Not every vendor with a healthcare client is a business associate. The key is whether the vendor creates, receives, maintains, or transmits PHI for you as part of its core service, not incidental exposure.

Vendors that typically are not business associates

  • Your workforce members (employees, volunteers, trainees) acting within their roles for the Covered Entity.
  • Healthcare providers receiving PHI for treatment; they are Covered Entities for that role, not your BAs.
  • Conduits that merely transport information without persistent storage, like postal or delivery services.
  • Vendors with only incidental contact and no functional need for PHI (for example, building maintenance).

Borderline examples and how to decide

  • Offsite storage of patient files involves “maintaining” PHI—this is a BA relationship.
  • Cloud email or messaging used to send PHI generally requires a BAA.
  • If a vendor can administer your systems or databases containing PHI, treat it as a BA.

Compliance and Safeguards Requirements

Business associates must operationalize privacy and security—not just sign BAAs. Scalable controls are expected, but your program should reflect the sensitivity, volume, and complexity of PHI you handle.

Privacy and security program essentials

  • Risk analysis and risk management with documented remediation plans and timelines.
  • Administrative safeguards: policies, training, sanctions, vendor management, and access governance.
  • Technical safeguards: unique user IDs, multifactor authentication, role-based access, encryption, audit logs, and integrity controls.
  • Physical safeguards: facility access controls, device/media management, and secure disposal.
  • Breach Notification Procedures: detect, investigate, mitigate, and report within required deadlines.
  • Contingency planning: backups, disaster recovery, and emergency operations to maintain PHI availability.
  • Documentation and review: test controls, record decisions, and reassess after changes or incidents.

Key takeaways

  • Business associates under HIPAA include many technology, operations, and specialty vendors; what makes a vendor a business associate is its involvement with PHI, not its job title.
  • Use a robust Business Associate Agreement (BAA) and verify the vendor can meet the HIPAA Security Rule in practice.
  • Subcontractor Compliance is mandatory—responsibilities flow down the chain, and oversight remains with you and your primary BA.

FAQs

What qualifies a vendor as a business associate?

A vendor qualifies when it creates, receives, maintains, or transmits PHI for a Covered Entity (or another BA). The ability to access PHI—even if access is not exercised—generally counts, while incidental contact alone does not.

How are business associates held liable under HIPAA?

They are directly liable for complying with the HIPAA Security Rule and specific Privacy Rule obligations, including proper uses/disclosures, minimum necessary, timely breach reporting, and ensuring subcontractor compliance. Violations can trigger regulatory penalties and contractual remedies.

What must be included in a business associate agreement?

At minimum: permitted uses/disclosures; safeguards aligned to the HIPAA Security Rule; Subcontractor Compliance; Breach Notification Procedures; support for individual rights; return or destruction of PHI at termination; audit/monitoring rights; and documentation duties.

Are subcontractors always considered business associates?

Subcontractors are business associates when they create, receive, maintain, or transmit PHI on behalf of a BA. If they do not handle PHI, they are not BAs; once PHI is involved, the same obligations and BAA requirements apply down the chain.
