Examples of HIPAA Business Associates: Who Qualifies and What They Do


Kevin Henry

HIPAA

August 06, 2025

Understanding who counts as a business associate is essential to your HIPAA compliance strategy. A business associate is any non-workforce partner that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity or another business associate. The right classification determines when a Business Associate Agreement (BAA) is required and what Data Safeguards must be in place.

This guide walks through clear examples of HIPAA business associates, explains what they do, and outlines core obligations—from BAAs and HIPAA Compliance requirements to Subcontractor Obligations across the vendor chain.

Third-Party Administrators and Medical Billing Companies

Third-Party Administrators (TPAs) and medical billing companies qualify as business associates when they handle PHI for claims processing, payment, or health care operations. If you outsource coding, claims submission, eligibility checks, patient statements, or collections that involve PHI, your partner is acting as a business associate.

Typical services

  • Claims intake, adjudication, and appeals management using Electronic Health Records and related systems.
  • Medical coding, charge capture, and denial management requiring access to diagnosis and procedure data.
  • Patient billing, payment posting, and limited collections that use demographic and financial PHI.

Key responsibilities

  • Execute a Business Associate Agreement that defines permitted uses and disclosures of PHI.
  • Implement administrative, physical, and technical Data Safeguards, including access controls and audit logs.
  • Apply the minimum necessary standard and support breach reporting obligations set in the BAA.

Consultants and Health Information Exchanges

Consultants become business associates when their work requires PHI access—such as privacy and security assessments, revenue cycle optimization, quality improvement, coding audits, or analytics. If a consultant can perform services without PHI, they may not be a business associate; once PHI is used, a BAA is mandatory.

Health Information Exchanges (HIEs) qualify because they facilitate the transmission and maintenance of PHI among participating Covered Entities. Operating an exchange inherently involves creating, receiving, and transmitting PHI, making HIEs business associates with direct Security Rule obligations.

What to expect contractually

  • Explicit scope of PHI access and disclosure limitations in the BAA.
  • Controls for user provisioning, identity management, and auditability across participating organizations.
  • Processes for individual rights support (access, amendments) routed back through the Covered Entity.

Cloud Service Providers and IT Service Providers

Cloud Service Providers that store, back up, or process ePHI—such as hosting Electronic Health Records, imaging archives, secure messaging, or telehealth platforms—are business associates. A “no-view” model does not remove HIPAA duties; maintaining encrypted PHI still triggers BAA and Security Rule compliance.

Managed IT providers also qualify when they can access PHI through helpdesk, remote administration, patching, or monitoring. Even incidental access during maintenance creates business associate status when ePHI is reasonably reachable.

Essential Data Safeguards

Conduit caveat

The narrow “conduit” exception applies to mere transmission services that do not store PHI other than transiently. Persistent storage, indexing, or administrative access typically exceeds a conduit role and creates business associate obligations.

Outside Counsel and Accounting Firms

Outside counsel and accounting firms qualify as business associates when legal or financial services require PHI—such as malpractice defense, subpoena response, payer audits, cost reports, or employee health plan reviews. When PHI is shared for these services, a BAA is required.

Practical controls

  • Case-by-case minimum necessary disclosures documented by matter or engagement.
  • Secure workspaces and encrypted devices for attorneys, CPAs, and expert consultants.
  • Retention and destruction schedules that return or securely dispose of PHI at engagement end.

Data Analysis and Document Storage Companies

Analytics vendors that perform risk stratification, quality measurement, utilization review, or population health reporting using PHI are business associates. If a limited data set is used, restrictions still apply and contractual terms must govern its use.

Document scanning, imaging, and storage providers—physical or electronic—qualify when they maintain or transport records containing PHI. Offsite records management, secure shredding services, and digital archiving all fit the business associate definition when PHI is involved.

Risk and safeguard themes

  • Chain-of-custody controls for records, barcode tracking, and secure transportation.
  • Redaction, de-identification, or pseudonymization where feasible to reduce PHI exposure.
  • Role-based access, immutable logs, and defensible destruction to meet Data Safeguards expectations.

Business Associate Agreements and Compliance Requirements

A Business Associate Agreement (BAA) is required before PHI is shared. The BAA defines how PHI may be used and disclosed, requires HIPAA-compliant safeguards, and sets breach reporting expectations. It also addresses Subcontractor Obligations by mandating equivalent protections downstream.

What a strong BAA covers

  • Permitted and required uses/disclosures and explicit prohibitions on unauthorized use.
  • Security Rule safeguards for ePHI: risk analysis, risk management, access controls, and incident response.
  • Privacy Rule support: minimum necessary, cooperation on individual rights via the Covered Entity.
  • Breach and security incident reporting timelines, investigation, and documentation duties.
  • Subcontractor flow-down terms, right-to-audit, and obligations on termination to return or destroy PHI.

Operational compliance essentials

  • Written policies and workforce training tailored to services and data flows.
  • Vendor risk management for any third parties touching PHI, including offshore resources.
  • Business continuity and disaster recovery plans tested against realistic scenarios.

Subcontractor Responsibilities under HIPAA

Subcontractors to a business associate become business associates themselves when they create, receive, maintain, or transmit PHI. The primary business associate must ensure a BAA is in place with each subcontractor and that equivalent safeguards, restrictions, and reporting duties apply throughout the chain.

Managing the downstream risk

  • Due diligence: assess security posture, regulatory history, and PHI access needs before onboarding.
  • Least privilege: limit data sets, environments, and time-bound access to the minimum necessary.
  • Contractual controls: flow-down BAAs, right-to-audit, breach cooperation, and secure termination/return.
  • Continuous oversight: evidence-based monitoring, periodic assessments, and remediation plans.

Summary

If a partner touches PHI for your operations, they likely fit the business associate definition. Ensure BAAs are executed, Data Safeguards are implemented, and Subcontractor Obligations flow down. Clear scoping, strong controls, and ongoing oversight keep your Electronic Health Records and broader PHI ecosystem protected while meeting HIPAA Compliance expectations.

FAQs

What entities qualify as HIPAA business associates?

Any non-workforce partner that creates, receives, maintains, or transmits PHI for a Covered Entity—or provides services involving PHI—qualifies. Common examples include billing companies, TPAs, HIEs, cloud hosting and backup providers, managed IT, external counsel, accountants, analytics vendors, and records storage or destruction services.

What are the requirements for a Business Associate Agreement?

A BAA must define permitted uses/disclosures of PHI, require HIPAA-aligned safeguards, mandate incident and breach reporting, address minimum necessary and individual rights support, flow down the same protections to subcontractors, allow verification or audit as appropriate, and specify secure return or destruction of PHI at termination.

How do subcontractors fit into HIPAA compliance?

Subcontractors handling PHI for a business associate are business associates too. The primary BA must execute BAAs with them, impose equivalent Security and Privacy Rule obligations, verify controls, and monitor ongoing performance to ensure continuous compliance across the vendor chain.

What services are not considered business associate functions?

Services that do not involve PHI access—like janitorial work, building maintenance, or pure courier/postal delivery acting as a transient conduit—are generally not business associate functions. If a vendor maintains, stores, or can reasonably access PHI, the exception no longer applies and business associate status is triggered.
