For HIPAA Purposes, a Business Associate Is: Definition and Examples Explained



Kevin Henry

HIPAA

August 12, 2024

5 minutes read

Definition of Business Associate

For HIPAA purposes, a business associate is any person or organization, other than a workforce member, that performs functions or provides services for a covered entity involving the use or disclosure of Protected Health Information (PHI). Typical functions include claims processing, data analysis, or IT services that create, receive, maintain, or transmit PHI.

The HIPAA Omnibus Rule expanded this definition to include any subcontractor that handles PHI on behalf of a business associate. Business associates are directly liable for compliance with applicable HIPAA Privacy, Security, and Breach Notification Rules.

Examples of Business Associates

Common business associates include vendors and service providers whose work requires access to PHI. If PHI flows to them (even if encrypted and not viewed), they usually qualify.

  • IT and cloud services: electronic health record vendors, cloud storage/backup, managed service providers, data hosting, eFax and secure messaging platforms.
  • Administrative support: claims processors, billing companies, practice management, utilization review, clearinghouses acting for providers, and third-party administrators.
  • Professional services: legal, actuarial, accounting, consulting, auditing, and accreditation bodies when PHI is used.
  • Data services: data analysis, quality reporting, HIE operators, and data aggregation for healthcare operations.
  • Operations and logistics: document scanning, shredding, records storage, mailing houses handling PHI mailings, call centers, and transcription.

Entities that act as mere conduits (for example, the postal service or basic carriers that do not access PHI beyond transient transmission) are typically not business associates.

Business Associate Agreement Requirements

A Business Associate Agreement (BAA) is required before PHI is shared. The BAA sets permitted uses and disclosures and embeds HIPAA Omnibus Rule obligations.

  • Specify allowable PHI uses/disclosures and prohibit any use beyond the agreement or HIPAA.
  • Require PHI safeguarding consistent with the Security Rule and the minimum necessary standard.
  • Mandate reporting of security incidents and potential breaches to the covered entity.
  • Flow down terms to subcontractors that create, receive, maintain, or transmit PHI.
  • Provide for individual rights: access, amendment, and accounting of disclosures, as applicable.
  • Require cooperation with the covered entity and HHS investigations or audits.
  • Address PHI return or destruction at termination and allow termination for material breach.

Responsibilities of Business Associates

Once engaged, business associates assume direct HIPAA obligations. You must implement policies and controls tailored to your role and the data you handle.

  • Conduct risk analysis and risk management; implement administrative, physical, and technical safeguards.
  • Limit PHI uses/disclosures to permitted purposes; apply the minimum necessary standard.
  • Train workforce members, manage access, and maintain sanction policies for violations.
  • Monitor vendors and ensure subcontractor compliance through written agreements and oversight.
  • Maintain documentation, audit logs, and incident response procedures for PHI safeguarding.
  • Provide timely breach notifications and cooperate with covered entities on investigations and remediation.

Subcontractors of Business Associates

Subcontractors that handle PHI on your behalf are also business associates. Under the HIPAA Omnibus Rule, you are responsible for ensuring subcontractor compliance through written BAAs and ongoing oversight.

  • Execute BAAs with each PHI-handling subcontractor before work begins.
  • Verify that subcontractors implement appropriate safeguards, training, and incident response.
  • Flow down all relevant privacy, security, and breach notification obligations.
  • Regularly assess subcontractor controls and address deficiencies promptly.

Compliance and Safeguarding PHI

Effective PHI safeguarding requires a blend of policy, technology, and verification. Align your program with HIPAA’s Security Rule and privacy requirements.

  • Administrative safeguards: governance, role-based access, workforce training, vendor management, and contingency planning.
  • Technical safeguards: encryption in transit and at rest, multi-factor authentication, unique user IDs, automatic logoff, and audit logging.
  • Physical safeguards: facility access controls, device/media controls, secure storage, and verified disposal/shredding.
  • Privacy practices: minimum necessary, de-identification or limited data sets where feasible, and strict prohibitions on impermissible uses.
  • Validation: periodic risk analyses, penetration tests or security assessments, and corrective action tracking.

Reporting Unauthorized Disclosures

Reporting an unauthorized disclosure begins with prompt detection and containment. Assess each incident to determine whether a breach occurred and the scope of notification required.

  • Investigate and document the incident; mitigate harm and prevent further disclosure.
  • Perform a risk assessment considering: the type and sensitivity of PHI, who received it, whether it was actually viewed or acquired, and the extent of mitigation.
  • If a breach is confirmed, notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, including required details.
  • Support individual notifications, substitute notice (if needed), and any media or regulatory notifications the covered entity must perform.
  • Maintain incident records, corrective actions, and lessons learned to strengthen future safeguards.

Proactive safeguards, clear BAAs, and diligent oversight of subcontractors position you to meet HIPAA obligations and protect PHI when incidents arise.

FAQs

What qualifies someone as a HIPAA business associate?

An entity qualifies when it performs functions or services for a covered entity that involve creating, receiving, maintaining, or transmitting PHI, and it is not part of the covered entity’s workforce. Subcontractors that handle PHI on behalf of a business associate are also business associates.

What services require a business associate agreement?

Any service that involves PHI typically requires a Business Associate Agreement, including billing, claims processing, EHR hosting, cloud storage/backup, IT support, data analytics, call centers, transcription, records scanning/shredding, mailing services handling PHI, and professional services (legal, accounting, consulting) that use PHI.

How must business associates safeguard PHI?

They must implement administrative, technical, and physical safeguards aligned with the Security Rule, apply minimum necessary, train their workforce, manage access, encrypt data in transit and at rest where reasonable and appropriate, log activity, maintain incident response, and oversee subcontractor compliance.

Are subcontractors considered business associates?

Yes. Under the HIPAA Omnibus Rule, any subcontractor that creates, receives, maintains, or transmits PHI for a business associate is itself a business associate, subject to HIPAA requirements and a written BAA with the upstream entity.
