Not All Software Vendors Are Business Associates of Covered Entities—Here’s How to Tell Under HIPAA

Kevin Henry

HIPAA

August 11, 2025


Definition of Business Associate

A business associate is any person or organization, other than a workforce member, that performs functions or services for a covered entity or another business associate that involve the use or disclosure of Protected Health Information (PHI). If a vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity, it meets the definition.

The definition also captures subcontractors of business associates when their work touches PHI, and includes certain data transmission services that require routine access to PHI. Because PHI is at stake, a Business Associate Agreement (BAA) is required before PHI flows to the vendor as part of HIPAA Compliance.

What “Protected Health Information” means

Protected Health Information is individually identifiable health information—such as names, addresses, record numbers, diagnoses, or billing details—related to a person’s health, care, or payment for care. PHI can be in any form: paper, verbal, or electronic (ePHI).

Software Vendors as Business Associates

Many software companies qualify as business associates because their products or services involve PHI. If you host ePHI, process it, back it up, analyze it, or provide support that could expose you to PHI, you are typically a business associate and must sign a BAA and implement appropriate Information Security controls.

Common software scenarios that create BA status

  • Cloud service providers that store or back up ePHI (including “no-view” encrypted storage).
  • EHR/PM systems, patient portals, telehealth platforms, secure messaging, and e-prescribing tools.
  • Integration engines, interfaces, and data pipelines moving PHI between systems.
  • Analytics, AI, RCM, and billing platforms using PHI for operations or payment.
  • Remote support or managed IT where screen sharing, logs, or credentials may reveal PHI.

By contrast, selling shrink-wrapped or downloadable software with no services, no connectivity, and no vendor access to customer environments typically does not create business associate status. The moment you can access PHI—even incidentally—you likely do.

Covered Entities under HIPAA

A Covered Entity is one of three types of organizations regulated by HIPAA. Understanding who they are helps software vendors gauge whether BA obligations apply.

The three covered entity types

  • Health care providers that transmit health information electronically for standard transactions (for example, claims or eligibility checks).
  • Health plans such as insurers, HMOs, Medicare/Medicaid, and employer health plans.
  • Health care clearinghouses that transform nonstandard data into standard transaction formats and vice versa.

If your product or service operates “on behalf of” one of these covered entities—or a business associate serving them—you may be handling PHI and thus become a business associate.

Criteria for Business Associate Status

Use this quick decision framework to determine status. You are a business associate if the answer to both is “yes.”

Decision framework

  • Do you perform functions or services for a Covered Entity (or for another business associate)?
  • Will you create, receive, maintain, or transmit PHI as part of those functions or services (including routine or potential access through support, hosting, or logs)?

Strong indicators you are a business associate

  • Persistent storage or processing of ePHI (databases, backups, archives, disaster recovery).
  • Operational access to environments containing PHI (admin credentials, support channels, monitoring).
  • Use of PHI for claims processing, billing, data analysis, quality measurement, or similar services.

If you are a BA, minimum steps for HIPAA Compliance

  • Execute a Business Associate Agreement with each Covered Entity or upstream BA.
  • Implement Security Rule safeguards: risk analysis, access controls, encryption, audit logging, and incident response.
  • Limit PHI to the minimum necessary, train your workforce, and flow BAA obligations down to subcontractors.
  • Prepare for breach notification obligations and document your Information Security program.

Indicators you may not be a BA

  • You provide services directly to consumers and not on behalf of a Covered Entity.
  • You never create, receive, maintain, or transmit PHI; only de-identified data is used.
  • Your role is outside health care functions and you do not handle PHI (for example, general purpose tools with no PHI exposure and no support access).

Exceptions for Vendors Without PHI Access

HIPAA recognizes limited scenarios where a vendor serving a Covered Entity is not a business associate because there is no meaningful PHI access.

Key exceptions and caveats

  • Conduit exception: Entities that merely provide Data Transmission with no routine access and no persistent storage of PHI (like postal mail or certain ISPs) are not BAs. If you store or maintain PHI—even encrypted—you generally lose the conduit exception.
  • De-identified data only: If data meet HIPAA de-identification standards (safe harbor or expert determination) and no re-identification occurs, BA status does not arise.
  • Direct-to-consumer apps: Software offered directly to individuals, not on behalf of a Covered Entity, is not a BA. Other laws may still apply, but HIPAA BA obligations do not.
  • Standard payment processing: Financial institutions handling routine consumer-initiated payments without PHI are not BAs. If services extend into functions involving PHI (for example, lockbox operations with EOB details), BA status can apply.

Conclusion

Being a business associate turns on two facts: acting for a Covered Entity and handling PHI. Hosting, support access, or analytics that touch PHI trigger BA status and a BAA, along with robust Information Security controls. Pure transmission without access, de-identified data, or direct-to-consumer models typically do not.

FAQs

What defines a business associate under HIPAA?

A business associate is any non-workforce person or entity that performs functions or services for a Covered Entity (or another BA) that involve creating, receiving, maintaining, or transmitting PHI. The role can include claims processing, data analysis, storage, backup, or other services where PHI is used or disclosed, and it requires a Business Associate Agreement.

How can software vendors determine their status?

Map your data flows, identify whether PHI is present, and assess whether you create, receive, maintain, or transmit it on behalf of a Covered Entity or BA. If you have persistent storage, administrative access, remote support that could expose PHI, or you process PHI for operations or payment, you are a BA and need a BAA plus HIPAA Compliance controls.

What are exceptions for software vendors not handling PHI?

Vendors qualify for exceptions when they have no PHI exposure, such as pure Data Transmission with no routine access or storage (conduit), use only de-identified data, provide direct-to-consumer services not on behalf of a Covered Entity, or perform standard payment processing without PHI. Storing or maintaining ePHI—encrypted or not—generally makes you a BA.

How do covered entities identify business associates?

Inventory all vendors, review scopes of work and integrations, and ask whether the vendor will create, receive, maintain, or transmit PHI. Flag hosting, backups, analytics, support access, and interfaces. For each BA, execute a Business Associate Agreement, assess Information Security controls, and ensure subcontractors handling PHI are also bound by BAAs.
