Under HIPAA, a Person or Entity That Provides Services to a Covered Entity Is Called a Business Associate
Definition of Business Associate
Under HIPAA, a business associate is any person or organization, other than a covered entity’s workforce, that creates, receives, maintains, or transmits Protected Health Information (PHI) to perform functions or activities for, or provide certain services to, a covered entity. This includes a subcontractor that handles PHI on behalf of a business associate.
The Workforce Exclusion means employees, volunteers, and trainees under the direct control of the organization are not business associates. If a vendor’s role requires routine or reasonably anticipated access to PHI, that vendor is a business associate: it must sign a Business Associate Agreement (BAA) before receiving PHI, and since the 2013 Omnibus Rule it is directly liable under HIPAA for compliance with the Security Rule and with the Privacy Rule provisions that apply to it.
If a service can be provided without PHI—or only uses properly de-identified data—it generally does not create a business associate relationship. The trigger is whether PHI will be created, received, maintained, or transmitted for the covered entity’s purposes.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Examples of Business Associate Functions
- Claims processing or administration for a health plan.
- Data analysis, processing, or administration that uses PHI for operations.
- Utilization review and quality assurance that evaluate clinical performance.
- Billing, coding, and collections performed for a provider using PHI.
- Benefit management and practice management activities requiring PHI access.
- Health information exchange, record locator, or e-prescribing gateway functions.
- Medical transcription, imaging normalization, or data conversion involving PHI.
Examples of Business Associate Services
- Legal, actuarial, accounting, and consulting services that need PHI to advise you.
- Management, administrative, accreditation, and financial services using PHI.
- Information technology services, including EHR hosting, cloud storage/backup, managed services, and cybersecurity, when systems store or process PHI. A cloud service provider that stores encrypted ePHI is a business associate even if it never holds the decryption key, because maintaining the PHI is enough to meet the definition.
- Data Aggregation Services that combine PHI from multiple covered entities for those entities’ health care operations.
- Shredding, media disposal, scanning, and records archiving vendors handling PHI.
- Patient engagement, messaging, and call center services that access PHI.
Exclusions from Business Associate Definition
- Workforce Exclusion: employees, volunteers, and trainees under your direct control are not business associates; they are your workforce and must follow your internal policies.
- Conduits and couriers: entities that merely transport information (for example, postal services, couriers, or standard telecom carriers and ISPs) without routine access to PHI content. The exception is narrow: storage that is more than incidental to transmission, such as hosting or backup, puts the vendor outside it.
- Treatment disclosures: a provider receiving PHI for treatment is generally acting as a covered entity, not as your business associate.
- De-identified data only: vendors using data that meets HIPAA’s de-identification standard are not business associates for that activity.
- Limited financial transactions: banks processing consumer-initiated payments without access to medical details typically are not business associates.
Requirement for Business Associate Agreements
Before you share PHI with a vendor that qualifies as a business associate, you must execute a written Business Associate Agreement. The BAA documents the permitted uses and disclosures of PHI and requires the business associate to implement PHI safeguards and comply with applicable HIPAA rules. The required elements of the agreement are set out at 45 CFR 164.504(e).
Core terms a BAA should address
- Permitted and required PHI uses/disclosures and Minimum Necessary limits.
- Administrative, physical, and technical PHI safeguards aligned to the Security Rule.
- Breach Notification duties: the business associate must report breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery (many BAAs set a shorter contractual window), and must report other security incidents as the agreement specifies.
- Downstream subcontractors must sign comparable agreements and meet the same safeguards.
- Support for individual rights: access, amendment, and accounting of disclosures when the covered entity is obligated to provide them.
- Return or secure destruction of PHI at contract end if feasible; where it is not feasible, the business associate must extend the agreement’s protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
- Right to terminate for a material breach and required steps if cure is not feasible.
Direct HIPAA Compliance obligations for business associates
- Conduct risk analysis and implement appropriate PHI safeguards.
- Train workforce members and manage access based on job roles.
- Monitor, log, and respond to security incidents; maintain required documentation.
- Maintain and enforce policies and procedures that support HIPAA Compliance.
Summary and Key Takeaways
- If a vendor’s work involves PHI for your operations or services, it is a business associate.
- Put a BAA in place before sharing PHI and require subcontractor flow-downs.
- Ensure concrete PHI safeguards and breach response processes are documented and tested.
FAQs
What is a business associate under HIPAA?
A business associate is a person or entity outside your workforce that creates, receives, maintains, or transmits PHI for functions or services on behalf of your covered entity, including any subcontractor that handles PHI for that vendor.
What types of services do business associates provide?
Common services include legal, accounting, consulting, management, accreditation, and financial services; IT hosting and cloud operations; patient communications; and Data Aggregation Services. If the work requires access to PHI, the provider is a business associate.
Are workforce members considered business associates?
No. Under the Workforce Exclusion, employees, volunteers, and trainees under your direct control are part of your workforce—not business associates—though they must follow your HIPAA policies and training.
What are the requirements for business associate agreements?
A Business Associate Agreement must specify permitted PHI uses/disclosures, require appropriate PHI safeguards, mandate breach notification, flow down obligations to subcontractors, support individual rights (access, amendment, accounting), address PHI return or destruction at termination, and allow contract termination for material breach.