What Business Associates Are Not Permitted to Do Under HIPAA


Kevin Henry

HIPAA

September 25, 2025

6 minute read
Business associates are vendors and service providers that create, receive, maintain, or transmit protected health information (PHI) for covered entities. To maintain HIPAA compliance, you must avoid prohibited PHI activities, limit any authorized disclosure to what is specifically permitted, and operate strictly within your contract.

Restrict Unauthorized PHI Use and Disclosure

You may use or disclose PHI only as allowed by your business associate agreement and applicable law. Anything outside those permissions is an unauthorized use or disclosure, even if done with good intentions or for perceived operational efficiency.

  • Do not access PHI out of curiosity, convenience, or to “help” without a documented, authorized disclosure pathway and a legitimate need-to-know.
  • Do not disclose PHI to third parties (including parent companies, affiliates, or contractors) unless they are explicitly authorized and bound by equivalent safeguards.
  • Do not disclose more than the minimum necessary PHI to accomplish an approved task.
  • Do not sell PHI or receive remuneration for PHI disclosures without a valid authorization where required.
  • Do not re-identify de-identified data or combine PHI with other datasets for purposes not permitted by contract.
  • Do not store PHI on unapproved systems or personal devices, or move PHI to regions or environments that your agreement does not allow.

Prohibit PHI Use for Marketing and Fundraising

You may not use PHI to promote your own products or services. Marketing communications that rely on PHI generally require an authorization, and using ad platforms or data brokers with PHI is prohibited unless your arrangement specifically permits it and all HIPAA requirements are met.

  • Do not send marketing messages using PHI, accept payment to send such messages, or enrich advertising audiences with PHI.
  • Do not build or share fundraising lists containing diagnosis, treatment, or clinical details; fundraising activity must be limited, contracted, and respect opt-outs.
  • Do not transfer PHI to social media, analytics, or advertising tools that lack a business associate agreement or that do not support HIPAA compliance.

Enforce PHI Safeguards and Security

You are not permitted to neglect safeguards. The HIPAA Security Rule requires administrative, physical, and technical controls appropriate to your risks and operations. Safeguarding PHI is a continuous obligation, not a one-time setup.

  • Do not transmit PHI over insecure channels or disable encryption where it is appropriate and feasible.
  • Do not share user accounts, bypass multi-factor authentication, or disable audit logs and monitoring.
  • Do not skip risk analysis, risk management, workforce training, or vendor due diligence for subcontractors handling PHI.
  • Do not upload PHI to cloud services, collaboration tools, or AI systems that are not covered by a binding business associate agreement.
  • Do not dispose of PHI (paper or electronic) without secure destruction methods and verifiable documentation.

Prevent PHI Use for Personal Gain

HIPAA bars any personal use of PHI that benefits you or harms individuals. Your workforce must be trained and monitored to stop misuse, even if the data is accessible on your systems.

  • Do not look up PHI of family, friends, celebrities, or colleagues without a legitimate, authorized work reason.
  • Do not use PHI for identity theft, harassment, employment decisions, lending or credit screening, or competitive intelligence.
  • Do not post PHI on forums, messaging apps, or social media—even if you “anonymize” it informally.
  • Do not use PHI to develop unrelated products, research, or training datasets unless expressly permitted and properly authorized.

Mandate Prompt Breach Reporting

When a breach or likely compromise of unsecured PHI occurs, you must provide PHI breach notification to the covered entity without unreasonable delay and no later than 60 days after discovery. Do not wait for every detail before alerting them.

  • Do not conceal, delay, or underreport incidents; escalate internally within hours, preserve logs, and begin containment and mitigation immediately.
  • Provide the covered entity with timely facts: what happened and when, the types of PHI involved, the number of individuals affected, mitigation steps, and recommended actions for risk reduction.
  • Document your investigation, decisions, and corrective actions to demonstrate HIPAA compliance and continuous improvement.

Limit PHI Handling to Contracted Purposes

Your business associate agreement defines why you may handle PHI, how, where, and for how long. You must adhere to the minimum necessary standard and avoid any secondary use that is not expressly permitted.

  • Do not repurpose PHI for analytics, profiling, product development, or benchmarking unless the contract permits it and appropriate de-identification or authorization is in place.
  • Do not commingle PHI between customers or reuse it to improve services offered to other clients without explicit permission.
  • Do not retain PHI longer than necessary; return or securely destroy PHI when the contracted purpose ends or the agreement terminates, unless retention is legally required or contractually permitted.

Comply with HIPAA Business Associate Agreements

You must not receive or handle PHI without a fully executed business associate agreement. The agreement’s privacy, security, and breach terms are binding—and they must flow down to all subcontractors that touch PHI on your behalf.

  • Do not begin services involving PHI before the agreement is signed and effective.
  • Do not deviate from the agreement’s permitted uses/disclosures, breach reporting timelines, or safeguard requirements.
  • Do not engage subcontractors for PHI tasks without written contracts that impose the same HIPAA obligations.
  • Do not block covered entities from fulfilling patient rights; you must assist with access, amendment, and accounting of disclosures as required.
  • Do not refuse oversight; make relevant records available to authorized regulators and honor audit obligations.

Taken together, these restrictions mean you should handle PHI only for contracted purposes, implement robust safeguards, avoid marketing or personal use, and report incidents quickly. Doing so strengthens your safeguarding of PHI and keeps your organization aligned with HIPAA compliance.

FAQs

What activities are business associates prohibited from performing with PHI?

You may not use or disclose PHI beyond what your agreement permits, sell PHI, use it for marketing or fundraising for your own benefit, access PHI out of curiosity, move PHI to unapproved systems, neglect required safeguards, or repurpose PHI for analytics or product development without explicit authorization. Any disclosure must be an authorized disclosure, limited to the minimum necessary.

How must business associates handle PHI breaches?

Act immediately to contain and investigate, preserve evidence, assess risk, and notify the covered entity without unreasonable delay and no later than 60 days after discovery. Provide enough detail for the covered entity’s PHI breach notification—what happened, when it occurred and was discovered, who was affected, the PHI types involved, mitigation steps taken, and how recurrence will be prevented—then track remediation to closure.

Are business associates allowed to use PHI for marketing?

No. You cannot use PHI to market your own services, enrich ad platforms, or accept payment to send marketing messages using PHI. Limited communications on behalf of a covered entity may be allowed only if your business associate agreement permits them and, where required, the individual has provided a valid authorization with clear opt-out options.

What are the consequences of unauthorized PHI disclosure?

Consequences can include contractual remedies (including termination and indemnification), regulatory investigations, civil monetary penalties, mandated corrective action plans and monitoring, potential criminal liability for willful misuse, state enforcement, costly breach response obligations, and lasting reputational harm. Robust safeguards and disciplined incident reporting are essential to reduce these risks.
