What Does “Business Associate” Mean? Definition and Examples

What Does “Business Associate” Mean? Definition and Examples

Kevin Henry

HIPAA

July 02, 2025


Definition of Business Associate

In healthcare, a business associate is any person or organization that performs functions or provides services for a covered entity—such as a health plan, healthcare provider, or clearinghouse—that involve the use or disclosure of protected health information (PHI). If you create, receive, maintain, or transmit PHI on a covered entity’s behalf, you are a business associate under HIPAA.

Subcontractors of business associates who handle PHI are also business associates and must meet HIPAA compliance requirements. A business associate agreement formalizes the relationship and sets boundaries for PHI disclosure, information safeguarding, and accountability. This guide explains what “business associate” means, offers a clear definition, and provides practical examples.

Examples of Business Associates

  • Revenue cycle and claims services: medical billing companies, coding vendors, and clearinghouses that process PHI for payment and operations.
  • Health IT and cloud providers: EHR vendors, cloud storage platforms, data backup services, and managed service providers that host or support PHI systems.
  • Professional services: attorneys, accountants, actuaries, and consultants who access PHI while advising covered entities.
  • Patient engagement and communications: call centers, texting platforms, mail houses, and print vendors that send appointment reminders or statements containing PHI.
  • Analytics and quality programs: data aggregation firms, utilization review vendors, and population health or risk adjustment partners handling identifiable data.
  • Transcription and documentation: medical scribes, dictation/transcription services, and document imaging or scanning companies.
  • Logistics and destruction: records storage providers and shredding companies that store or dispose of media containing PHI.
  • Third‑party administrators and PBMs: vendors assisting health plans with enrollment, claims adjudication, or pharmacy benefits involving PHI.

Exclusions from Business Associate Definition

  • Workforce members: a covered entity’s employees, volunteers, and trainees are part of the workforce, not business associates.
  • Conduits: courier services and telecom carriers that merely transmit information without routine access to PHI (for example, postal services) are not business associates.
  • Treatment disclosures: a healthcare provider sharing PHI with another provider for treatment does so as a covered entity, not as a business associate.
  • Individuals and personal representatives: disclosures of PHI to the patient or authorized personal representative do not create a business associate relationship.
  • De‑identified data: vendors receiving only properly de‑identified data are not business associates because the information is no longer PHI.
  • Financial transactions: banks processing standard consumer payments without access to medical information are not business associates.
  • Researchers in certain contexts: researchers are not business associates when accessing PHI under other HIPAA pathways (such as authorization or IRB waiver), unless they perform services for the covered entity that involve PHI.

Business Associate Agreements (BAAs)

A business associate agreement is a written, legally binding contract that defines how a business associate may use and disclose PHI, and how it will protect that information. You must have a BAA in place before a vendor or subcontractor accesses PHI.

Core elements typically included

  • Permitted and required uses/disclosures of PHI and explicit prohibitions on unauthorized PHI disclosure.
  • Security Rule alignment: administrative, physical, and technical safeguards to ensure HIPAA compliance and robust information safeguarding.
  • Breach and incident reporting: prompt notice to the covered entity of any security incident or breach, without unreasonable delay and no later than 60 days after discovery.
  • Subcontractor flow‑down: a requirement that subcontractors who handle PHI agree to the same restrictions and safeguards in a written BAA.
  • Individual rights support: processes to help the covered entity provide access, amendment, and an accounting of disclosures.
  • Regulatory cooperation: making internal practices, books, and records available to the U.S. Department of Health and Human Services upon request.
  • Termination and data disposition: return or secure destruction of PHI at contract end, if feasible, and continued protection where destruction is infeasible.
  • Remedies for breach: authorization for the covered entity to terminate the agreement for material violations.

Safeguarding Protected Health Information

Business associates must implement layered safeguards that meet HIPAA’s Security Rule and support the Privacy Rule. Effective programs blend policies, technology, and monitoring to reduce risk and demonstrate compliance.

Administrative safeguards

  • Risk analysis and risk management to identify threats, document mitigation, and prioritize controls.
  • Policies and procedures for access, minimum necessary use, change management, vendor oversight, and PHI disclosure handling.
  • Workforce training, role‑based access, sanctions for violations, and background checks where appropriate.
  • Contingency planning: backups, disaster recovery, and periodic testing of business continuity plans.

Technical safeguards

  • Encryption of PHI in transit and at rest; strong authentication (for example, MFA) and session management.
  • Role‑based access controls, network segmentation, and least‑privilege provisioning.
  • Audit logging, centralized monitoring, and alerting on anomalous activity.
  • Secure development practices, vulnerability management, timely patching, and third‑party penetration testing.

Physical safeguards

  • Facility access controls, visitor logs, and environmental protections for data centers and offices.
  • Device and media controls, including workstation security, secure storage, and certified destruction of PHI media.

Operational practices

  • Data lifecycle governance: intake, classification, retention, and defensible disposal tied to regulatory and contractual requirements.
  • Subcontractor due diligence and ongoing oversight to ensure downstream HIPAA compliance.
  • Incident response playbooks, tabletop exercises, and coordinated compliance reporting to covered entities.

Roles and Responsibilities of Business Associates

As a business associate, you are directly accountable under HIPAA for safeguarding PHI and for limiting use and disclosure to what the contract and law allow. You must also support the covered entity’s compliance obligations and maintain clear evidence of your controls.

  • Execute and honor a business associate agreement before handling PHI, and flow requirements to subcontractors.
  • Implement administrative, technical, and physical safeguards proportionate to risk, and evaluate them periodically.
  • Use or disclose PHI only as permitted; apply the minimum necessary standard to routine operations.
  • Maintain processes for access, amendment, and accounting of disclosures to support individual rights.
  • Monitor for incidents, investigate promptly, mitigate harm, and provide breach notifications and compliance reporting to the covered entity.
  • Retain required documentation for at least six years and cooperate with regulatory inquiries or audits.
  • Train your workforce, assign a security official, enforce sanctions for violations, and promote a culture of HIPAA compliance.

Conclusion

In short, a business associate is any vendor or partner that handles PHI for a covered entity. With a clear business associate agreement, disciplined safeguards, and timely reporting, you can meet HIPAA compliance expectations, reduce risk, and build trust with your healthcare clients.

FAQs

What is a business associate in healthcare?

A business associate is a vendor or partner that creates, receives, maintains, or transmits protected health information for a covered entity. Examples include billing companies, EHR vendors, cloud providers, and consultants who need PHI to perform contracted services.

How does a business associate agreement work?

A business associate agreement defines how PHI may be used and disclosed, mandates safeguards, and sets duties like breach notification, subcontractor controls, and data return or destruction. It aligns the vendor’s practices with HIPAA compliance and makes obligations enforceable.

Who is excluded from being a business associate?

Workforce members of a covered entity, conduits that only transmit data without routine access, providers sharing PHI for treatment, recipients of de‑identified data, and banks processing standard payments are not business associates. These activities do not create a BAA requirement.

What responsibilities do business associates have under HIPAA?

Business associates must implement safeguards, follow the minimum necessary standard, report incidents and breaches promptly, support access/amendment and accounting of disclosures, flow down requirements to subcontractors, maintain documentation, and cooperate with audits—core pillars of HIPAA compliance.
