What Is a Business Associate? Examples Under HIPAA
Definition of Business Associate
A business associate is any person or organization, other than a covered entity’s workforce, that performs functions or services for a covered entity and requires access to Protected Health Information (PHI). If an entity creates, receives, maintains, or transmits PHI on behalf of a covered entity, it is a business associate and must meet HIPAA compliance obligations.
Business associates may also support another business associate. In every case, their work involves PHI or electronic PHI (ePHI), and they are bound by privacy and security standards that limit how PHI can be used or disclosed.
Key elements of the definition
- Performs functions or provides services for or on behalf of a covered entity.
- Access to PHI is required to perform those tasks; mere incidental contact is not enough.
- Includes vendors that create, receive, maintain, or transmit PHI, even if they never open a file (for example, data hosting).
- Excludes members of the covered entity’s workforce.
Examples of Business Associates
Many vendors that support care delivery and operations qualify as business associates because their services depend on PHI. Below are common, practical examples you might encounter.
- Medical billing companies and revenue cycle management vendors.
- Third-party administrators for group health plans.
- Electronic health record (EHR) and practice management software providers.
- Cloud storage, data backup, and managed IT service providers that host or maintain PHI.
- Data analytics, quality improvement, and population health vendors handling PHI.
- Legal, accounting, actuarial, consulting, and accreditation firms receiving PHI to perform services.
- Collections agencies, medical transcription, scanning, and document destruction/shredding services.
- Secure messaging, e-prescribing, and patient engagement platforms that store or route PHI.
- Health information exchange or health information network operators.
Business Associate Agreement Requirements
A Business Associate Agreement (BAA) is a written contract that defines how a business associate may use and disclose PHI and the safeguards it must maintain. A covered entity must have a BAA in place before sharing PHI for services that create a business associate relationship.
The BAA allocates responsibilities, sets breach reporting expectations, and ensures subcontractors uphold the same protections. It is central to HIPAA compliance and enforceable alongside HIPAA’s rules.
Core terms every Business Associate Agreement should include
- Permitted and required uses and disclosures of PHI, with a clear “minimum necessary” standard.
- Administrative, physical, and technical safeguards for ePHI, including risk analysis and access controls.
- Obligation to report any security incident, breach, or unauthorized disclosure to the covered entity without unreasonable delay and no later than 60 calendar days after discovery.
- Flow-down terms requiring subcontractors to agree in writing to the same restrictions and safeguards.
- Support for individual rights (access, amendment, and accounting of disclosures) as applicable.
- Commitment to make internal practices and records available to regulators for compliance review.
- Return or secure destruction of PHI at contract end, or continued protections if destruction is infeasible.
- Right to terminate the agreement if the business associate materially breaches HIPAA obligations.
Practical drafting tips
- Define breach notification timelines, contact points, and incident details to be provided.
- Specify encryption-at-rest/in-transit, auditing, and logging expectations proportionate to risk.
- Clarify data retention, return/destruction procedures, and transition support at termination.
- Address subcontractor due diligence, ongoing monitoring, and allocation of subcontractor liability.
Exclusions from Business Associate Definition
Not every vendor with incidental exposure to PHI is a business associate. Whether an entity qualifies turns on its role, purpose, and the nature of PHI access.
- Workforce members of a covered entity (employees, volunteers, trainees) are not business associates.
- Health care providers receiving PHI for treatment purposes are not business associates of the disclosing provider.
- “Conduits” that merely transport information—like the postal service or certain telecom carriers—without persistent storage of PHI are not business associates.
- Entities receiving only de-identified data are not business associates.
- Recipients of a limited data set under a data use agreement for research, public health, or health care operations are not automatically business associates unless they also perform services for the covered entity.
- Banks and payment processors engaged solely in standard consumer payment processing without PHI are typically not business associates.
Subcontractors of Business Associates
A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate. It inherits HIPAA responsibilities and can face enforcement for its own violations.
The primary business associate must execute a written subcontractor BAA that mirrors the main BAA’s protections, monitor performance, and remain accountable for subcontractor liability under the agreement and HIPAA.
Best practices for managing subcontractor liability
- Perform risk-based due diligence, including security questionnaires, audits, and references.
- Flow down security controls (encryption, access management, logging, vulnerability management).
- Set clear breach notification duties and cooperation requirements for investigations and mitigation.
- Limit PHI to the minimum necessary and segment environments to reduce blast radius.
- Reserve audit and termination rights; require periodic compliance attestations.
Direct Liability of Business Associates
Business associates are directly liable under HIPAA for impermissible uses or disclosures of PHI, failure to implement Security Rule safeguards, and failure to provide timely breach notification to the covered entity. They must also ensure that their subcontractors protect PHI to the same standard.
Direct liability means regulators can enforce against a business associate even if the covered entity did everything right. Contractual remedies under the BAA are in addition to regulatory enforcement.
Enforcement and penalties
HIPAA is enforced primarily by the U.S. Department of Health and Human Services’ Office for Civil Rights. Violations can result in corrective action plans, monitoring, and civil penalties calibrated to the nature and culpability of the violation. State attorneys general may also bring actions, and contract damages may apply.
Common risk scenarios include unsecured cloud storage, lost or stolen devices without encryption, misdirected emails or mailings, excessive user access, and unauthorized disclosure through improper workforce practices.
Covered Entities as Business Associates
A covered entity can act as a business associate of another covered entity when it performs services or activities on behalf of the other organization that involve PHI and are not for its own treatment, payment, or health care operations. In those cases, a BAA between the covered entities is required.
For example, if a hospital provides billing services for an independent physician practice, the hospital acts as the practice’s business associate for that service. By contrast, a provider that receives PHI for treatment is not a business associate for that exchange.
Practical implications for HIPAA compliance
- Execute a BAA when one covered entity performs PHI-related services for another’s benefit.
- Segregate PHI, systems, and workforce roles to distinguish BA activities from your own operations.
- Track disclosures, manage minimum necessary access, and maintain audit trails for BA functions.
Conclusion
Business associates are essential partners in health care operations, but their access to PHI brings direct HIPAA obligations. With a precise Business Associate Agreement, rigorous safeguards, and vigilant oversight of subcontractors, you can protect PHI, reduce enforcement risk, and sustain compliant vendor relationships.
FAQs
Who qualifies as a business associate under HIPAA?
Any person or organization, other than a covered entity’s workforce, that performs functions or services for a covered entity and needs to create, receive, maintain, or transmit PHI qualifies as a business associate. The same applies to subcontractors handling PHI on behalf of a business associate.
What are the requirements for business associate agreements?
A BAA must define permitted uses and disclosures of PHI; require administrative, physical, and technical safeguards; mandate breach and incident reporting; flow down protections to subcontractors; support individual rights where applicable; provide for regulatory access; and address PHI return or destruction and termination for material breach.
Are subcontractors considered business associates?
Yes. Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is also a business associate and must sign a subcontractor BAA with equivalent protections and obligations.
What penalties do business associates face for HIPAA violations?
Business associates may face investigations, corrective action plans, and civil monetary penalties for impermissible uses or disclosures, inadequate safeguards, or failure to notify of breaches. They can also face contract damages under the BAA and actions by state attorneys general.