Which Entities Are Considered a HIPAA Business Associate? Definition and Examples

Kevin Henry

HIPAA

July 25, 2025


A HIPAA business associate is any person or organization—other than a covered entity’s workforce—that creates, receives, maintains, or transmits Protected Health Information (PHI) for or on behalf of a covered entity or another business associate. If you use such a vendor, you must have a Business Associate Agreement (BAA) that sets permitted uses, safeguards, breach duties, and other HIPAA compliance obligations.

Use this guide to pinpoint which entities qualify across common categories, when PHI access or data transmission triggers business associate status, and practical examples to help you contract confidently.

Claims Processing Entities

Who qualifies

Organizations that support payment or health plan operations typically qualify as business associates when they handle PHI to adjudicate, manage, or review claims. If they create, receive, maintain, or transmit PHI to perform these services for you, a BAA is required before PHI is shared.

Common examples

  • Third‑Party Administrators (TPAs) and ASO vendors that process eligibility, claims, appeals, and coordination of benefits.
  • Claims processing, repricing, network management, and utilization management/prior authorization vendors that rely on PHI.
  • Revenue cycle management and medical billing companies submitting or correcting claims for provider groups.
  • Eligibility and benefits verification services that ingest patient identifiers and coverage details.

Important nuance

Healthcare clearinghouses are covered entities under HIPAA when performing clearinghouse functions. If a clearinghouse provides separate services involving PHI on your behalf, those specific services may place it in a business associate role, which would require a BAA.

Legal and Accounting Services

Who qualifies

Attorneys, law firms, CPAs, and audit or forensic teams become business associates when their services require PHI access—whether to investigate incidents, defend claims, perform audits, or advise on compliance. PHI access (even if limited or incidental) generally triggers a BAA.

Common examples

  • Outside counsel reviewing medical records in litigation, investigations, or regulatory responses.
  • Accounting firms performing audits, forensic reviews, or reimbursement analyses that rely on PHI.
  • eDiscovery, litigation support, and court reporting vendors engaged by your counsel that host or view PHI as subcontractors.

When they may not be a BA

If a legal or accounting engagement never involves PHI (for example, drafting a lease or advising on corporate structure using no patient data), the provider is not a business associate for that matter.

Consulting and Data Analysis Services

Who qualifies

Consultants that use PHI to improve care delivery, optimize operations, or measure performance are business associates. If your engagement requires PHI access for analytics, benchmarking, or program design, a BAA is necessary.

Common examples

  • Quality improvement, population health, and risk adjustment analytics using diagnosis, procedure, or outcome data.
  • Coding, clinical documentation improvement, and revenue integrity reviews involving patient records.
  • Actuarial or benefits analysis for health plans using enrollment and claims PHI.
  • Data aggregation or de‑identification services (the vendor is a BA until PHI is de‑identified to HIPAA’s standard).

Medical and Telehealth Service Providers

Who qualifies

Vendors that support care delivery on your behalf—especially through technology—are often business associates because they handle ePHI. This includes platforms or service providers you direct to interact with your patients or their data.

Common examples

  • Telehealth platforms, video visit tools, and secure messaging systems that create, receive, maintain, or transmit ePHI.
  • Remote patient monitoring programs and device hubs that collect and route PHI to your clinicians.
  • Medical transcription and scribe services, interpreter services, and nurse triage or after‑hours call centers.
  • Scheduling and patient engagement vendors sending reminders or instructions using PHI.

Important nuance

When you disclose PHI to another independent provider or laboratory for a patient’s treatment, each party acts as its own covered entity; a BAA is not required for that treatment disclosure. When a clinical organization performs services on your behalf (for example, white‑labeled nurse triage for your patients), it functions as your business associate.

Data Storage and IT Service Companies

Who qualifies

Any company that stores, hosts, manages, or supports systems containing ePHI is a business associate—even if it offers “no‑view” or encrypted services. Maintaining PHI triggers HIPAA responsibilities regardless of routine viewing.

Common examples

  • Cloud service providers, colocation facilities, backup and disaster recovery vendors, and data archive services.
  • Email, eFax, secure file transfer, and patient portal hosting when PHI is stored beyond transient relay.
  • Electronic health record (EHR) and practice management vendors, HIE or integration platforms, and API middleware.
  • Managed service providers (MSPs), device management, patching, and help desk teams with administrative access to PHI systems.

Data transmission vs. conduit

Pure “conduits” that only provide transient data transmission without persistent storage (for example, certain telecommunications or postal carriers) are generally not business associates. If a vendor persistently stores or can access PHI—directly or through system administration—it is a business associate and must sign a BAA.

Marketing and Accreditation Organizations

Who qualifies

Marketing or outreach vendors become business associates when they use PHI to perform services on your behalf, such as targeted patient communications, segmentation, or printing and mailing with patient identifiers. HIPAA’s marketing rules may also require patient authorization for certain communications, even with a BAA in place.

Common examples

  • Marketing agencies, CRM and marketing automation platforms integrated with PHI, and survey vendors handling patient identifiers.
  • Print shops and mail houses producing statements, notices, and patient outreach using PHI.
  • Accreditation bodies and certification organizations that review records or samples containing PHI to assess compliance.

Subcontractors and Covered Entity Relationships

Subcontractors

Subcontractors of your business associates that create, receive, maintain, or transmit PHI are themselves business associates. Your BA must execute BAAs with these subcontractors, and the same HIPAA compliance obligations (privacy, security, breach notification) flow down the chain.

Covered entities acting as business associates

A covered entity can also be a business associate when it performs services for another organization that involve PHI (for example, a hospital billing office handling claims for an affiliated clinic). By contrast, PHI shared between covered entities for a patient’s treatment does not require a BAA.

FAQs

What defines a HIPAA business associate?

A HIPAA business associate is a person or organization—outside your workforce—that performs functions or services for you and creates, receives, maintains, or transmits PHI in doing so. PHI access or maintenance, including electronic PHI through hosting or administration, triggers business associate status and the need for a BAA.

Which entities must sign a business associate agreement?

Any vendor or subcontractor that will create, receive, maintain, or transmit PHI for your organization must sign a Business Associate Agreement before PHI is shared. This includes cloud hosting and backup providers, telehealth and messaging platforms, billing and analytics firms, legal and accounting teams with PHI access, and marketing or accreditation vendors that handle PHI for you.

Can covered entities be business associates?

Yes. A covered entity can act as a business associate when it is contracted to perform services for another organization that involve PHI. However, when PHI is exchanged between covered entities for a patient’s treatment, no BAA is required for that disclosure.

What roles do subcontractors play under HIPAA?

Subcontractors that create, receive, maintain, or transmit PHI on behalf of your business associate are also business associates. They must sign BAAs with the upstream BA and meet the same HIPAA compliance requirements, ensuring protections follow PHI across every layer of data transmission and PHI access.
