Which of These Entities Is Considered a Business Associate Under HIPAA?
Claims Processing Services
Claims processing vendors are business associates because they create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a Covered Entity to adjudicate and pay claims. Typical actors include third‑party administrators, claims adjudicators, benefits administrators, and appeals processors supporting health plans or provider groups.
These organizations must execute a Business Associate Agreement (BAA) and implement HIPAA Compliance safeguards. Because their core work requires PHI, the “minimum necessary” standard, role‑based access, and breach reporting duties apply throughout their operations.
- Common functions: intake and validation, coding verification, adjudication, coordination of benefits, prior authorizations, and appeals.
- Required controls: secure intake channels, audit logging, data retention limits, and secure data-sharing with subcontractors.
Data Analysis and Administration
Entities performing data analysis or administrative services for a Covered Entity are business associates when PHI is required to deliver the service. Examples include analytics platforms, population health tools, data warehouses, and vendors performing Data Aggregation to support quality improvement or health care operations.
Administrative Services that rely on PHI—such as record management, medical coding support, document scanning, secure offsite storage, IT hosting, and cloud backup—also fall within business associate status. Even if a cloud provider cannot view encrypted data, it still “maintains” PHI and therefore requires a BAA and full HIPAA Compliance.
- Examples: registry reporting, outcomes analytics, dashboarding, archival and retrieval, and secure messaging tools integrated with EHRs.
- Subcontractors that handle PHI on behalf of a business associate inherit the same obligations and must receive flow‑down BAA terms.
Legal and Accounting Services
Law firms and accounting firms are business associates when their representation or services require access to PHI—such as defending malpractice claims, advising on privacy incidents, supporting reimbursement disputes, or conducting financial and coding audits that use patient information.
Related vendors, including e‑discovery providers, forensic accountants, and external auditors, must also sign BAAs. The BAA should define permitted uses of PHI, enforce the minimum necessary standard, prohibit unauthorized disclosures, and require appropriate administrative, technical, and physical safeguards.
Practice and Utilization Management
Organizations that deliver practice management or Utilization Review on behalf of a Covered Entity are business associates because their work depends on PHI. This includes case management, disease management, medical necessity reviews, referral management, and chart abstraction supporting health plan or provider operations.
If the services can be performed without PHI and none is shared, the vendor is not a business associate. However, most utilization management and operational support services necessarily involve PHI and therefore require a BAA and robust safeguards.
- Typical activities: chart reviews for appropriateness, length‑of‑stay management, pre‑certifications, and care coordination across settings.
- Operational support: scheduling optimization, provider credentialing with PHI, and performance reporting tied to patient records.
Billing and Financial Services
Medical billing companies, revenue cycle management vendors, statement printing/mailers that include treatment details, and collection agencies handling patient balances are business associates because they use PHI to perform their services for Covered Entities.
By contrast, financial institutions engaged solely in standard banking or payment processing generally are not business associates. When a vendor goes beyond basic payment transmission and requires access to clinical or eligibility data to perform Billing and Financial Services, business associate obligations and a BAA apply.
- BA triggers: charge capture support, coding edits using charts, remittance posting that uses PHI, and patient balance outreach with visit details.
- Controls: segregation of duties, encrypted e‑statements, strict vendor oversight, and timely incident response procedures.
Consulting and Management Services
Consultants that provide management, strategic, compliance, accreditation, or Administrative Services are business associates when they need PHI to meet engagement objectives. Examples include HIPAA compliance consulting, operational redesign using real patient records, accreditation reviews that sample charts, or Management Services Organizations (MSOs) running day‑to‑day operations.
Pure advisory work that never involves PHI does not create business associate status. The moment PHI is accessed—directly or via test datasets that can be re‑identified—a BAA, access controls, and downstream subcontractor oversight are required.
- Examples: workflow optimization with live charts, risk adjustment reviews, payer‑contract modeling using encounter data, and accreditation surveys referencing records.
- Key precautions: minimum necessary scoping, de‑identification where feasible, and time‑bound data access with secure destruction.
Confidential PHI Handling Requirements
Once an entity qualifies as a business associate, it must meet specific HIPAA Compliance duties. A Business Associate Agreement is mandatory and must describe permitted uses/disclosures, require safeguards, restrict subcontractor disclosures, mandate breach reporting, and specify termination and return or destruction of PHI.
Business associates must implement comprehensive safeguards: administrative (policies, workforce training, risk analysis), technical (encryption in transit and at rest, unique IDs, role‑based access, audit logs), and physical (facility security, device controls). They must follow the minimum necessary standard and support Covered Entity obligations when their services affect individual rights.
Breach and incident obligations include prompt investigation, mitigation, and notification to the Covered Entity in line with HITECH and the BAA. Business associates must also ensure any subcontractor that handles PHI agrees to equivalent protections and is appropriately monitored.
In short, if a vendor’s service requires PHI—whether for claims processing, data analysis and administration, legal or accounting support, practice and utilization management, billing and financial services, or broader consulting and management—it is a business associate and must operate under a well‑crafted BAA with rigorous safeguards.
FAQs
What defines a business associate under HIPAA?
A business associate is any person or organization, other than a Covered Entity’s workforce, that creates, receives, maintains, or transmits Protected Health Information to perform functions, activities, or services for—or on behalf of—a Covered Entity or another business associate. If PHI is required to do the job, business associate status applies and a BAA is required.
How does HIPAA regulate business associate agreements?
HIPAA requires a written Business Associate Agreement that limits how PHI may be used and disclosed, mandates appropriate safeguards, requires breach and incident reporting, flows down the same duties to subcontractors, allows oversight by the Covered Entity and regulators, and ensures PHI is returned or destroyed at contract end when feasible.
Can a healthcare provider be a business associate?
Yes. While healthcare providers are typically Covered Entities, they can act as a business associate when performing non‑treatment services for another Covered Entity—such as utilization review for a health plan or management services for a practice—that require access to PHI. Provider‑to‑provider disclosures for treatment generally do not require a BAA.
What activities require a business associate agreement?
Representative activities include claims processing or administration; data analysis, Data Aggregation, and Administrative Services that rely on PHI; legal and accounting work using records; utilization management and case or disease management; billing, coding, collections, and revenue cycle operations; and IT hosting, EHR support, secure storage/backup, scanning, and disposal services that maintain PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.