Who Counts as a Business Associate Under HIPAA? Examples and Requirements
Definition of Business Associate
A business associate under HIPAA is any person or organization that performs functions or services for a covered entity and needs access to Protected Health Information (PHI) to do so. PHI includes any individually identifiable health information in any form—oral, paper, or electronic (ePHI).
Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. When a vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity, that vendor is a business associate and must follow HIPAA’s Privacy, Security, and Breach Notification Rules.
Core criteria
- Performs a function or activity for or on behalf of a covered entity that involves PHI.
- Provides services—such as billing, data analysis, or IT support—that require PHI access.
- Maintains or stores PHI (including ePHI), triggering HIPAA Security Rule obligations.
- Is not part of the covered entity’s workforce (employees and volunteers are not business associates).
When a Business Associate Agreement is required
A Business Associate Agreement (BAA) is required before PHI is shared with a vendor. If a task can be completed without PHI or uses properly de-identified data, the vendor is not a business associate and a BAA is not required.
Examples of Business Associates
Whether an organization is a business associate depends on what it does with PHI—not its industry label. Common examples include:
- Billing, claims processing, and revenue cycle management companies.
- Cloud service providers, data centers, and backup vendors that store ePHI—even if encrypted.
- Electronic health record (EHR) vendors, patient portal providers, and telehealth platforms serving covered entities.
- IT support, managed security providers, and medical device servicing companies with PHI access.
- Legal counsel, auditors, and consultants performing compliance, risk, or litigation support using PHI.
- Transcription, medical scribing, coding, and data analytics services.
- Health Information Exchanges and data aggregation services.
- Shredding, media disposal, and scanning vendors handling PHI.
Clarifications and edge cases
- Mere transmission conduits (for example, postal services or certain telecom carriers) are typically not business associates if they do not access or store PHI other than transiently.
- A cloud or messaging provider that stores PHI—even without viewing it—counts as a business associate because it maintains PHI.
- Healthcare providers sharing PHI for treatment purposes are not business associates to one another for that activity.
Business Associate Agreements
A Business Associate Agreement defines how PHI may be used and protected. It contractually requires PHI safeguards and sets accountability for unauthorized disclosure, breaches, and ongoing compliance.
Required elements to include
- Permitted and required uses/disclosures of PHI, with “minimum necessary” limitations.
- Administrative, physical, and technical PHI safeguards consistent with the HIPAA Security Rule.
- Obligation to report security incidents and potential breaches to the covered entity without unreasonable delay (no later than 60 days after discovery).
- Flow-down requirement: subcontractors must agree to the same restrictions and safeguards through a BAA.
- Support for individual rights (access, amendments, and accounting of disclosures) as directed by the covered entity.
- Return or secure destruction of PHI at contract termination when feasible.
- Right to terminate for material breach and duty to make practices available to regulators upon request.
Operational best practices
- Conduct a risk analysis, implement encryption and access controls, and maintain audit logs.
- Train workforce members, manage user provisioning, and enforce strong authentication.
- Document incident response, breach assessment, and notification procedures.
- Regularly review BAAs and verify that PHI safeguards remain effective as systems change.
Subcontractors of Business Associates
Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates. The primary business associate must execute BAAs with such subcontractors and ensure equivalent PHI safeguards.
Due diligence and oversight
- Map PHI data flows and identify every subcontractor touching PHI.
- Evaluate security controls, breach history, and incident response capabilities.
- Require prompt reporting of security incidents and allow reasonable audit or attestation.
- Ensure secure data return or destruction when the relationship ends.
Entities Not Considered Business Associates
Some parties interact with PHI but are not business associates for specific activities:
- Workforce members of a covered entity (employees and volunteers).
- “Conduits” that only transport information and do not store PHI other than transiently.
- Healthcare providers exchanging PHI for treatment of a patient.
- Financial institutions processing consumer payments or clearing checks for routine banking activities.
- Recipients of properly de-identified data, which is not PHI.
- Third parties receiving PHI directly from individuals under a valid authorization (they are not acting on behalf of a covered entity).
If any of these parties begin performing services that require ongoing access to PHI on behalf of a covered entity, their status may shift and a BAA could be required.
Direct Liability of Business Associates
Business associates are directly liable under HIPAA for compliance failures, not just contractual breaches. Liability covers improper uses or disclosures of PHI, failure to provide adequate PHI safeguards, and noncompliance with the HIPAA Security Rule for ePHI.
What direct liability includes
- Implementing and maintaining Security Rule safeguards (risk management, access controls, audit logging, integrity, and transmission security).
- Using or disclosing PHI only as permitted by the Privacy Rule, the BAA, or as required by law; unauthorized disclosure can trigger enforcement.
- Providing breach notifications to the covered entity and cooperating in investigations.
- Ensuring subcontractors sign BAAs and follow equivalent requirements.
- Providing access to designated record set information as directed by the covered entity.
Enforcement and penalties
HHS and the Department of Justice may enforce HIPAA against business associates. Civil penalties are tiered based on culpability (from lack of knowledge to willful neglect) and can escalate with repeated or uncorrected violations. Prompt detection, correction, and documentation can significantly reduce civil penalties and overall enforcement exposure.
Key takeaways
- If you create, receive, maintain, or transmit PHI for a covered entity, you are likely a business associate under HIPAA.
- A Business Associate Agreement must be in place before PHI is shared, and its requirements must flow down to subcontractors.
- Strong, documented PHI safeguards and timely breach reporting are essential to reduce risk and civil penalties.
FAQs
What activities define a business associate under HIPAA?
Any function or service performed for a covered entity that requires creating, receiving, maintaining, or transmitting PHI defines a business associate role. Examples include billing, IT hosting of ePHI, data analytics, legal support using PHI, and disposal services handling PHI.
Who must sign a business associate agreement?
Every vendor or partner that needs PHI to perform work for a covered entity must sign a Business Associate Agreement. The requirement also applies to subcontractors of business associates that handle PHI.
Are subcontractors considered business associates?
Yes. Subcontractors that handle PHI on behalf of a business associate are business associates themselves. They must sign a BAA with the primary business associate and implement equivalent PHI safeguards.
What penalties apply to business associates under HIPAA?
Business associates face tiered civil monetary penalties for violations such as unauthorized disclosure or failure to implement required safeguards, with higher penalties for willful neglect and repeated or uncorrected issues. Criminal penalties may apply in egregious cases involving wrongful disclosures.