Who Counts as a HIPAA Business Associate? A 3-Step Test with Role-Based Examples
Definition of Business Associate
A HIPAA business associate is any person or entity that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity for a regulated function or service. The core definition appears in 45 CFR 160.103 and applies whether PHI is paper or electronic (ePHI).
Under the Omnibus Rule, the definition expands to include vendors and subcontractors that handle PHI for a business associate. If you touch PHI while performing work for a covered entity or another business associate, you likely meet the definition.
The 3-Step Test
- Step 1 — PHI touchpoint: Will you create, receive, maintain, or transmit PHI (not de-identified data)? If yes, continue.
- Step 2 — On behalf of: Are you acting for a covered entity or another business associate, rather than as part of their workforce? If yes, continue.
- Step 3 — Regulated function/service: Is the work a HIPAA-regulated function or service (for example, claims, billing, data analysis, or legal/IT support)? If yes to all three, you are a business associate.
Borderlines and exceptions
- Workforce members of a covered entity are not business associates.
- Mere conduits (for example, the postal service) that do not access PHI beyond transient transmission are not business associates.
- Using de-identified data is outside HIPAA’s PHI scope; re-identification or maintaining a key can trigger business associate status.
- Treatment disclosures between providers generally do not create a business associate relationship.
Functions and Activities of Business Associates
Business associates perform “functions or activities” involving PHI on behalf of covered entities. Typical activities listed in 45 CFR 160.103 include claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and repricing.
They may also support operations that inherently require access to PHI, such as creating reports, extracting data for audits, or maintaining systems that store ePHI. If PHI access is routine or reasonably foreseeable, you should assume business associate obligations apply.
Operational triggers
- Persistent custody of PHI (for example, storing backups or archives).
- Programmatic access (for example, APIs, analytics, data mapping, or conversion).
- Human access for support (for example, help desk, coding, transcription, or review).
- Security-relevant access (for example, encryption key management or incident response on systems with ePHI).
Data Aggregation Services
“Data aggregation” (as referenced in HIPAA rules) allows a business associate to combine PHI from multiple covered entities to support health care operations if expressly permitted by the Business Associate Agreement (BAA). You must apply the minimum necessary standard and maintain safeguards consistent with the Security Rule.
Services Provided by Business Associates
HIPAA enumerates common services where business associate status is typical. These include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services, especially where PHI is needed to deliver the service.
Modern examples include EHR hosting, cloud storage, managed service providers, data centers, email relays with ePHI, eFax and scanning, print-and-mail vendors, call centers, revenue cycle management, medical transcription, coding, and analytics. Even “no-view” cloud providers are business associates if they maintain ePHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
PHI-dependent service patterns
- Revenue and claims: clearinghouse functions, billing and collections, prior authorization support.
- IT and infrastructure: backup, disaster recovery, patching, and monitoring of ePHI systems.
- Professional services: attorneys, auditors, actuaries, and consultants who review PHI.
- Patient engagement: contacting individuals using PHI for care coordination (subject to marketing limits).
Role of Subcontractors
A subcontractor is any person or entity to whom a business associate delegates a function, activity, or service that involves PHI. Under 45 CFR 160.103 and the Omnibus Rule, such subcontractors are themselves business associates and must meet HIPAA obligations.
This “flow-down” requirement—often called Subcontractor Compliance—means your subcontractors must sign their own BAA with you, implement Security Rule safeguards, restrict uses/disclosures, and support breach reporting. The original covered entity does not contract directly with downstream subcontractors, but retains oversight through the primary BAA.
Managing subcontractor risk
- Due diligence: security posture, breach history, and PHI access design.
- Contractual flow-down: mirror 45 CFR 164.504(e) requirements, including data aggregation permissions.
- Monitoring: right to audit, incident escalation paths, and termination assistance.
Examples of Business Associates
Role-based examples
- Revenue cycle: medical billing companies, coding vendors, claims repricing services.
- Professional services: law firms, accounting firms, actuaries, consultants analyzing PHI.
- Technology and hosting: EHR vendors, cloud service providers, data centers, managed IT, backup and disaster recovery vendors.
- Operations support: transcription, records scanning, document destruction, print-and-mail houses, call centers handling patient inquiries.
- Analytics and quality: data aggregation services, utilization review, quality assurance vendors.
Role-based non-examples (when limited to these roles)
- Mere conduits like postal carriers and certain ISPs that only transmit data transiently.
- Vendors handling only de-identified data with no re-identification capability.
- Covered entity workforce members acting within the entity’s control.
- Banks processing payments without accessing PHI beyond standard transaction data.
Business Associate Agreements
A Business Associate Agreement (BAA) is required by 45 CFR 164.504(e) whenever PHI is handled by a business associate. The BAA defines permitted uses/disclosures, mandates safeguards, and creates reporting and termination rights.
Essential BAA elements
- Permitted and required uses/disclosures of PHI, including any Data Aggregation Services.
- Safeguards: administrative, physical, and technical controls aligning with the Security Rule.
- Breach, security incident, and improper disclosure reporting to the covered entity without unreasonable delay.
- Subcontractor Compliance: ensure subcontractors agree to the same restrictions and safeguards.
- Individual rights support: access, amendment, and accounting of disclosures when applicable.
- HHS access to records for compliance review and enforcement.
- Termination, return, or destruction of PHI, or documentation of infeasibility.
Remember that encryption and “no-view” arrangements do not remove the need for a BAA. If you maintain ePHI for a covered entity, you are a business associate and must sign and honor the BAA.
Regulatory References and Compliance
Key citations include 45 CFR 160.103 (definitions, including “business associate”) and 45 CFR 164.504(e) (Business Associate Agreement requirements). Related provisions include 45 CFR 164.502(e) (uses/disclosures by business associates) and Security Rule safeguards across 45 CFR 164.306–164.316.
The Omnibus Rule strengthened direct liability for business associates, expanded the definition to subcontractors, and aligned breach notification duties. Effective compliance blends governance, contracts, and technical controls tailored to how you create, receive, maintain, or transmit PHI.
Practical compliance checklist
- Map PHI flows and vendors; apply the 3-step test to each relationship.
- Execute BAAs that reflect 45 CFR 164.504(e), minimum necessary, and Data Aggregation permissions.
- Implement Security Rule safeguards, risk analysis, workforce training, and incident response.
- Flow down obligations to subcontractors and monitor performance.
- Document everything: inventories, assessments, agreements, and reports.
FAQs
What criteria determine a HIPAA business associate?
Use the 3-step test: you are a business associate if you create, receive, maintain, or transmit PHI (Step 1), on behalf of a covered entity or another business associate (Step 2), to perform a HIPAA-regulated function or service such as claims, billing, analytics, or professional support (Step 3). This aligns with 45 CFR 160.103 and related operational provisions.
How does the Omnibus Rule affect business associate definitions?
The Omnibus Rule broadened the definition to include subcontractors that handle PHI, clarified that “no-view” hosting still creates business associate status, and imposed direct liability under the Security Rule. It also reinforced breach notification and BAA flow-down requirements.
What obligations do business associates have under HIPAA?
Business associates must implement Security Rule safeguards, limit uses and disclosures to those permitted by the BAA, support individual rights where applicable, report breaches and certain security incidents promptly, and ensure Subcontractor Compliance. They must document policies, training, and risk management activities.
Can subcontractors be considered business associates?
Yes. A subcontractor that creates, receives, maintains, or transmits PHI for a business associate is itself a business associate under 45 CFR 160.103. It must sign a BAA with the upstream business associate and adopt the same restrictions, safeguards, and reporting obligations.