Who Is a Business Associate Under HIPAA? Definition, Examples, and Responsibilities


Kevin Henry

HIPAA

February 19, 2024


If you work with healthcare data, you need to know who counts as a Business Associate under HIPAA. This guide explains the definition, shows common examples, outlines key responsibilities, and clarifies when a Business Associate Agreement is required—including how subcontractors and even covered entities can function as Business Associates.

Definition of Business Associate

A Business Associate is any person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) to perform services or functions for a covered entity—or for another Business Associate. The role is defined by access to PHI and the work performed, not by job title or industry.

  • Performs tasks “on behalf of” a covered entity (or another Business Associate) that involve PHI.
  • Is not part of the covered entity’s workforce (i.e., not an employee under direct control).
  • May be a contractor, vendor, consultant, or service provider with potential PHI access.

Note: Entities that merely transmit information as a “conduit” (e.g., postal services) without routine access to PHI typically are not Business Associates. However, providers that store or can view PHI—such as cloud hosts—are Business Associates because they maintain PHI.

Examples of Business Associates

Many operational partners qualify as Business Associates when their work touches PHI. Typical examples include:

  • IT and cloud service providers that host EHRs, backups, images, or portals.
  • Billing, coding, and revenue cycle companies; claims processing and collections.
  • Data analytics, quality improvement, and population health vendors.
  • Legal, accounting, actuarial, and consulting firms reviewing PHI.
  • Managed service providers and cybersecurity firms monitoring systems with PHI.
  • Shredding, scanning, and records management companies handling PHI media.
  • Telehealth platforms, e-prescribing gateways, and health information exchanges.
  • Equipment service vendors or device manufacturers that access PHI during maintenance.

Responsibilities of Business Associates

Business Associates must comply with the HIPAA Privacy Rule to the extent required by contract and must fully comply with the HIPAA Security Rule for electronic PHI. Core responsibilities include:

  • Use and disclose PHI only as permitted by the Business Associate Agreement and the HIPAA Privacy Rule, applying the minimum necessary standard.
  • Implement Security Rule safeguards for ePHI, including:
    • Administrative Safeguards: risk analysis, policies, workforce training, and vendor oversight.
    • Technical Safeguards: access controls, encryption, authentication, and audit logging.
    • Physical Safeguards: facility and device protections appropriate to where PHI is stored and accessed.
  • Provide prompt Data Breach Notification to the covered entity after discovering a breach and document security incidents and mitigation steps.
  • Support individual rights by facilitating access, amendment, and accounting of disclosures when the contract requires it.
  • Ensure subcontractors that handle PHI agree to equivalent protections and sign their own Business Associate Agreement.
  • Maintain required documentation and records for at least six years and make them available to regulators when necessary.

Business Associate Agreements

A Business Associate Agreement (BAA) is the contract that defines permitted PHI uses and required protections. You must have a BAA in place before a vendor or partner creates, receives, maintains, or transmits PHI for you.

  • Specify allowed and prohibited PHI uses/disclosures consistent with the HIPAA Privacy Rule.
  • Require implementation of the HIPAA Security Rule, including Administrative and Technical Safeguards.
  • Set timelines and processes for incident reporting and Data Breach Notification.
  • Flow down obligations to subcontractors and require BAAs with them.
  • Address access, amendment, and accounting requests; ensure return or destruction of PHI at termination.
  • Reserve the right to audit compliance and require corrective actions when needed.

Subcontractors as Business Associates

Any subcontractor of a Business Associate that creates, receives, maintains, or transmits PHI is also a Business Associate. The original BA must execute a BAA with each such subcontractor and ensure equivalent safeguards flow down the chain.

  • Map PHI data flows so you know which subcontractors handle PHI.
  • Perform due diligence: assess Security Rule controls, including Administrative and Technical Safeguards.
  • Set clear breach reporting obligations and cooperation requirements.
  • Review and test termination procedures for timely return or destruction of PHI.

Covered Entities as Business Associates

A covered entity can act as a Business Associate to another covered entity when providing services that involve PHI beyond its own treatment, payment, or operations. In those engagements, the servicing entity must meet Business Associate obligations and sign a BAA.

  • Examples: a hospital providing billing for an independent clinic, or a health plan performing third-party administration for a self-funded employer plan.
  • When you wear both hats (covered entity and Business Associate), apply the HIPAA Privacy Rule and HIPAA Security Rule according to the specific role and purpose for which you hold PHI.
  • Use PHI only for the contracted services, and maintain boundaries between your covered-entity activities and Business Associate activities.

In short, a Business Associate is defined by function and PHI access. If you or your vendors handle Protected Health Information for another organization, you likely need a Business Associate Agreement and must implement appropriate safeguards, breach response, and oversight to meet HIPAA Privacy Rule and HIPAA Security Rule requirements.

FAQs

What is a Business Associate under HIPAA?

It is any person or organization that creates, receives, maintains, or transmits Protected Health Information for—or on behalf of—a covered entity (or another Business Associate) to perform services or functions. The status is based on PHI access and the work performed.

What are the responsibilities of a Business Associate?

Use and disclose PHI only as permitted, implement the HIPAA Security Rule (including Administrative Safeguards and Technical Safeguards), support Privacy Rule obligations, provide timely Data Breach Notification to the covered entity, oversee subcontractors, and maintain required documentation.

When is a Business Associate Agreement required?

You need a Business Associate Agreement in place before a vendor or partner creates, receives, maintains, or transmits PHI for your organization. The BAA defines permitted uses, required safeguards, breach reporting, subcontractor flow-downs, and PHI return or destruction at termination.

Can subcontractors be Business Associates?

Yes. Any subcontractor that handles PHI on behalf of a Business Associate is also a Business Associate. The primary BA must execute a BAA with the subcontractor and ensure equivalent Privacy Rule and Security Rule protections are implemented.
