The Business Associate Definition
A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity, where those functions, activities, or services involve the use or disclosure of protected health information (PHI). The key element is that the business associate uses or discloses PHI while performing work for or on behalf of the covered entity — and the covered entity is the one that has the underlying obligation to protect that PHI.
Business associate status triggers significant compliance obligations. Business associates must comply directly with the HIPAA Security Rule, certain provisions of the Privacy Rule, and the Breach Notification Rule. They must execute a Business Associate Agreement (BAA) with each covered entity they serve.
Functions That Create Business Associate Status
A person or organization becomes a business associate when it performs one of the following functions on behalf of a covered entity involving PHI:
- Claims processing or administration
- Data analysis, processing, or administration
- Utilization review
- Quality assurance
- Patient safety activities
- Billing and collections
- Benefit management
- Practice management
- Repricing services
Additionally, a person is a business associate if it provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a covered entity where the provision of the service involves disclosure of PHI by the covered entity or its business associate.
Common Business Associate Examples
Examples of entities that typically qualify as business associates include:
- Electronic health record (EHR) vendors that host or process patient records
- Medical billing companies and revenue cycle management firms
- Cloud storage providers that store ePHI
- IT managed services providers with access to systems containing ePHI
- Transcription services that process dictated medical records
- Shredding companies that destroy PHI-containing documents
- Answering services that take patient messages
- Attorneys who advise on matters involving PHI review
- Accountants who review financial records containing PHI
- Third-party administrators of health plans
- Consultants who review medical records as part of their services
- Email encryption services used to send PHI
- Data analytics companies that analyze de-identified data that could be re-identified
Subcontractors as Business Associates
Since the HITECH Act and the 2013 Omnibus Rule, subcontractors of business associates are themselves business associates if they create, receive, maintain, or transmit PHI on behalf of the business associate. This creates a chain of accountability: covered entity → business associate → subcontractor business associate. Each link in the chain must execute a BAA with the next link and must comply directly with HIPAA.
A cloud provider hired by an EHR vendor is a subcontractor business associate of the EHR vendor (which is itself a business associate of a covered entity). The cloud provider must execute a BAA with the EHR vendor and comply with the Security Rule — even though it has no direct contract with the covered entity.
Who Is NOT a Business Associate
Several categories of persons are explicitly excluded from business associate status:
- Members of the covered entity's workforce — employees, volunteers, trainees, and others under the direct control of the covered entity are not business associates; they are managed through workforce policies.
- Covered entities sharing PHI for treatment — when one covered entity discloses PHI to another covered entity for treatment purposes (e.g., a referring physician sending records to a specialist), neither is a business associate of the other for that activity.
- Conduit exceptions — entities that transport PHI but do not access it in any way, such as the U.S. Postal Service, certain courier services, and internet service providers whose function is mere transmission, are not business associates. However, a cloud provider that stores (not merely transmits) PHI is a business associate, even if it does not actually view the data.
- Researchers receiving a limited data set under a data use agreement may not require a BAA.