According to the U.S. Department of Health and Human Services (HHS), "A 'business associate' is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."
Kelly Thompson, a healthcare attorney at Foley & Lardner LLP and contributor to the Association of Corporate Counsel, provides additional clarity in her legal analysis, defining a business associate as "a person or entity (other than a member of the covered entity's workforce) that creates, receives, maintains, or transmits protected health information for a covered entity."
The American Dental Association provides a more practical definition, stating that "A business associate is a person or a company who needs access to your patients' protected health information (PHI) in order to do a task on behalf of your practice."
At its core, a business associate is an entity or individual that performs certain functions or activities on behalf of, or provides services to, a covered entity that involve access to protected information, confidential data, or regulated processes. In the healthcare context under HIPAA, this definition has become the standard for understanding business associate relationships, even in contexts outside of healthcare.
The relationship normally involves a service provider who needs access to sensitive information to perform their contracted duties effectively. This access creates legal obligations and compliance requirements that differentiate business associates from regular vendors or contractors.
Several indicators suggest you may be operating as a business associate. The most common one is whether you have access to protected or confidential information as part of your service delivery. If your work requires you to handle, process, store, or transmit sensitive data belonging to another organization, you're likely functioning as a business associate.
HHS identifies specific types of work that commonly qualify as business associate activities: "Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing."
Thompson reinforces this understanding from a legal practice perspective, noting that "Common business associates include billing companies, electronic health record companies, accounting firms, law firms, and cloud storage companies." This list shows how diverse business associate relationships can be across different service sectors.
The American Dental Association provides additional examples, noting that "business associates might be lawyers, accountants, consultants, insurance companies, clearinghouses, billing services or computer support services."
Another indicator is the nature of your contractual relationship. Business associates typically enter into formal agreements that specifically address data handling, security requirements, and compliance obligations. If your contracts include detailed provisions about confidentiality, data protection, and regulatory compliance, this suggests a business associate relationship.
The scope of your services also matters. Business associates often provide specialized services important to their client's operations. These include IT support, consulting, data processing, administrative services, or professional services that require integration with the client's systems and processes.
In healthcare, the business associate determination is particularly well-defined and carries regulatory weight. Under HIPAA, you're likely a business associate if you provide services to a covered entity (healthcare providers, health plans, or healthcare clearinghouses) and your services involve creating, receiving, maintaining, or transmitting PHI.
Common healthcare business associates include medical billing companies, IT service providers, cloud storage vendors, consultants, attorneys, accountants, and administrative service providers. HHS provides specific examples of business associates, including "A third party administrator that assists a health plan with claims processing," "A CPA firm whose accounting services to a health care provider involve access to protected health information," and "An attorney whose legal services to a health plan involve access to protected health information."
Even services like shredding companies or cleaning services might qualify as business associates if they have potential access to PHI, though HHS notes exceptions for entities "whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all."
The "conduit exception" is vital to understand in healthcare contexts. Thompson explains that "HIPAA has provided a conduit exception, which provides that random access by a data transmission entity does not necessarily make the entity a HIPAA business associate." HHS further clarifies that this applies to entities that act "merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents." However, this exception is narrow and requires that the entity has no access to PHI beyond what's necessary for transport.
Healthcare business associates must sign Business Associate Agreements (BAAs) with covered entities. These agreements outline specific obligations for protecting PHI, including implementing appropriate safeguards, reporting breaches, and allowing covered entities to audit compliance.
While HIPAA provides a detailed framework for business associate relationships, similar concepts exist across various regulated industries. In financial services, entities handling customer financial information often enter into relationships analogous to business associate arrangements, with specific requirements under regulations like the Gramm-Leach-Bliley Act.
In the technology sector, cloud service providers, software-as-a-service vendors, and IT consultants frequently function as business associates for their clients across multiple industries. These relationships involve access to various types of protected information and require attention to data security and privacy obligations.
Legal and professional service providers often find themselves in business associate relationships when they handle confidential client information under regulatory protection. This includes law firms, accounting firms, consulting companies, and other professional service providers who need access to protected information to perform their services.
Government contractors frequently operate as business associates when they provide services involving access to sensitive government data or citizen information. These relationships are governed by various federal and state regulations that impose specific security and privacy requirements.
Understanding when you're not a business associate is equally important for avoiding unnecessary compliance burdens and properly structuring business relationships. Generally, you're not a business associate if you don't have access to protected information in connection with your services, if you only have access to de-identified information, or if you qualify for specific regulatory exceptions.
Workforce members and employees of covered entities are typically not considered business associates, as they're subject to different regulatory requirements. Similarly, entities that only provide general services without access to protected information, such as utilities or general maintenance services, usually don't qualify as business associates.
The conduit exception applies when an entity merely transports protected information without accessing it. However, this exception requires careful analysis, since an entity that initially appears to qualify as a conduit might actually have access that makes it a business associate.
HHS also clarifies several other situations where business associate contracts are not required, including disclosures between covered entities for treatment purposes, certain health plan sponsor relationships, and financial institutions that "process consumer-conducted financial transactions by debit, credit, or other payment card" in their normal banking capacity.
Yes, an organization can serve as a covered entity in one context and a business associate in another, depending on the specific services and relationships involved.
Failure to comply with business associate obligations can lead to significant HIPAA fines, breach notification costs, and reputational damage.
Yes, subcontractors who handle PHI for a business associate are also considered business associates and must comply with HIPAA.
A BAA contains HIPAA-specific privacy, security, and breach-reporting requirements that go beyond a generic NDA.
Yes, HIPAA applies to foreign vendors if they handle PHI for a U.S. covered entity or business associate.