If you work with healthcare organizations, you have likely heard the term "business associate" come up in contract negotiations. In short, this is a vendor or partner that handles protected health information (PHI) to perform services for a healthcare provider or insurer. For example, an IT support vendor that remotely accesses an electronic health record (EHR) server to troubleshoot issues will often qualify.

This guide breaks down the legal definition of a HIPAA business associate, gives concrete examples of who fits the bill (plus who doesn’t), and explains what this role requires under federal law.

Key takeaways

  • A HIPAA business associate is a vendor that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.
  • Common BA examples include cloud storage providers, medical billing companies, IT consultants, and attorneys who access patient records.
  • A written business associate agreement (BAA) is legally required before a business associate can create, receive, maintain, or transmit PHI for a covered entity.
  • Business associates are directly liable for compliance with the HIPAA Security Rule and can face federal enforcement action for noncompliance.
  • Exceptions exist for "conduits" like the postal service and for incidental access, for instance janitorial staff who do not routinely handle records.

What is a business associate under HIPAA?

A HIPAA business associate is a person or entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity (such as a doctor or hospital) to perform regulated functions or services. Put plainly, if you are a service provider and your work requires access to, storage of, or transmission of patient data for a healthcare client, you are likely a business associate. In this case, you have legal duties to protect the data, even if you only store it.

Who qualifies as a HIPAA business associate?

Your status depends on why you have access to PHI. Use this decision path to clarify your role:

  • Are you working for a HIPAA covered entity? Health plans and healthcare clearinghouses are always covered entities; healthcare providers are covered entities when they transmit health information electronically in connection with a HIPAA standard transaction (such as submitting claims).
  • Does your service involve PHI? Services that require access to patient data include claims processing, data analysis, billing, utilization review, quality assurance, and practice management.
  • Are you a subcontractor? If you support an existing business associate and you handle PHI to help them do their job, you are also a business associate under HIPAA.

If you answer "yes" to the first question and either the second or third question, you likely qualify as a business associate and you must meet HIPAA compliance obligations that apply to business associates.

However, if your access is purely incidental, you generally do not need a business associate agreement. A janitor who might accidentally see paperwork doesn't need a BAA. Neither does a facilities technician replacing a monitor who might see a screen briefly, but does not access systems or handle records.

Examples of HIPAA business associates

Many vendors, from cloud platforms to professional services, qualify as business associates. What unites them is routine access to PHI, meaning the service requires predictable access to PHI or to systems that contain PHI (not an accidental one-off exposure).

Common business associate categories include:

  • Cloud service providers (CSPs). CSPs qualify when they store, process, or maintain ePHI for a covered entity or another business associate. Per OCR's cloud computing guidance, this holds even when the data is encrypted and the CSP does not hold the decryption key, because the CSP still maintains the PHI. AWS, Microsoft Azure, or Google Cloud hosting an app or backups that contain ePHI are business associates, which is why each offers a BAA for its covered services.
  • Third-party administrators (TPAs). TPAs that process claims or administer health plan operations on behalf of an insurer or employer health plan often qualify. Examples include a claims administrator for a self-insured plan or a vendor that manages prior authorization and must access claims data.
  • Professional service firms. Attorneys, certified public accountants (CPAs), actuaries, and consultants qualify when their work requires access to files that contain PHI. For instance, a law firm reviewing medical records for litigation or a CPA auditing billing files with patient identifiers would qualify as a BA.
  • IT and software vendors. Vendors qualify when they provide managed IT, hosting, data migration, or support that involves access to systems containing PHI, such as an MSP with administrative access to servers storing ePHI.
  • Medical transcriptionists. Transcription services often qualify because they handle PHI while converting dictated notes into reports.
  • Shredding and media destruction companies. Vendors hired to destroy paper records or media containing PHI also qualify because they maintain the PHI until destruction.

Who is not a business associate?

It is equally important to know who does not carry this designation.

  • Conduits. Organizations that only transport data and do not access it other than on a random or infrequent basis, as needed to transport it, are generally exempt. Examples include the U.S. Postal Service, private couriers (UPS, FedEx), and certain electronic transmission services. The exception is narrow: it covers transmission only, so a service that stores PHI beyond what the transmission itself requires (for example, a file-sharing or hosting service) is a business associate, not a conduit.
  • Workforce members. Employees, volunteers, and trainees of covered entities are not business associates; they are part of the internal workforce.
  • Software vendors (sales only). A vendor that sells software, but does not host it, access it for support, or store your data, is not a business associate just because the software can be used with PHI.

Overall, if the service requires access to PHI (or to systems that contain PHI), treat the vendor as a business associate and move into the required controls.

HIPAA business associate requirements

Business associates must protect the PHI they handle and follow rules that regulators can enforce directly against them. These duties show up in four areas:

1. Signing a business associate agreement (BAA)

Before a business associate creates, receives, maintains, or transmits PHI for a covered entity, the parties must sign a written contract called a Business Associate Agreement (BAA). The BAA gives the covered entity “satisfactory assurances” that the business associate will safeguard PHI and limit uses and disclosures.

A compliant BAA must include specific core clauses:

  • Permitted uses. Define how the business associate may use and disclose PHI, and limit those uses and disclosures to what the contract and HIPAA allow.
  • Safeguards. Require appropriate measures to protect PHI and ePHI from unauthorized use or disclosure, including Security Rule compliance for ePHI.
  • Reporting. Require the business associate to report security incidents, breaches of unsecured PHI, and unauthorized uses or disclosures to the covered entity.
  • Subcontractors. Require subcontractors that handle PHI to accept the same restrictions and conditions, in writing.
  • Termination. Allow the covered entity to terminate the contract if the business associate violates a material term, and require the business associate to return or destroy PHI at termination where feasible.

2. Complying with the HIPAA Security Rule

Business associates are directly liable for compliance with the HIPAA Security Rule. You must implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). For business associates, HIPAA security rule compliance applies even if you never view the data. In brief:

  • Administrative safeguards mean that you must run risk analysis and risk management, train staff, and assign security responsibility.
  • Physical safeguards involve controlling physical access to systems and devices that store ePHI.
  • Technical safeguards require BAs to use access controls, audit logs, integrity controls, and transmission security.

3. Meeting the requirements of the Breach Notification Rule

If a breach of unsecured PHI occurs, the business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.410, available on eCFR). The 60 days are an outer limit, not a target; many BAAs contractually require notice within days, and the covered entity's own 60-day clock to notify individuals runs from the business associate's discovery when the business associate is acting as its agent. The notice must identify the affected individuals, to the extent possible, and include enough detail for the covered entity to complete its required notifications.

4. Avoiding HIPAA violations and penalties

Business associates have been directly liable for HIPAA violations since 2013, and the Office for Civil Rights (OCR) can investigate and impose penalties.

Enforcement actions can be triggered by:

  • Failure to provide breach notification.
  • Impermissible uses or disclosures of PHI.
  • Failure to cooperate with OCR investigations.
  • Retaliation against individuals for filing HIPAA complaints.

Penalties can be severe. As of early 2026, the maximum annual penalty for identical violations can exceed $2 million, with per-violation amounts adjusted annually for inflation. Because OCR can pursue a business associate directly, a failure typically brings not only a civil penalty but also a corrective action plan, settlement reporting obligations, and contractual fallout with the covered entities that relied on the BAA.

Conclusion

A HIPAA business associate is a person or company (outside a covered entity’s workforce) that creates, receives, maintains, or transmits protected health information on behalf of covered entities to perform certain functions or services. This includes a cloud hosting provider storing encrypted ePHI, a billing or claims vendor processing patient data, and an IT support firm with remote access to systems containing PHI. Conduits like the U.S. Postal Service, workforce members, and software vendors that only sell software without access usually do not qualify.

Once the relationship meets the definition, the obligations are clear: sign a business associate agreement, follow the HIPAA Security Rule safeguards, meet breach notification timelines, and keep processes tight enough to support HIPAA compliance. If you are unsure where you land, map your PHI touchpoints and start with the BAA and the security controls.