What is a Business Associate?

Simply put, a Business Associate is a vendor or subcontractor that has access to PHI (Protected Health Information) in the course of serving a Covered Entity.

A more formal definition of a Business Associate under HIPAA is any entity that creates, receives, maintains, transmits, uses, or discloses PHI on behalf of a Covered Entity. Put another way, a Business Associate is any person who, on behalf of a Covered Entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

Here are some examples of vendors that qualify as Business Associates:

  • data storage or document storage services (whether or not they can actually view the PHI they maintain; holding encrypted PHI you cannot decrypt still counts)
  • providers of data transmission services, portals, or other interfaces created on behalf of Covered Entities that allow patients to share their data with the Covered Entity
  • electronic health information exchanges

If a Business Associate (vendor) delegates a covered function or activity to another entity, that entity is considered a subcontractor, and a subcontractor is itself treated as a Business Associate with the same obligations.

Some vendors avoid PHI like the plague; they don’t want this information anywhere near their service. But avoidance doesn’t necessarily excuse a vendor from becoming compliant: what matters is whether PHI actually reaches the vendor’s systems, not whether the vendor intended it to.

If a Covered Entity (customer) sends PHI through a vendor, and the vendor’s servers store this information, then the vendor is a Business Associate, must sign a Business Associate Agreement, and is subject to the HIPAA Security Rule.

Here are some examples of potential Business Associates:

  • Data processing firms or software companies that may be exposed to or use PHI
  • Medical equipment service companies handling equipment that holds PHI
  • Shredding and/or documentation storage companies
  • Consultants hired to conduct audits, perform coding reviews, etc.
  • Lawyers
  • External auditors or accountants
  • Professional translator services
  • Answering services
  • Accreditation agencies
  • E-prescribing services
  • Medical transcription services

In contrast, these folks are NOT Business Associates:

  • Covered Entity’s Workforce
  • Individuals or companies with very limited and incidental exposure to health information, such as a telephone company, electrician, etc.
  • Companies that act purely as a conduit for PHI, such as the postal service, UPS, private couriers, etc. Note that the conduit exception is narrow: it covers transport only, where any access to PHI is transient and incidental. A service that stores PHI, even briefly or in encrypted form, is not a conduit and is a Business Associate.