
What you need to know:
- A business associate is any vendor or contractor — outside your workforce — that creates, receives, maintains, or transmits PHI on your behalf
- The list is broader than most organizations expect: billing companies, IT vendors, lawyers, cloud providers, shredding services, and more
- A signed Business Associate Agreement (BAA) must be in place before PHI is shared — and it doesn’t shift your liability as a covered entity
- Business associates who use subcontractors must have subcontractor BAAs
- Since HITECH, business associates are directly subject to HIPAA enforcement, not just contractually obligated
- The Change Healthcare breach — 192.7 million individuals affected — shows what’s at stake when vendor risk isn’t managed
- Covered entities must identify, contract with, and actively monitor their business associates
If your organization works with outside vendors or service providers that handle patient data, understanding the definition of a business associate is foundational to your HIPAA compliance program. This article explains what a business associate is under HIPAA, why the distinction matters for both covered entities and business associates, and how high the stakes are when these relationships aren’t properly managed.
The Legal Definition, in Plain English
Under HIPAA, a business associate is a person or organization — not part of the covered entity’s workforce — that performs a function or activity on behalf of a covered entity involving the creation, receipt, maintenance, or transmission of protected health information (PHI).
It’s worth unpacking that definition because each element matters and each one leads into the next.
“Person or organization” — in HIPAA, the term “person” is a legal term of art that includes individuals, corporations, partnerships, and other entities. A business associate can be a large technology company, a small billing firm, a solo consultant, or anything in between.
“Not a member of the covered entity’s workforce” — HIPAA draws a clear line between employees and contractors on one side and independent vendors on the other. Workforce members are covered by the covered entity’s HIPAA policies and training. Those outside the workforce — even individuals who work closely with your organization — fall under the business associate framework instead.
“On behalf of a covered entity” — this phrase does a lot of work. The vendor or contractor must perform a function that supports the covered entity’s operations, not merely provide a generic commercial service. A company that processes medical claims for a physician’s office is a business associate. A company that delivers office supplies to that same physician’s office is not.
“Creates, receives, maintains, or transmits PHI” — these words cast a wide net. It qualifies if it receives existing PHI, stores it on your behalf, or transfers it from one location to another. Cloud storage providers, data centers, and IT support firms that have access to systems storing PHI are common examples that organizations sometimes overlook.
What Counts as a Business Associate in Practice?
The list of entities that can qualify as business associates is broader than most organizations expect. Common examples include:
Medical billing and coding companies that process claims containing patient identifiers.
Health information technology vendors whose software stores, processes, or transmits electronic health records (EHR). Transcription services that receive recorded provider-patient encounters and return written documentation. Answering services that receive calls.
Third-party administrators that manage employee health benefit plans on behalf of an employer.
Law firms and accounting firms that receive PHI in the course of providing professional services to a covered entity. This includes cloud service providers, data backup services, and IT managed services firms that have access to servers or systems that store PHI.
Other consultants that may have access to PHI in the course of providing professional services to a covered entity. This could include practice management consultants, IT providers, and marketing firms.
Shredding companies and document storage services that handle physical records containing PHI.
The link connecting all of these is the same: access to PHI by someone who is not on the covered entity’s payroll while performing a service that supports the covered entity’s operations.
What Is Not a Business Associate?
Understanding the edges of the definition matters as much as understanding the central concept, so a few common scenarios that do not create a business associate relationship include:
Conduit – An organization, like a courier or postal service, that merely transports sealed envelopes containing PHI without opening them is not a business associate. The conduit exception also applies to internet service providers and landline or cellular phone services.
Incidental access – A vendor whose services don’t require access to PHI, but who might incidentally be exposed to it while doing their job is generally not a business associate. Examples include janitorial or housekeeping services, painters, plumbers.
A healthcare provider that receives PHI from another covered entity to treat a patient is not acting as a business associate; that disclosure is governed by the Privacy Rule’s treatment exception.
Banks and financial institutions acting solely as payment processors are generally not considered business associates. However, if they perform services that go beyond payment processing, e.g., managing accounts receivable, lockbox services, they are business associates.
Consumer payment apps like PayPal, Venmo, Block/Square, and Zelle are not business associates and will not sign a BAA. Some payment apps, like IvyPay, operate specifically for healthcare and do sign BAAs. For more, see this article.
Any organization that does not sign a BAA is not a business associate, even if it appears to meet the definition, e.g., social media platforms.
The Business Associate Agreement
Identifying which of your vendors qualify as business associates is the first step. Once a business associate relationship exists, HIPAA requires both parties to execute a Business Associate Agreement (BAA) — a written contract that specifies permitted uses and disclosures of PHI, sets each party’s compliance obligations, and outlines what happens in the event of a breach.
A covered entity that discloses PHI to a vendor that qualifies as a business associate without a valid BAA in place violates HIPAA, regardless of whether a breach ever occurs. The BAA is not a formality to address after the fact — it must be in place before PHI changes hands.
It’s equally important to recognize that a BAA doesn’t shift your liability. If a covered entity knows, or reasonably should have known, that a business associate is failing to comply with its obligations under the BAA, the covered entity may be held responsible for that failure. Be sure to do your business associate due diligence.
Business Associates Have Direct HIPAA Liability
One of the most significant developments in HIPAA’s history was the HITECH Act and the 2013 Omnibus Rule, which extended direct legal liability to business associates. Before that change, business associates were contractually obligated to covered entities but were not independently subject to HIPAA enforcement. That is no longer the case.
Today, business associates are directly subject to the HIPAA Security Rule and many provisions of the Privacy Rule. OCR can investigate and penalize a business associate directly, without going through the covered entity. Because business associates can engage subcontractors — vendors who perform functions on behalf of the business associate involving PHI — those subcontractors are treated as business associates, and the chain of obligation extends accordingly. A covered entity’s PHI may pass through several layers of vendors, each with its own compliance obligations.
The Scale of the Risk in 2026
Understanding the definition of a business associate isn’t just a compliance exercise. Data on breach origins makes it clear that a considerable share of the healthcare industry’s exposure to PHI loss now lies outside covered entities, in the hands of third-party vendors.
No single event illustrates this more powerfully than the Change Healthcare breach. Change Healthcare, a subsidiary of UnitedHealth Group, serves as a business associate to a vast number of health plans, hospitals, and physician practices, processing claims and other healthcare transactions at enormous scale. When ransomware attackers breached its systems in February 2024, the downstream impact was staggering. The final confirmed figure, reported to the OCR and updated on the HHS breach portal in July 2025, is 192.7 million individuals — the largest healthcare data breach in United States history, affecting more than half the U.S. population.
Change Healthcare is an extreme case, but it’s not isolated. Conduent, a business process services company that serves as a business associate for multiple state Medicaid programs and other healthcare clients, suffered a breach in early 2025 that exposed PHI across several states before the full scope was known. These large-scale BA breaches share a common feature: a single vendor failure can propagate across dozens or hundreds of covered entity clients simultaneously, multiplying the harm in ways no individual covered entity could have prevented on its own.
This is the structural reality of the modern healthcare ecosystem. Covered entities depend on a network of vendors to operate, and PHI flows through that network constantly. The business associate framework exists to address this reality — to extend HIPAA’s protections beyond the covered entity itself to wherever PHI actually travels.
What This Means for Covered Entities
For covered entities, the business associate framework imposes three core obligations. First, identify every vendor or contractor relationship that qualifies — a task that requires a precise understanding of the definition and a systematic review of all third-party arrangements. Second, ensure that a compliant BAA is executed before PHI is shared and that existing BAAs are current and enforceable. Third, monitor business associate compliance on an ongoing basis, since a covered entity’s exposure doesn’t end when the ink dries on the agreement.
This final obligation is often underestimated by many organizations. OCR has consistently made clear that a covered entity cannot simply execute a BAA and walk away. Monitoring is required, and failing to exercise reasonable diligence in monitoring a business associate can be treated as the covered entity’s own violation.
What This Means for Business Associates
If your organization provides services to covered entities and handles PHI in the process, you are directly subject to HIPAA — not merely by contract. This means conducting your own risk analysis, implementing the Security Rule’s administrative, physical, and technical safeguards, training your workforce on HIPAA requirements, and complying with breach notification obligations on your own timeline, regardless of what your covered entity clients do.
For organizations new to the business associate role, or for those whose business associate relationships have grown without a corresponding investment in compliance infrastructure, this is the year to take stock. OCR enforcement of business associate obligations has grown steadily, and state attorneys general and private litigation have added additional layers of accountability that don’t require a federal investigation to trigger them.
How The HIPAA E-Tool® Can Help
Whether you are a covered entity working to identify and manage your business associate relationships or a business associate building your HIPAA compliance program, The HIPAA E-Tool® provides the structure you need to do so internally, without relying on expensive outside consultants.
Our compliance software guides your team through identifying business associate relationships, evaluating your BAAs, and completing the risk analysis that underpins everything else — with clear guidance tailored for compliance staff, office managers, and IT teams, not just attorneys and consultants.
Understanding what a business associate is and taking that definition seriously are foundational steps in any HIPAA compliance program. In 2026, the stakes for getting it wrong have never been higher.
Learn more about HIPAA compliance support for covered entities and business associates at thehipaaetool.com.

