How do I determine who is a business associate?

According to the U.S. Department of Health and Human Services (HHS), the Privacy Rule defines a business associate as a person, other than a member of a covered entity’s workforce, who:

(1) Creates, receives, maintains, or transmits protected health information (PHI) for a function or activity regulated by the Privacy Rule* on behalf of a covered entity or organized health care arrangement in which the covered entity participates; or,

(2) Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity or organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of PHI from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

*Business associate functions or activities include: claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; patient safety activities; billing; benefit management; practice management; and repricing.

The Final Omnibus Rule expands the definition of business associate to include the following:

1.  A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI.

2.  A person that offers a personal health record to one or more individuals on behalf of a covered entity.

3.  A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.

In short, if a covered entity hires a person or organization to provide services for or on behalf of the covered entity, and that service involves the creation, receipt, maintenance, or transmission of PHI, then that person or organization is likely a business associate.

HHS Examples of Business Associates:

1. A third party administrator that assists a health plan with claims processing.

2. A CPA firm whose accounting services to a health care provider involve access to PHI.

3. An attorney whose legal services to a health plan involve access to PHI.

4. A consultant that performs utilization reviews for a hospital.

5. A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

6. An independent medical transcriptionist that provides transcription services to a physician.

7. A pharmacy benefits manager that manages a health plan’s pharmacist network. [1]

Good to Know

Shipping services. The US Postal Service, United Parcel Service, and certain private couriers that act as conduits for PHI are not considered business associates of a covered entity. The probability of exposing PHI to a conduit is considered very small because a conduit is intended to transport the information, not to access it. Any disclosure of PHI to a conduit by a covered entity would be unintentional. [2]

Data storage companies and ISPs. A data storage company that maintains PHI is considered a business associate even if it does not view the information, because it has persistent access to it. An ISP, on the other hand, does not meet the definition of a business associate because it does not maintain PHI and has only transient access to the information. [3]

Service providers. Service providers such as plumbers, electricians, and janitors do not require access to PHI to perform their duties. Because they are not hired by a covered entity to provide services that involve the creation, receipt, maintenance, or transmission of PHI for, or on behalf of, the covered entity, they do not meet the definition of a business associate. Any disclosure to such a provider that is limited in nature and occurs as a by-product of their duties is considered incidental and is therefore permitted by the Privacy Rule. However, if the work performed by a service provider involves a disclosure of PHI that is not limited in nature, the provider will generally be considered a business associate. A shredding service is one example. Another is a copier repairman, when the copy machine retains PHI. [4, 5]

Physicians with hospital privileges. The HIPAA Privacy Rule describes physicians with hospital privileges as participating in an organized health care arrangement (OHCA). Protected health information used and disclosed for the joint health care activities of the OHCA does not require a business associate agreement. [6]

Another health care provider. A health care provider is not considered a business associate of another health care provider when PHI is shared for treatment purposes. This does not, however, prevent the two health care providers from establishing a business associate agreement for another purpose. [7]

Relevant Standards and Implementation Specifications of the Health Insurance Portability and Accountability Act of 1996:

§ 160.103 – Definitions

§ 164.502(e) – Uses and disclosures of protected health information: general rules (Disclosures to Business Associates)

§ 164.504(e) – Uses and disclosures: Organizational requirements (Business Associate Contracts)

§ 164.532(d) & (e) – Transition Provisions (Effect of prior contracts or other arrangements with business associates & Deemed Compliance)

U.S. Department of Health and Human Services and Other Resources:

1. “Business Associates,” hhs.gov, last modified April 3, 2003, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.

2. “Are the following entities considered ‘business associates’ under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/245.html.

3. “Who’s a Business Associate under the HIPAA Omnibus Rule?” emrsoap.com, posted January 18, 2013, http://www.emrsoap.com/business-associates-under-the-hipaa-omnibus-rule/.

4. “Is a physician required to have business associate contracts with technicians such as plumbers, electricians or photocopy machine repairmen who provide repair services in a physician’s office?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/244.html.

5. “Is a business associate contract required with organizations or persons where inadvertent contact with protected health information may result – such as in the case of janitorial services?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/243.html.

6. “Do physicians with hospital privileges have to enter into business associate contracts with the hospital?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/248.html.

7. “When is a health care provider a business associate of another health care provider?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/240.html.