What is a HIPAA business associate?

A HIPAA business associate is a person or organization that provides certain services or functions that involve access to protected health information (PHI) on behalf of a covered entity. Covered entities are healthcare providers, health plans, and healthcare clearinghouses that are subject to the HIPAA Privacy and Security Rules.

Examples of HIPAA business associates may include:

  • Third-party billing companies
  • IT service providers
  • Medical transcription companies
  • Claims processing companies
  • Healthcare consultants
  • Lawyers and accountants that provide services to covered entities involving PHI

Under HIPAA regulations, covered entities are required to enter into written agreements with their business associates to ensure that they protect the privacy and security of PHI in accordance with HIPAA requirements. These agreements, called business associate agreements (BAAs), must be signed before any PHI is shared with the business associate. The BAA specifies the permitted uses and disclosures of PHI by the business associate, as well as the business associate's obligations with respect to protecting the PHI.

Business associates are also directly subject to certain provisions of the HIPAA Privacy and Security Rules, and may be subject to penalties and fines for non-compliance with these requirements. In addition, the HIPAA Omnibus Rule, which went into effect in 2013, expanded the definition of business associates to include subcontractors, meaning that a business associate's downstream contractors and vendors that have access to PHI are also subject to the same HIPAA requirements as the business associate.