What is a business associate?

A business associate is a person or entity that performs functions or activities on behalf of, or provides services to, a covered entity (such as a healthcare provider, health plan, or healthcare clearinghouse) that involves the use or disclosure of protected health information (PHI).

Understanding business associates

Business associates are third-party vendors that perform functions or services involving PHI for covered entities.

Examples of business associates

• Billing and claims processing: Medical billing companies
• Data storage and cloud computing: Cloud service providers 
• IT and cybersecurity services: Companies that manage electronic health records (EHRs)
• Legal and accounting firms: Law firms handling medical records for litigation
• Consultants and auditors: HIPAA compliance consultants reviewing PHI
• Marketing and communications: Email encryption providers that process patient data

See also: HIPAA Compliant Email: The Definitive Guide

Business associate responsibilities

Under the HIPAA Final Rule, business associates must:

• Follow HIPAA Security and Privacy Rules
• Implement technical, administrative, and physical safeguards
• Report data breaches
• Sign BAAs with subcontractors handling PHI

Failure to comply can lead to fines and penalties from the Office for Civil Rights (OCR).

Best practices and tips for business associates

To ensure compliance with HIPAA regulations, business associates should follow these best practices when handling PHI:

• Implement strong security measures: Use encryption, access controls, multi-factor authentication (MFA), and conduct regular security audits.
• Ensure HIPAA compliance: Follow administrative, physical, and technical safeguards to protect PHI.
• Sign business associate agreements (BAAs): Secure agreements with covered entities and subcontractors handling PHI.
• Develop an incident response plan: Quickly report and investigate data breaches, taking corrective action.
• Train employees on HIPAA: Provide annual and role-specific compliance training.
• Monitor and audit PHI access: Keep access logs and conduct regular internal audits.
• Minimize PHI use and retention: Follow the Minimum Necessary Rule and securely dispose of PHI when no longer needed.

FAQS

What is a business associate agreement (BAA)?

A BAA is a legally required contract between a covered entity and a business associate that outlines how PHI will be protected, used, and disclosed.

Do all vendors working with healthcare entities need a BAA?

No. Only vendors handling PHI need a BAA. For example, an IT support company accessing PHI would need a BAA, while a cleaning service would not.