A managed IT company in Tennessee gets hit with a $2.3 million settlement from HHS because a hospital never signed a business associate agreement with them — and nobody at the hospital even questioned whether the IT vendor qualified. That's not a hypothetical. That's the kind of scenario I see play out repeatedly. The question "which of these entities could be considered a business associate?" shows up on compliance exams, in board meetings, and — most painfully — during OCR investigations after a breach.

Getting this wrong isn't an academic failure. It's a regulatory and financial one. Let me walk you through exactly who qualifies, who doesn't, and where the gray areas will trip you up.

The HIPAA Definition Most People Get Wrong

Under the HIPAA Privacy Rule, a business associate is any person or organization — other than a member of a covered entity's workforce — that performs functions or activities on behalf of, or provides certain services to, a covered entity involving the use or disclosure of protected health information (PHI). That definition comes directly from 45 CFR § 160.103.

Here's where people stumble. They think a business associate has to be a healthcare company. It doesn't. The business associate designation has nothing to do with what industry you're in. It has everything to do with whether you touch, handle, transmit, or maintain PHI on behalf of a covered entity.

Which of These Entities Could Be Considered a Business Associate? Clear-Cut Examples

I've audited dozens of organizations, and these are the entities that consistently qualify as business associates — yet frequently slip through without a signed BAA:

  • IT service providers and cloud hosting companies — If they can access ePHI on your servers, they're a business associate. Period.
  • Medical billing and coding companies — They handle claims data packed with PHI every single day.
  • Third-party administrators (TPAs) — Processing claims for health plans absolutely involves PHI.
  • Attorneys and accountants — When legal counsel or a CPA firm accesses patient records for audits, litigation, or financial analysis, they qualify.
  • Shredding and document destruction companies — They physically handle paper records containing PHI.
  • Answering services for medical practices — If they take messages that include patient names, symptoms, or appointment details, they're handling PHI.
  • EHR and practice management software vendors — They store and transmit ePHI as their core function.
  • Data analytics firms — If a covered entity shares PHI with an analytics company for population health studies, that company is a business associate.

Notice the pattern. None of these entities are hospitals or health plans themselves. They orbit the healthcare system, and that orbit is exactly what creates the legal obligation.

Subcontractors Count Too

The 2013 HIPAA Omnibus Rule extended business associate status to subcontractors. If your billing company hires a software vendor to process claims, that software vendor is a business associate of the billing company. The chain doesn't break just because there's another link in it. HHS made this explicit in its business associate guidance.

Entities That Are NOT Business Associates

This list surprises people almost as much as the first one.

  • Members of your own workforce — Employees, volunteers, and trainees operating under the covered entity's direct control are not business associates, even if they handle PHI daily. They're covered under your workforce training obligations instead.
  • Other covered entities — When two hospitals share PHI for treatment purposes, neither one becomes the other's business associate. They're both covered entities acting in that capacity.
  • A patient's personal representative — A family member picking up a prescription isn't a business associate.
  • Conduit-only entities — The U.S. Postal Service, UPS, and internet service providers that merely transmit data without accessing it generally fall under the "conduit exception."
  • A bank processing financial transactions — Banks that handle payment for healthcare services, but never see clinical PHI, are typically excluded.

The conduit exception is narrow, though. If a courier company stores records overnight in a warehouse — even temporarily — they may have crossed the line from conduit to business associate.

The $1.5 Million Mistake: Why BAAs Aren't Optional

In 2018, OCR settled with Advanced Care Hospitalists (ACH) for $500,000 after ACH failed to enter into a business associate agreement with a medical billing company that had access to the PHI of over 400 patients. The billing company's employee had actually been convicted of identity theft using that data.

North Memorial Health Care paid $1.55 million in a settlement with OCR partly because it failed to have a business associate agreement with a major contractor. The PHI of 289,904 individuals was compromised when an unencrypted laptop was stolen from the contractor's workforce member.

These aren't outlier cases. They represent OCR's consistent enforcement posture: if you hand PHI to a vendor without a signed BAA, you've committed a HIPAA violation before anything even goes wrong. You can review OCR's enforcement actions on the HHS breach portal and resolution agreements page.

How to Determine if Your Vendor Is a Business Associate

I use a simple three-question test with every client I work with:

1. Does this entity create, receive, maintain, or transmit PHI? If yes, move to question two.

2. Is this entity a member of your workforce? If no, move to question three.

3. Does the conduit exception apply? If no — congratulations, you have a business associate. Get a BAA signed immediately.

Document this analysis for every vendor. When OCR comes knocking, they want to see that you thought it through, not that you guessed.

What the BAA Must Include

A business associate agreement isn't a handshake. It's a legally required contract that must specify how the business associate will safeguard PHI, report breaches, return or destroy PHI at termination, and make its practices available to HHS during an investigation. Templates exist, but cookie-cutter agreements often miss entity-specific risks. Have compliance counsel review every one.

The Gray Areas That Keep Compliance Officers Up at Night

Some vendor relationships genuinely live in the gray zone. Here are the ones I get asked about most:

Janitorial Services

A cleaning crew working in a clinic after hours might see PHI on desks or screens. Are they business associates? Generally no — as long as their job function doesn't involve accessing PHI. But if you contract them to shred documents or handle medical waste with identifiable information, the analysis changes.

Health Information Exchanges (HIEs)

HIEs that facilitate the electronic sharing of PHI between covered entities typically function as business associates. The data flows through them, and they maintain it — even briefly.

Researchers

A university research team that receives a limited data set with a data use agreement may not be a business associate. But if they receive full PHI under a different arrangement, they likely are. The details of the data sharing agreement matter enormously here.

SaaS Platforms and API Integrations

If your organization uses a scheduling platform, telehealth tool, or patient portal hosted by a third party, that vendor almost certainly qualifies as a business associate. I've seen practices assume their scheduling app "doesn't count" because patients enter their own data. That's not how HIPAA works. If the platform stores or transmits PHI, the vendor is a business associate.

Your Staff Needs to Know This — Not Just Your Compliance Officer

One of the biggest gaps I encounter isn't at the executive level. It's at the operational level. Front desk staff sign up for a new fax-to-email service. A department manager hires a freelance consultant to analyze patient flow. An office coordinator contracts with a records storage company. None of them think to loop in compliance.

Every one of those scenarios potentially creates a new business associate relationship — and a new HIPAA obligation. Your entire workforce needs baseline training on what triggers a BAA requirement. Our HIPAA training catalog covers business associate identification as part of comprehensive workforce compliance education.

Quick-Reference: Who Is and Isn't a Business Associate

Is a business associate:

  • IT managed services provider
  • Medical transcription service
  • Claims clearinghouse
  • EHR vendor
  • Third-party billing company
  • Cloud storage provider with PHI access
  • Shredding company
  • Consulting firm reviewing patient records

Is NOT a business associate:

  • Your employed staff
  • The postal service (conduit)
  • A bank handling payment transactions without clinical data
  • Another covered entity exchanging PHI for treatment
  • A patient's family member

What Happens When You Get This Right

Organizations that properly identify and manage their business associate relationships don't just avoid fines. They build a vendor ecosystem where everyone understands their role in protecting patient data. That means faster breach response, cleaner audits, and fewer midnight phone calls from your privacy officer.

Start with an inventory. List every vendor, contractor, and service provider. Run each one through the three-question test. Confirm you have current, signed BAAs for every entity that qualifies. Then make sure your workforce knows how to spot new business associate relationships before they become compliance gaps. If your team needs structured guidance, explore the HIPAA compliance training programs we offer — they're built for exactly this kind of operational readiness.

The next time someone asks which of these entities could be considered a business associate, your organization should already have the answer documented, trained, and enforced.