The Vendor That Cost a Health System $4.3 Million
In 2016, Advocate Health Care agreed to pay $5.55 million to HHS after multiple breaches — one of which involved an unauthorized business associate who had access to ePHI on unencrypted laptops. The organization couldn't produce signed business associate agreements for several vendors who handled protected health information. That single oversight became one of the largest HIPAA settlements at the time.
If you've ever wondered about real examples of business associates HIPAA rules actually apply to, this post is your field guide. I've spent years helping covered entities audit their vendor relationships, and the number-one mistake I see is assuming "business associate" only means the big IT company managing your EHR. It doesn't. Not even close.
What Exactly Is a Business Associate Under HIPAA?
A business associate is any person or organization — other than a member of a covered entity's own workforce — that creates, receives, maintains, or transmits PHI on behalf of that covered entity. The definition also covers subcontractors who handle PHI for another business associate.
This comes straight from the HIPAA Privacy Rule at 45 CFR § 160.103. If a vendor touches PHI in any form — paper, electronic, or verbal — they likely qualify.
Here's the part most organizations get wrong: you don't have to intend for a vendor to access PHI. If they could reasonably access it during the course of their work, HIPAA treats them as a business associate.
15 Real-World Examples of Business Associates HIPAA Covers
I keep a running list I share with clients during compliance audits. Here are the most common — and the most commonly overlooked — examples:
The Obvious Ones
- IT service providers and managed service providers (MSPs): If they host, maintain, or have access to systems containing ePHI, they're a business associate. Period.
- Cloud storage and SaaS vendors: Think cloud-based EHR platforms, email hosting services, even cloud backup providers. If PHI sits on their servers, they qualify.
- Medical billing companies: They process claims that are saturated with PHI — diagnoses, treatment codes, patient identifiers.
- Clearinghouses: They translate claims data between providers and payers. They're explicitly named in the HIPAA statute.
- Health information exchanges (HIEs): These organizations facilitate the electronic sharing of PHI across multiple providers.
The Ones Organizations Forget
- Document shredding companies: They physically handle paper records containing PHI. I've audited clinics that used a shredding service for years without a BAA in place.
- Answering services: That after-hours call service taking patient messages? They're writing down names, symptoms, callback numbers. That's PHI.
- Attorneys and law firms: When legal counsel accesses patient records for malpractice defense, payment disputes, or compliance advice, they become a business associate.
- Accountants and auditors: If they review financial records that contain patient-identifiable billing data, they qualify.
- Medical transcription services: They listen to dictation full of diagnoses, patient names, and treatment details.
- Courier and mailing services handling PHI: Not the U.S. Postal Service (explicitly excluded), but private courier companies that transport lab results or medical records.
- Practice management consultants: If they access patient scheduling systems, billing platforms, or operational data containing PHI, they're in scope.
- Interpreters and translation services: Especially relevant for community health settings — interpreters hear PHI directly during patient encounters.
- Software developers: If a developer builds or tests applications using real PHI (which they shouldn't, but often do), they're a business associate.
- Data analytics firms: Population health analytics vendors often ingest massive datasets that include identifiable patient information.
What About Community Health Workers and Their Partners?
This is a question I get constantly. Community health workers (CHWs) operate in settings where the line between workforce member and external partner blurs fast. A CHW employed by a hospital is part of the workforce — not a business associate. But a CHW contracted through an outside community organization? That organization is likely a business associate.
The same logic applies to community-based organizations that refer patients, coordinate care, or share social determinants of health data linked to specific individuals. If PHI changes hands, a business associate agreement must be in place.
If your organization employs or contracts with CHWs, our HIPAA training for community health workers covers exactly how these relationships work — including when a BAA is required and when it isn't.
How Do You Know If Someone Is a Business Associate?
Here's a quick test I use during audits. Ask three questions about every vendor, contractor, and partner:
- Does this entity create, receive, maintain, or transmit PHI on our behalf?
- Does this entity perform a function or activity regulated by HIPAA involving the use or disclosure of PHI?
- Could this entity reasonably access PHI — even accidentally — while performing their contracted services?
If the answer to any of those is yes, you almost certainly need a business associate agreement. HHS has published clear guidance on this at their business associate guidance page.
The $1.55 Million Mistake: Not Having a BAA
In 2017, the OCR settled with North Memorial Health Care of Minnesota for $1.55 million. The issue? North Memorial gave a business associate — an accounting firm — access to a database containing the ePHI of 289,904 individuals without ever executing a business associate agreement. The firm's laptop was stolen. Because no BAA existed, North Memorial had no contractual leverage, no assurance of safeguards, and no defined breach notification process.
This is exactly the scenario your organization must avoid. The BAA isn't just paperwork. It's your contractual safety net. It defines who's responsible for what when something goes wrong — and something always goes wrong eventually.
What Must a Business Associate Agreement Include?
A valid BAA under HIPAA must address several specific elements:
- Permitted and required uses and disclosures of PHI by the business associate
- A prohibition against using or disclosing PHI beyond what the contract allows
- Requirements for appropriate administrative, physical, and technical safeguards
- Breach notification obligations — specifically, reporting to the covered entity without unreasonable delay
- Requirements that the business associate ensure any subcontractors agree to the same restrictions
- The obligation to make PHI available to satisfy an individual's right of access
- Termination provisions if the business associate violates the agreement
For the full regulatory text, see 45 CFR § 164.504(e).
Subcontractors Count Too — And Most Organizations Miss Them
Since the 2013 HIPAA Omnibus Rule, business associates are directly liable for HIPAA compliance. That includes their subcontractors. If your billing company outsources data entry to a third-party firm in another state, that firm is a business associate of your billing company — and needs its own BAA.
I've seen chains of three and four subcontractors deep, each handling ePHI, with zero agreements in place beyond the first link. This is a ticking time bomb. Your risk assessment should map every vendor relationship at least two levels deep.
The Audit Move That Catches 90% of BAA Gaps
Here's what I tell every compliance officer: pull your accounts payable records for the past 12 months. Every vendor that received a payment from your organization is a candidate. Cross-reference that list against your BAA inventory. The gaps will jump off the page.
I've done this exercise with hospital systems and found 20 to 30 vendors without agreements — shredding companies, IT consultants, temporary staffing agencies sending workers into clinical areas. Each one represented an uncontrolled risk.
If you want your team — especially staff who interact with outside vendors — to understand what triggers BAA requirements, our HIPAA training catalog includes courses built for exactly this scenario.
Does Every Vendor Need a BAA?
No. And this distinction matters. The janitorial crew that cleans your lobby? Probably not a business associate — unless they're cleaning exam rooms and could access paper charts or screens displaying PHI. Your general office supply vendor? No. Your landlord? Generally no, unless they have access to areas where PHI is stored.
The key question is always access to PHI. Not proximity. Not possibility. Reasonable access during the normal course of the contracted service.
Where Organizations Go From Here
Identifying examples of business associates HIPAA regulations cover is the starting point, not the finish line. Once you've mapped your vendor relationships, you need signed BAAs, documented risk assessments for each business associate, and training for your workforce on how to manage these relationships day to day.
Start with the accounts payable audit. Update your BAA inventory. Train your staff to flag new vendor relationships before PHI gets shared. These three steps will close more compliance gaps than any single policy revision.
Because the next OCR enforcement action won't care that you didn't know your answering service was a business associate. They'll care that you didn't bother to find out.