The Vendor Gap Behind a $5.55 Million HIPAA Settlement
In 2016, Advocate Health Care Network agreed to pay $5.55 million to settle potential HIPAA violations arising from three separate breaches, at the time the largest HIPAA settlement on record. Alongside the missing risk analysis and the unencrypted devices, one of OCR's findings was that Advocate had not obtained satisfactory written assurances from a business associate whose network was accessed by an unauthorized third party. They didn't have a handle on who had access to protected health information and under what terms, and that blind spot became part of the record in one of the largest settlements in the program's history.
Understanding the business associate definition under HIPAA isn't an academic exercise. It's the difference between a manageable vendor relationship and a seven-figure enforcement action. If your organization handles PHI in any capacity, this is the concept you need nailed down cold.
I've spent years helping covered entities audit their vendor lists and I can tell you — most organizations have at least one undocumented business associate. Some have a dozen. Here's everything you need to know to avoid becoming a cautionary tale.
The Actual Business Associate Definition Under HIPAA
A business associate is any person or organization, other than a member of your workforce, that creates, receives, maintains, or transmits PHI while performing functions or activities on behalf of a covered entity, or that provides certain services to a covered entity where providing them involves access to PHI. That's the core of it.
HHS defines the term in the definitions section of the HIPAA Administrative Simplification regulations, 45 CFR § 160.103. The definition was significantly expanded by the HITECH Act of 2009 (which made business associates directly liable) and by the 2013 Omnibus Rule (which pulled subcontractors, health information organizations, and personal health record vendors into scope). You can read the full regulatory text at law.cornell.edu.
The business associate definition captures a wide range of relationships. If a company touches, transmits, stores, or could reasonably access your patients' PHI while doing work for you, they're almost certainly a business associate.
Common Examples You Might Miss
- Cloud storage providers — Even if they claim they don't "look at" your data, if they store ePHI on their servers, they're a business associate.
- IT support vendors — That managed services company troubleshooting your EHR remotely? Business associate.
- Billing companies and clearinghouses — Classic example, but I still find practices without signed BAAs for their billing service.
- Shredding and document destruction companies — They handle paper PHI. They qualify.
- Attorneys and accountants — When their work involves access to individually identifiable health information, they meet the business associate definition.
- Answering services — If they take patient calls and record messages with health details, they're in scope.
The one that catches people off guard most often? Their email provider. If your staff sends ePHI through a hosted email platform, that platform provider is a business associate.
Business Associate vs. Covered Entity: Where the Line Falls
A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, remittances, and so on). A business associate is the outside party performing work for that covered entity that requires PHI access.
The distinction matters because it determines who bears primary accountability. Since HITECH, as implemented by the Omnibus Rule, business associates are directly liable for compliance with the Security Rule, the Breach Notification Rule, and the Privacy Rule provisions that apply to them. They're no longer just contractually bound, and OCR can and does go after business associates independently.
Here's a real example: in 2018, Fresenius Medical Care North America paid $3.5 million after five separate breach incidents at five of its facilities. OCR's findings centered on the absence of an accurate, enterprise-wide risk analysis and on missing device, media, and encryption controls, the same Security Rule obligations a business associate now carries directly. When I train organizations using our HIPAA Introduction Training 2026 course, this is where I see the most "aha" moments: when people realize the regulatory exposure flows in both directions.
What Triggers the Business Associate Relationship
The Two-Part Test I Use in Every Audit
When I assess whether a vendor meets the business associate definition, I ask two questions:
1. Does this vendor perform a function or activity on your behalf that involves creating, receiving, maintaining, or transmitting PHI? The regulation lists claims processing or administration, data analysis, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing.
2. Does this vendor provide a service to you that requires access to PHI? The regulation lists legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services.
If the answer to either question is yes, and none of the exceptions below applies, you have a business associate. Full stop.
Who Doesn't Qualify
Not every vendor is a business associate. HHS has carved out specific exceptions:
- Members of your workforce — Employees, volunteers, and trainees under your direct control are not business associates. They're covered under your workforce training obligations.
- Conduit entities — The postal service, couriers such as UPS, and internet service providers that merely transmit PHI and have only random or transient access to it in the course of transmission.
- Other covered entities acting in their own right — A healthcare provider that receives PHI to treat the patient, or a health plan that receives it for its own payment or operations, is acting as a covered entity, not as your business associate. A covered entity can still be your business associate when it performs one of the functions or services above for you.
The conduit exception is narrow and frequently misapplied. A data center that stores your encrypted ePHI is not a conduit — they're a business associate. The distinction is whether the entity has more than transient access to PHI. HHS guidance on this is available at HHS.gov's business associate guidance page.
The Business Associate Agreement: Your Only Safety Net
Identifying a business associate is step one. Step two — the one that actually protects you — is executing a Business Associate Agreement (BAA). Without a signed BAA, you're in violation of HIPAA regardless of how secure your vendor actually is.
A BAA must include specific elements mandated by 45 CFR § 164.504(e)(2):
- A description of the permitted and required uses and disclosures of PHI
- A requirement that the business associate won't use or further disclose PHI beyond what the agreement or the law permits
- Appropriate safeguards, including compliance with the Security Rule for ePHI, to prevent unauthorized use or disclosure
- Reporting obligations: the business associate must report any use or disclosure not provided for by the agreement, including security incidents and breaches of unsecured PHI, and under 45 CFR § 164.410 a breach must be reported to the covered entity without unreasonable delay and no later than 60 calendar days after discovery
- A flow-down requirement that any subcontractor handling PHI on the business associate's behalf agrees to the same restrictions and conditions
- Support for individuals' rights: making PHI available for access, amendment, and an accounting of disclosures
- Requirements for returning or destroying PHI at termination, or extending the protections if return or destruction is infeasible
- Assurance that the business associate will make its internal practices, books, and records available to HHS for compliance review
I've reviewed hundreds of BAAs. The most common failure? They're signed and filed away. Nobody checks whether the business associate is actually complying with the terms. A BAA without oversight is a piece of paper, not a compliance program.
OCR Enforcement: They're Watching Both Sides Now
Before HITECH and the 2013 Omnibus Rule, OCR could only enforce HIPAA against covered entities. Now, business associates face direct enforcement. And OCR has used that authority.
In 2020, CHSPSC LLC — a business associate providing IT and health information management services to Community Health Systems hospitals — agreed to a $2.3 million settlement over a 2014 breach affecting about 6.1 million individuals. The FBI had warned CHSPSC in April 2014 that an advanced persistent threat group had compromised its systems; OCR found that CHSPSC failed to respond to that known threat for months, failed to conduct an adequate risk analysis, and failed to implement access and audit controls. The full details are on OCR's enforcement page for CHSPSC.
That case should be required reading for every business associate in the country. It proves the business associate definition isn't just regulatory language — it's an enforcement trigger.
How to Audit Your Business Associate Relationships Today
Step 1: Build a Complete Vendor Inventory
List every third party that interacts with your organization. Every single one. I mean the copier company, the cloud backup provider, the transcription service, and the consultant you hired last quarter. Then apply the two-part test above.
Step 2: Check for Signed, Current BAAs
Pull your BAA files. Match them against your vendor inventory. I guarantee you'll find gaps. Every gap is a violation. Every violation is exposure.
Step 3: Verify Compliance — Don't Just Trust the Signature
Request evidence that your business associates are conducting risk analyses, training their workforce, and maintaining security controls. You're not required to audit them, but under 45 CFR § 164.504(e)(1)(ii), once you know of a pattern of activity or practice that materially breaches the BAA you must take reasonable steps to cure it or terminate the agreement. Willful ignorance isn't a defense OCR respects.
Step 4: Train Your Workforce to Recognize Business Associates
Your front desk staff, your office manager, your community health workers — they all need to understand that sharing PHI with a new vendor without a BAA creates instant liability. Programs like our HIPAA Training for Community Health Workers build exactly this kind of awareness at every level of your organization.
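As an added worked example (not the article's own tooling, and using constructed vendor names, dates, and activities), here is a small reconciliation script that applies the two-part test and the workforce and conduit exceptions from above to a vendor inventory, then flags every business associate with no BAA or an expired one, plus any BAA on file for a vendor the inventory never captured. The activity and service lists are the ones the regulation enumerates; the vendor records, register entries, and finding codes are illustrative.

```python
"""Reconcile a vendor inventory against a BAA register.

Added illustration, not the article's tooling.  It applies the two-part
test plus the workforce and conduit exceptions, then checks that every
business associate has a signed, unexpired BAA.  All vendor and BAA
records below are constructed sample data, not real organizations.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Functions and services enumerated in the definition at 45 CFR 160.103
BA_FUNCTIONS = {
    "claims processing", "data analysis", "utilization review",
    "quality assurance", "patient safety activities", "billing",
    "benefit management", "practice management", "repricing",
}
BA_SERVICES = {
    "legal", "actuarial", "accounting", "consulting", "data aggregation",
    "management", "administrative", "accreditation", "financial",
}


@dataclass(frozen=True)
class Vendor:
    name: str
    activities: frozenset       # what the vendor does for you
    phi_access: str             # "none", "transient" or "persistent"
    workforce: bool = False     # employee/volunteer/trainee under your control


@dataclass(frozen=True)
class Baa:
    vendor: str
    signed: date
    expires: Optional[date] = None   # None: no fixed term


def classify(v: Vendor):
    """Return (category, reason) for one vendor."""
    if v.workforce:
        return "workforce", "workforce member under direct control"
    if v.phi_access == "none":
        return "not_ba", "no access to PHI"
    if v.phi_access == "transient":
        # Conduit exception: transmission only, no persistent storage.
        return "conduit", "transmission only (conduit exception)"
    funcs = v.activities & BA_FUNCTIONS
    if funcs:
        return "business_associate", "performs regulated function: " + ", ".join(sorted(funcs))
    svcs = v.activities & BA_SERVICES
    if svcs:
        return "business_associate", "provides service involving PHI: " + ", ".join(sorted(svcs))
    # Anything else with persistent access (cloud storage, shredding) still
    # maintains PHI on your behalf and is a business associate.
    return "business_associate", "creates, receives, maintains or transmits PHI"


def audit(vendors, baas, today: date):
    """Return (vendor, finding_code, detail) tuples for every gap found."""
    register = {b.vendor: b for b in baas}
    findings = []
    seen = set()
    for v in vendors:
        seen.add(v.name)
        category, reason = classify(v)
        if category != "business_associate":
            continue
        baa = register.get(v.name)
        if baa is None:
            findings.append((v.name, "MISSING_BAA", reason))
        elif baa.expires is not None and baa.expires < today:
            findings.append((v.name, "EXPIRED_BAA", "expired " + baa.expires.isoformat()))
    # A BAA with no inventory entry means the inventory itself is incomplete.
    for name in register:
        if name not in seen:
            findings.append((name, "NOT_IN_INVENTORY", "BAA on file, vendor missing from inventory"))
    return findings


def sample_inventory():
    """Constructed sample vendors (hypothetical names)."""
    return [
        Vendor("CloudVault Backup", frozenset({"storage"}), "persistent"),
        Vendor("MedBill Partners", frozenset({"billing"}), "persistent"),
        Vendor("Regional Courier", frozenset({"transport"}), "transient"),
        Vendor("Smith & Park LLP", frozenset({"legal"}), "persistent"),
        Vendor("Office Plants Co", frozenset({"plant care"}), "none"),
        Vendor("Volunteer greeter", frozenset(), "persistent", workforce=True),
    ]


def sample_register():
    """Constructed sample BAA register (hypothetical dates)."""
    return [
        Baa("MedBill Partners", date(2019, 1, 15), date(2022, 1, 15)),
        Baa("Smith & Park LLP", date(2024, 3, 1)),
        Baa("Legacy Analytics", date(2018, 6, 1)),
    ]


def run_sample(today=date(2025, 1, 1)):
    return audit(sample_inventory(), sample_register(), today)


if __name__ == "__main__":
    for vendor, code, detail in run_sample():
        print(f"{code:17} {vendor}: {detail}")
```

On the sample data the script reports the backup provider with no BAA at all, the billing company whose BAA lapsed in 2022, and an analytics firm that has a BAA on file but never made it into the inventory; the courier (conduit), the volunteer (workforce), and the plant-care vendor (no PHI) produce no findings. The `phi_access` field is the judgment call a human still has to make: persistent storage is never "transient," even when the vendor says it never opens the data.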
What Exactly Is a Business Associate Under HIPAA?
A business associate is any person or entity, other than a member of a covered entity's workforce, that creates, receives, maintains, or transmits protected health information on behalf of a covered entity, or that provides services to a covered entity involving PHI access. A subcontractor that handles PHI on behalf of a business associate is itself a business associate. This definition is established by 45 CFR § 160.103 and was expanded by the HITECH Act and the 2013 Omnibus Rule. Business associates are directly subject to HIPAA's Security Rule, certain Privacy Rule provisions, and the Breach Notification Rule.
The Bottom Line on Business Associate Compliance
Getting the business associate definition right isn't a technicality. It's a foundational requirement. Every covered entity I've worked with that suffered a major breach had at least one business associate relationship that wasn't properly documented, trained, or monitored.
Your action items are straightforward: build the inventory, sign the agreements, verify compliance, and train your people. If you need a starting point, explore the full HIPAA training catalog to get your team up to speed on the rules that actually matter.
Because the next OCR investigation won't care whether you understood the definition. It'll care whether you acted on it.