In 2018, a medical billing company called Advanced Care Hospitalists (ACH) paid $500,000 to settle with HHS after a billing contractor it had engaged, an individual who claimed to represent a Florida-based company, left the PHI of thousands of ACH patients viewable on a public website. The twist? ACH had never signed a business associate agreement with him, and it only learned of the exposure when a local hospital called to say patient information was sitting on the web. If you work with any outside vendor that touches patient data, the concept of a HIPAA business associate isn't just legal jargon. It's the thing that determines whether your organization absorbs someone else's breach.
This post breaks down exactly who qualifies as a business associate, what your agreements must contain, and where I've seen organizations — from solo practices to health systems — get burned by ignoring the details.
What Is a HIPAA Business Associate, Exactly?
A HIPAA business associate is any person or organization that performs a function or activity on behalf of a covered entity — or provides services to a covered entity — that involves access to protected health information (PHI). Think billing companies, IT support vendors, cloud storage providers, shredding services, consultants, and even certain subcontractors.
The definition comes straight from 45 CFR § 160.103. If someone creates, receives, maintains, or transmits PHI on your behalf (the regulation's exact verbs), they're almost certainly a business associate under the HIPAA Privacy and Security Rules.
The Gray Areas That Trip People Up
Here's where I see confusion constantly. A janitorial crew that enters a clinic after hours? Probably not a business associate; incidental exposure to PHI while cleaning is not a service performed on PHI. Hire that same crew to shred documents containing PHI and they are one. A courier or ISP that merely carries PHI from point A to point B falls under the narrow "conduit" exception, which covers only transmission services with random or infrequent access. A cloud storage vendor that encrypts data and claims it "never looks at it"? Still a business associate. OCR's 2016 cloud computing guidance is explicit that a provider storing encrypted ePHI is maintaining ePHI and is a business associate even when it holds no decryption key. What matters is whether the vendor creates, receives, maintains, or transmits PHI on your behalf, not whether anyone intends to read it.
I've also seen organizations miss the fact that health information exchanges, patient safety organizations, and even certain researchers can fall into business associate territory. When in doubt, treat the relationship as one that requires a Business Associate Agreement (BAA).
The $750,000 Mistake: Why BAAs Aren't Optional
In 2016, Raleigh Orthopaedic Clinic paid $750,000 to settle allegations that it handed over X-ray films containing the PHI of roughly 17,300 patients to a vendor hired to convert them to electronic media, without a business associate agreement in place. No BAA, no safeguard language, nothing.
And that case is far from unique. OCR has made it clear that failing to execute a BAA before sharing PHI is one of the most common — and most avoidable — compliance failures. Every enforcement action sends the same message: the paperwork isn't bureaucracy. It's your legal shield.
What a Business Associate Agreement Must Include
A BAA isn't a boilerplate document you download and sign without reading. Under 45 CFR § 164.504(e), with parallel Security Rule requirements in 45 CFR § 164.314(a), a valid agreement must address specific elements:
- Permitted and required uses and disclosures of PHI by the business associate
- A prohibition against using or disclosing PHI beyond what the contract permits or the law requires
- Requirements to implement appropriate safeguards, and to comply with the Security Rule (Subpart C of Part 164) for any ePHI
- Obligations to report to the covered entity any use or disclosure not provided for by the contract, including breaches of unsecured PHI under 45 CFR § 164.410
- Requirements that the business associate ensure any subcontractors agree, in writing, to the same restrictions and conditions
- The obligation to make PHI available for individual access requests, to incorporate amendments, and to provide the information needed for an accounting of disclosures
- An obligation to make internal practices, books, and records available to HHS for compliance review
- Return or destruction of PHI at termination of the agreement, where feasible, with protections extended to any PHI that cannot be returned or destroyed
- Authorization for the covered entity to terminate the contract if the business associate violates a material term
If your BAA is missing any of these elements, you have a compliance gap. I've reviewed agreements that were three pages of legalese and missed half these points. Length doesn't equal coverage.
Business Associates Are Directly Liable — Not Just the Covered Entity
Before the HITECH Act, business associates existed in a kind of enforcement shadow. Covered entities were on the hook; BAs were bound only by contract and largely skated. HITECH changed that in 2009, and the 2013 Omnibus Rule made the direct liability fully effective, with a compliance date of September 23, 2013.
Today, a HIPAA business associate is directly liable for compliance with the HIPAA Security Rule, for the Privacy Rule provisions that apply to it (including the use and disclosure limits and the subcontractor requirement), and for notifying the covered entity of breaches of unsecured PHI under 45 CFR § 164.410. OCR can, and does, bring enforcement actions directly against business associates.
Real Consequences for Business Associates
In 2020, CHSPSC LLC, a management company providing IT and health information services to hospitals, agreed to a $2.3 million settlement with OCR after a 2014 breach affecting over 6 million individuals. The company was acting as a business associate. Attackers used compromised credentials to get in through remote access; the FBI notified CHSPSC of the intrusion in April 2014, yet the attackers kept access for roughly four more months. OCR found failures in risk analysis, information system activity review, security incident procedures, access controls, and audit controls for ePHI.
That case underscores something I tell every vendor I consult with: being a business associate doesn't mean you're a secondary player. You carry the same regulatory weight as the covered entity when it comes to safeguarding PHI.
How to Vet and Monitor Your Business Associates
Signing a BAA isn't the finish line. It's the starting line. Here's the process I recommend to every organization I work with:
Step 1: Inventory Every Vendor Relationship
Map out every vendor, contractor, and service provider that interacts with your organization. For each one, ask a single question: does this entity create, receive, maintain, or transmit PHI on our behalf? If yes, they need a BAA. Sharing PHI with another provider for treatment does not create a business associate relationship; a third party performing a service for you does.
Step 2: Conduct Due Diligence Before Signing
Ask for evidence of the vendor's own HIPAA compliance program. Do they conduct annual risk assessments? Do they train their workforce? Do they have an incident response plan? Can they show a recent third-party audit report or their own risk analysis, rather than a marketing page that says "HIPAA compliant"? If they can't answer these questions, that's a red flag, not a negotiation point.
Step 3: Review and Update BAAs Annually
Regulations evolve. Services change. A BAA signed in 2019 may not account for the vendor's expanded cloud services or new subcontractors. Build annual BAA review into your compliance calendar.
Step 4: Train Your Own Team
Your staff members who manage vendor relationships need to understand what triggers a business associate designation. Community health workers, care coordinators, and outreach staff frequently share PHI with outside organizations without realizing the implications. Our HIPAA training for community health workers covers these scenarios in practical detail — including when a referral partner or social services agency qualifies as a business associate.
Can a Subcontractor Be a HIPAA Business Associate?
Yes. Under the HITECH Act and the 2013 Omnibus Rule, subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves considered business associates. This means a business associate must execute a BAA with its own subcontractors. The chain of accountability doesn't stop at the first vendor — it extends to every entity downstream that touches PHI.
I've seen this catch IT companies off guard. They hire a data center, the data center hires a backup provider, and suddenly there are three layers of business associate relationships — each requiring a valid agreement and each carrying direct liability under HIPAA.
The Five Fastest Ways to Fail a HIPAA Business Associate Audit
Based on years of consulting and reviewing OCR enforcement patterns, these are the failures I see most often:
- No BAA in place at all. Still the number one problem. Organizations assume verbal agreements or generic service contracts are enough.
- BAA doesn't address subcontractors. If your vendor outsources any PHI-related function, your agreement must require downstream BAAs.
- No evidence of Security Rule compliance by the BA. A signed agreement means nothing if the business associate hasn't implemented access controls, encryption, or audit logs for ePHI.
- Failure to act on a known violation. Under 45 CFR § 164.504(e)(1)(ii), a covered entity that knows of a pattern or practice of material BAA violations must take reasonable steps to cure it and, if that fails, terminate the contract. Ignoring the problem makes you noncompliant as well.
- No workforce training on BA obligations. Staff who don't understand business associate rules will share PHI with unvetted vendors, and an impermissible disclosure like that is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
If any of these apply to your organization, address them now. Not after an OCR inquiry.
Building a Culture Where Business Associate Compliance Is Automatic
The organizations that handle business associate compliance well don't treat it as a legal checkbox. They embed it into procurement, onboarding, and ongoing vendor management. Every new vendor relationship triggers a compliance review. Every contract renewal includes a BAA assessment.
That kind of culture starts with education. If your workforce — from front desk staff to executives — understands what a HIPAA business associate is and why it matters, you catch problems before they become breaches. Browse our full HIPAA training catalog to find role-specific courses that build this awareness across every level of your organization.
The reality is straightforward: your organization's HIPAA compliance is only as strong as the weakest vendor in your chain. Every unsigned BAA, every unvetted subcontractor, every untrained employee who shares PHI with an outside party — each one is a door you've left open. Close them now, while the choice is still yours.