A cloud storage vendor loses a laptop containing 20,000 patient records. The hospital that hired them gets the breach notification letter. The vendor insists it's not their problem — they're "just a tech company." Three years later, the Department of Health and Human Services settles with both organizations for a combined penalty exceeding $4 million. That vendor? A textbook business associate. And not knowing what counts as a business associate under HIPAA is exactly what made the situation catastrophic.

If your organization handles protected health information — or pays someone else to handle it — you need to understand this concept cold. It's not optional. It's not academic. It's the single most common blind spot I see in HIPAA compliance programs, and it's where OCR has been landing some of its heaviest punches.

What Are Business Associates? A Straight Answer

A business associate is any person or organization, other than a member of the covered entity's own workforce, that creates, receives, maintains, or transmits protected health information (PHI) while performing a function or activity on behalf of a covered entity — a health plan, healthcare clearinghouse, or healthcare provider — or that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a covered entity where doing so involves the disclosure of PHI. This definition comes directly from 45 CFR § 160.103.

Think billing companies, IT consultants, cloud hosting providers, shredding services, law firms doing compliance work, medical transcription services, and even certain accreditation organizations. If they touch PHI on your behalf, they're a business associate.

Here's the critical part most people miss: business associates are directly liable under HIPAA. The HITECH Act of 2009 extended the Security Rule and key Privacy Rule obligations to business associates, and the 2013 Omnibus Rule put that liability into the regulations. Before that, only covered entities faced penalties from OCR. Now, OCR can — and does — go after business associates independently.

The $3.5 Million Mistake You Don't Want to Make

In 2018, OCR settled with Fresenius Medical Care North America for $3.5 million following five separate breaches reported in 2012 at five of its facilities, most involving stolen or missing devices containing ePHI. OCR cited the organization for failing to conduct an accurate and thorough risk analysis and for gaps in the policies and safeguards governing devices and media that held ePHI. Those are exactly the kinds of gaps that business associate relationships create when left unmanaged: the covered entity's PHI ends up on hardware and in systems it does not control and has never assessed.

I've personally reviewed compliance programs where the covered entity had no idea how many business associates they actually had. One mid-sized clinic I worked with discovered they had 47 vendors with PHI access — and valid Business Associate Agreements for only 11 of them.

That's not a paperwork problem. That's a ticking enforcement action.

Business Associates vs. Covered Entities: Know the Difference

Covered entities are the healthcare providers, health plans, and clearinghouses that HIPAA was originally designed to regulate. Business associates exist one layer out — they're the organizations that support covered entities and need PHI access to do their jobs.

A Quick Test

Ask yourself: Does this vendor create, receive, maintain, or transmit PHI on our behalf? If yes, they're almost certainly a business associate. If they only perform functions where PHI exposure is incidental and not needed to do the job — like a janitorial service that might glimpse a chart on a desk — they typically are not. The same goes for pure conduits, such as the postal service or a carrier that merely transmits data and does not store it.

But the line isn't always obvious. A law firm reviewing medical records during litigation? Business associate. An accountant processing claims data? Business associate. Your nephew who "does your IT" and has remote access to your EHR? Absolutely a business associate.

What a Business Associate Agreement (BAA) Must Include

Every business associate relationship requires a written Business Associate Agreement. This isn't a handshake deal. HHS spells out the required elements in 45 CFR § 164.504(e), and I've seen OCR cite organizations specifically for BAAs that were missing key provisions.

At minimum, your BAA must address:

  • How the business associate will use and disclose PHI — and the limits on that use
  • Safeguards the business associate will implement to prevent unauthorized use or disclosure of PHI, including compliance with the Security Rule for ePHI
  • Breach notification obligations — how quickly and to whom the business associate must report breaches and security incidents
  • Support for the covered entity's obligations to individuals — access, amendment, and accounting of disclosures — when the business associate holds the relevant PHI
  • The business associate's obligation to make its internal practices, books, and records available to HHS for compliance review
  • The requirement to return or destroy PHI when the contract ends, or to extend the agreement's protections if that isn't feasible
  • The covered entity's right to terminate the agreement if the business associate materially violates it
  • Whether the business associate can use subcontractors — and the requirement that each subcontractor sign a downstream BAA with the same restrictions

HHS provides guidance on these provisions at its sample BAA provisions page. I recommend every compliance officer bookmark it.

Subcontractors: The Business Associates You Forgot About

Here's where it gets layered. When your business associate hires its own vendor to create, receive, maintain, or transmit your PHI — say, a cloud hosting company to store the billing data they process for you — that subcontractor is also a business associate under HIPAA. The subcontractor needs its own BAA with your business associate, and that BAA has to carry the same restrictions and conditions that apply upstream.

I've seen this chain extend three and four levels deep. Each link in that chain is a potential breach point. Each one needs a valid agreement. Each one is independently liable to OCR.

Your compliance program should require business associates to disclose their subcontractors and confirm downstream BAAs are in place. If you're not asking, you're assuming — and assumptions don't hold up in an OCR investigation.

A Real-World Subcontractor Scenario

Imagine your practice uses a billing company. That billing company uses a cloud platform. The cloud platform uses a data center managed by a third party. Patient records sit on servers three organizations removed from your front desk. If any one of those entities has a breach, your patients are affected — and your organization's name ends up in the notification letter.

What Happens When Business Associate Relationships Go Wrong

The enforcement record tells the story clearly. In 2020, OCR settled with CHSPSC LLC — a business associate providing IT and health information management services to Community Health Systems — for $2.3 million after a breach affecting over 6 million individuals. The root cause? Failure to conduct a proper risk analysis, among other Security Rule violations.

That settlement targeted the business associate directly — not the covered entities it served. OCR made a clear statement: if you're a business associate, you own your HIPAA obligations. Period.

How to Build a Business Associate Management Program That Actually Works

In my experience, the organizations that avoid trouble do four things consistently:

1. Inventory Every Vendor With PHI Access

Start with a complete list. Include obvious ones like billing companies and EHR vendors. Then go deeper: answering services, courier companies, consultants, IT managed service providers, even certain benefits brokers. If they touch PHI, they go on the list.

2. Execute BAAs Before Work Begins

Not after. Not "when legal gets around to it." Before a single record is shared. Make this a non-negotiable step in your vendor onboarding process.

3. Verify Compliance Annually

A signed BAA isn't a one-and-done event. Request evidence that your business associates conduct risk analyses, train their workforce, and maintain security policies. Some organizations send annual compliance questionnaires. I've seen larger health systems require third-party audits.

4. Train Your Own Workforce to Recognize BA Relationships

Your staff need to understand what triggers a business associate relationship so they don't accidentally create one without proper agreements. This is where targeted workforce training pays for itself. Our HIPAA training for community health workers covers these scenarios in practical terms — because frontline staff are often the ones handing PHI to outside parties without realizing the implications.

Does Every Vendor Need a BAA?

No. And this is an important distinction. A vendor who never creates, receives, maintains, or transmits PHI on your behalf is not a business associate. Your office supply company doesn't need a BAA. Your electrician doesn't need one either.

But the moment a vendor's role puts them in contact with PHI beyond the incidental, you need to evaluate. When in doubt, treat them as a business associate. The cost of an unnecessary BAA is a few hours of legal review. The cost of a missing one can be millions.

Your Business Associate Checklist for 2026

If you haven't audited your business associate relationships recently, now is the time. Here's your action list:

  • Pull a complete vendor list and flag every organization with potential PHI access
  • Verify a signed, current BAA exists for each flagged vendor
  • Review each BAA against HHS requirements — many older agreements are missing post-Omnibus provisions
  • Confirm subcontractor disclosure and downstream BAAs
  • Document everything — OCR investigators want to see evidence, not promises

Building this muscle takes training, and not just for your compliance officer. Every member of your workforce who interacts with outside organizations needs to understand the basics. Explore our full HIPAA training catalog to find the right fit for each role in your organization.

The Bottom Line on Business Associates

Understanding what a business associate is isn't just a vocabulary exercise. It's a core operational requirement that determines whether your organization can withstand an OCR investigation, survive a breach, and maintain the trust of every patient whose data you hold.

The vendors you choose are extensions of your compliance program. Treat them that way — with clear agreements, ongoing oversight, and zero assumptions. Because when a breach happens three vendors deep, it's still your patients' PHI on the line.