# Business Associate

## Definition
A business associate is a person or organization that performs services for a healthcare covered entity or another business associate and needs access to protected health information to do that work. Under HIPAA, the concept is used to identify third parties that are not part of the covered entity but still have legal, contractual, and security responsibilities when they create, receive, maintain, transmit, or otherwise handle regulated health information on the covered entity's behalf. Common business associates include billing companies, cloud service providers, managed IT providers, analytics platforms, consultants, attorneys, data hosting providers, and software vendors supporting healthcare operations. The role is important because it extends privacy and security accountability beyond the healthcare organization itself. A business associate is usually required to sign a business associate agreement that defines permitted uses of data, safeguards, breach notification expectations, subcontractor obligations, and termination procedures. Similar concepts appear in other compliance programs as data processors, service providers, suppliers, or third-party vendors with delegated data handling responsibilities.
## Real-World Examples

### Healthcare Billing Provider

A clinic uses an external billing company to process claims and payment information that includes patient identifiers and treatment details.

### Cloud Hosting for Health Records

A digital health startup stores patient records with a cloud infrastructure provider that maintains systems containing protected health information.

### Managed IT Support

A hospital hires an IT services firm to administer user accounts, backups, endpoint security, and systems that may contain health data.

### Analytics Subcontractor

A health platform uses a subcontractor to analyze patient engagement data, requiring controls over downstream access and permitted use.
## Frequently Asked Questions

A business associate is a third party that performs services for a healthcare covered entity and handles protected health information on its behalf. In compliance programs, the term helps identify which external parties need contractual safeguards, security controls, monitoring, and breach notification obligations.
A business associate supports healthcare operations, payment, administration, technology, legal, analytics, or other services that require access to regulated health information. Examples include billing, claims processing, hosting, software support, data analysis, consulting, and managed IT services.
An organization or individual may qualify as a business associate when it creates, receives, maintains, transmits, or otherwise handles protected health information for a covered entity or another business associate. The label depends on the role and the data access involved, not just the vendor's industry or contract title.
A vendor is any supplier or service provider, while a business associate is a specific type of vendor that handles protected health information for a covered entity. Not every vendor is a business associate, but vendors with access to regulated health information often require additional contractual and security obligations.
A business associate agreement is generally required when a third party performs services for a covered entity and needs access to protected health information, or when a subcontractor handles protected health information for a business associate. The agreement documents how the information may be used, protected, reported, returned, destroyed, and shared with approved subcontractors.
A business associate agreement should define permitted uses of protected health information, required safeguards, breach reporting duties, subcontractor requirements, access and amendment support, audit cooperation, termination obligations, and expectations for returning or destroying data when the relationship ends.
Yes. A business associate is expected to apply appropriate administrative, technical, and physical safeguards to protect regulated health information. This may include access control, encryption, logging, workforce training, incident response, risk assessment, backup procedures, and vendor oversight.
Yes. A subcontractor that receives or handles protected health information from a business associate may also have business associate responsibilities. Organizations should ensure downstream subcontractors are contractually bound to appropriate privacy, security, breach reporting, and data handling requirements.
Common examples include billing services, electronic health record vendors, cloud hosting providers, claims processors, data analytics firms, legal counsel, accounting firms, managed service providers, transcription services, and consultants that access protected health information while supporting healthcare operations.
Organizations should assess business associate risk by reviewing the data shared, systems accessed, security controls, subcontractors, incident history, contractual commitments, audit evidence, and breach notification procedures. Higher-risk relationships should receive stronger due diligence, ongoing monitoring, and documented remediation tracking.
## Revision History

| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |