HIPAA Business Associates: Definition, Examples & Obligations
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
The business associate framework is one of HIPAA's most practically important concepts. Almost every healthcare organization — from solo practices to large hospital systems — relies on third-party vendors for functions that require handling patient data. Understanding exactly who qualifies as a business associate, what they must agree to, and what happens when they violate those agreements is essential for maintaining HIPAA compliance.
The Definition Under 45 CFR § 160.103
The regulatory definition of "business associate" appears at 45 CFR § 160.103. An entity is a business associate if it performs or assists in the performance of a function or activity on behalf of a covered entity that involves the use or disclosure of PHI — or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services where the provision of those services involves PHI. The key phrase is "on behalf of." If a vendor handles PHI solely for its own purposes, it may not qualify as a BA — though this is a narrow exception.
The 2013 Omnibus Rule expanded the definition significantly. Subcontractors of business associates that create, receive, maintain, or transmit PHI on behalf of the BA are now themselves BAs — directly subject to HIPAA and required to have their own BAAs with the BA that hired them.
Common Business Associate Examples
EHR and Practice Management Vendors
Electronic health record (EHR) platforms — such as Epic, Cerner, Athenahealth, SimplePractice, and TherapyNotes — store and process PHI on behalf of covered entity practices. They are paradigmatic business associates and are required to provide a signed BAA to every covered entity customer. Most reputable EHR vendors have a standard BAA process.
Medical Billing and Revenue Cycle Companies
Billing companies submit claims to payers on behalf of practices, which requires access to diagnosis codes, procedure codes, and patient identifiers — all PHI. Every billing company handling claims for a covered entity is a business associate.
Cloud Storage and IT Infrastructure Providers
Cloud storage vendors (AWS, Microsoft Azure, Google Cloud) and managed IT providers who store or have access to ePHI are business associates. Major cloud providers offer Business Associate Agreements — ensure you have signed one before storing any PHI in their environment.
Transcription and Documentation Services
Medical transcription companies that convert voice recordings of clinical encounters to text handle PHI directly. AI-assisted transcription tools (ambient documentation platforms, voice-to-text services) are BAs and require BAAs.
Legal and Accounting Firms
An attorney or accounting firm is a business associate if its work requires reviewing or analyzing PHI. A healthcare attorney reviewing patient records for litigation support is a BA. An accountant auditing a hospital's financials who accesses patient billing records is a BA. General corporate counsel who never touches PHI is not.
Health Information Exchanges and Data Aggregators
Health information exchanges (HIEs), analytics platforms, and population health vendors that aggregate or analyze PHI on behalf of covered entities are business associates, as are researchers who receive PHI under data use agreements from covered entities.
Answering Services and Patient Communication Platforms
An after-hours answering service that takes patient messages — which may include PHI — is a business associate. Patient communication platforms that send appointment reminders, test results, or portal messages are BAs if they access PHI to do so.
What Is NOT a Business Associate
Not every third party that interacts with a healthcare organization is a BA. Key exceptions: (1) healthcare providers disclosing PHI to other providers for treatment purposes — this is a permitted disclosure, not a BA relationship; (2) a covered entity's own employees — workforce members are not BAs; (3) a conduit exception for entities like postal services and internet service providers that transmit but do not store PHI; (4) financial institutions processing payment card transactions when limited to that function.
Subcontractor Business Associates
One of HITECH's most significant expansions is the subcontractor rule. If your EHR vendor uses a cloud hosting provider to store your patient data, that cloud provider is a BA of your EHR vendor — and the EHR vendor must have a BAA with its cloud provider. The compliance obligation flows down through every layer of subcontracting. As a covered entity, you may wish to ask your primary BAs what BAAs they have in place with their own subcontractors, and whether those subcontractors have access to your specific PHI.
Business Associate Obligations Under HITECH
Before HITECH, business associates had HIPAA obligations only through the contractual terms of their BAAs — they were not directly regulated by HHS. HITECH changed this fundamentally. Since the 2013 Omnibus Rule took effect, business associates are directly subject to:
- The full HIPAA Security Rule — all administrative, physical, and technical safeguards for ePHI
- The Breach Notification Rule — BAs must notify covered entities of breaches within 60 days of discovery
- Privacy Rule provisions prohibiting sale of PHI and limiting uses for marketing
- Civil monetary penalties — OCR can fine BAs directly without involving the covered entity
- Criminal prosecution through DOJ referral for intentional misuse
This means business associates cannot rely solely on contractual compliance — they must implement their own HIPAA compliance programs, including risk assessments, security policies, workforce training, and incident response procedures.
What the BAA Must Contain
The required provisions of a Business Associate Agreement are specified at 45 CFR § 164.504(e). A compliant BAA must include:
- A description of the permitted and required uses and disclosures of PHI by the BA
- A prohibition on the BA using or disclosing PHI for purposes not permitted by the agreement or required by law
- A requirement for the BA to use appropriate safeguards to prevent unauthorized use or disclosure
- A requirement for the BA to report to the covered entity any security incident it becomes aware of, including breaches
- A requirement for the BA to ensure any subcontractors agree to the same restrictions
- A requirement for the BA to make PHI available to the covered entity so it can respond to patient requests for access, amendment, and an accounting of disclosures
- A requirement to return or destroy PHI at termination of the agreement
- Authorization for the covered entity to terminate the agreement if the BA violates a material term
You can generate a BAA that meets all these requirements at BAAGenerator.com. Also see our guide to BAA vs. NPP to understand how these two HIPAA documents relate.
Frequently Asked Questions
What is a HIPAA business associate?
A HIPAA business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity, as defined at 45 CFR § 160.103. Since HITECH, subcontractors that handle PHI on behalf of a BA are themselves BAs. Common examples include EHR vendors, billing companies, cloud storage providers, and IT support firms.
Do business associates have to sign a BAA?
Yes — a covered entity must obtain a signed BAA from every business associate before sharing PHI, as required by 45 CFR § 164.504(e). Similarly, a BA must obtain a BAA from each of its subcontractors who handle PHI. Without a BAA, the PHI disclosure is a HIPAA violation subject to civil monetary penalties.
Are subcontractors business associates?
Yes. Under the 2013 Omnibus Rule, any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate — directly subject to HIPAA and required to have a BAA with the BA that hired it. This chain of accountability flows down through every level of subcontracting.
What are a business associate's HIPAA obligations?
Under HITECH, BAs are directly subject to the Security Rule (full administrative, physical, and technical safeguards), the Breach Notification Rule (60-day reporting to covered entities), and Privacy Rule prohibitions on selling PHI or using it for unauthorized marketing. BAs must conduct their own risk assessments and maintain their own HIPAA compliance programs.
What happens if a business associate violates HIPAA?
OCR can investigate and impose civil monetary penalties directly on business associates — ranging from $137 per violation for unknowing violations up to $68,928 per violation for willful neglect that is not corrected. Criminal referrals to DOJ are possible for intentional misuse. The BA also faces contractual liability under the BAA. See our HIPAA penalties guide for current penalty tiers.