No, business associates are not covered entities under the Health Insurance Portability and Accountability Act. They are a separate legal category with their own duties. But since the 2013 Omnibus Final Rule, business associates face direct liability for many of the same rules that bind covered entities.
The problem is simple to describe and hard to live through. A hospital, a health plan, or a clearinghouse hires a vendor to help with its work. That vendor touches protected health information (PHI). If the two sides mislabel the relationship, skip the written contract, or ignore the HIPAA Security Rule, both sides can face fines, lawsuits, and reputation damage.
The rulebook is clear about who is who. The definitions at 45 CFR 160.103 split the world into covered entities and business associates. The HITECH Act of 2009 made business associates directly accountable to federal regulators. According to the HHS Office for Civil Rights, more than 133 million individuals were affected by large healthcare breaches reported in 2023, and business associates were involved in many of the worst incidents.
Here is what you will learn in this guide:
- The exact legal line between a covered entity and a business associate
- How to spot a business associate relationship in your own vendor list
- The direct penalties business associates face after HITECH and Omnibus
- What a valid Business Associate Agreement (BAA) must contain
- Real OCR enforcement cases and the lessons each one teaches
The Two Legal Categories Under HIPAA
HIPAA sorts regulated parties into two main buckets. The first bucket holds covered entities. The second bucket holds business associates. Each bucket has its own duties, its own penalties, and its own place in the law.
A covered entity is defined in 45 CFR 160.103 as one of three things. It is a health plan, a healthcare clearinghouse, or a healthcare provider that sends certain transactions in electronic form. Think of a hospital, a dentist who bills insurance, a Medicare Advantage plan, or a billing clearinghouse that reformats claims.
A business associate is a person or company that performs work for or on behalf of a covered entity and touches PHI to do it. The HHS business associate guidance gives the full list of example functions. These include claims processing, data analysis, utilization review, billing, legal services, accounting, and cloud storage of PHI.
The two groups are not the same. A covered entity delivers or pays for care. A business associate supports that work from the outside. Mixing them up is a common and costly mistake.
Why the Distinction Matters
The category controls the duties. Covered entities must follow the full HIPAA Privacy Rule, including patient rights such as the right to access records. Business associates are directly liable for certain Privacy Rule provisions, such as impermissible uses and disclosures and the minimum necessary standard, and beyond that follow the Privacy Rule to the extent their BAA requires.
The consequence of guessing wrong is steep. A covered entity that treats a true business associate as a random vendor and skips the BAA can face civil penalties capped at $2,134,831 per violation category per calendar year under the inflation-adjusted schedule at 45 CFR 102.3 (the figure set by the 2024 inflation adjustment). A business associate that ignores the HIPAA Security Rule faces the same penalty schedule directly from OCR.
A common misconception is that only doctors and hospitals get fined. That is wrong. OCR has settled with cloud software vendors, billing and IT contractors, and other business associates for their own failures, not their clients' failures.
The Hybrid and Affiliated Entity Wrinkles
Some organizations do both covered and non-covered work. A university with a student health clinic is a classic example. The hybrid entity rule at 45 CFR 164.105 lets the university wall off its healthcare components and apply HIPAA only to those parts.
Affiliated covered entities are different. Two or more legally separate covered entities under common ownership can designate themselves as a single covered entity for HIPAA purposes. This matters when a large hospital system shares services across subsidiaries.
The misconception here is that picking “hybrid” status is a shortcut to avoid HIPAA. It is not. The designated healthcare component still owes every HIPAA duty, and the non-healthcare side still must not improperly share PHI back.
When a Vendor Becomes a Business Associate
Not every vendor to a hospital is a business associate. The test is whether the vendor creates, receives, maintains, or transmits PHI on behalf of the covered entity. The HHS guidance on business associates walks through this in plain language.
A janitor who empties trash in a clinic is usually not a business associate. The janitor does not use PHI to do the job. Any glimpse of a chart on a desk is incidental and does not trigger HIPAA.
A shredding company that hauls away boxes of patient records is a business associate. The company holds PHI to destroy it. That is use on behalf of the covered entity, and a BAA is required.
The “Conduit Exception” Is Narrow
Many IT vendors want to claim the conduit exception. This exception covers pure transmission services like the US Postal Service, UPS, or an internet service provider that only carries packets and does not store them. HHS reads this exception narrowly.
Cloud storage providers such as Amazon Web Services, Microsoft Azure, and Google Cloud are business associates when they store PHI for a covered entity or another business associate. They maintain PHI even if they never look at it, and HHS says this holds even when the provider holds only encrypted data and has no key. The HHS cloud computing guidance made this clear in 2016, and it still controls today.
The consequence of misreading the conduit exception is ugly. A cloud vendor that refuses to sign a BAA puts the hospital in violation. The hospital must either pull the data or find a new vendor.
Subcontractors Are Also Business Associates
A business associate can hire help. That helper is a subcontractor business associate. Under the Omnibus Final Rule, a subcontractor that touches PHI is itself a business associate and has direct HIPAA duties.
The chain can go many layers deep. A hospital hires a billing company. The billing company hires a coding firm. The coding firm uses a cloud database. Every link needs a written contract flowing down the same HIPAA terms.
The common mistake is to assume the top BAA covers everyone below. It does not. Each layer needs its own signed agreement, or the chain is broken.
How the HITECH Act Changed the Game
Before 2009, business associates were bound to HIPAA only through contract. OCR could not fine them directly. The only remedy was the covered entity suing the vendor for breach of contract.
The HITECH Act changed that. It extended direct statutory liability to business associates for many Security Rule provisions and for certain Privacy Rule duties. The 2013 Omnibus Final Rule put that change into the regulations.
The consequence is that OCR can now knock on a business associate’s door. It can audit them, fine them, and name them in a resolution agreement. The hospital does not have to be sued to trigger enforcement.
Direct Liability Provisions
OCR published a fact sheet on direct liability listing the exact duties business associates owe. The list includes failing to provide the Secretary with records, failing to enter BAAs with subcontractors, failing to give breach notice to the covered entity, and failing to comply with the Security Rule.
A business associate example is the 2019 Medical Informatics Engineering settlement. The cloud electronic health record vendor paid $100,000 after a breach affecting roughly 3.5 million individuals, and OCR cited the lack of a comprehensive risk analysis. The 2018 Fresenius Medical Care settlement ($3.5 million after five separate breaches across affiliated covered entities) made the same point on the covered entity side: OCR faulted the absence of an accurate, enterprise-wide risk analysis.
The common misconception is that a small vendor is “too small” to be audited. OCR has settled with solo and small-group practices and with small vendors. Size is not a shield, though financial condition does factor into the penalty amount.
Breach Notification Duties
The Breach Notification Rule at 45 CFR 164.410 gives business associates a hard deadline. A business associate must tell the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery. Discovery means the first day the breach is known, or by exercising reasonable diligence would have been known, to any employee or agent of the business associate other than the person who caused it.
The covered entity then has its own clock under 45 CFR 164.404: individuals must be notified without unreasonable delay and no later than 60 days after the covered entity discovers the breach. If the business associate is acting as the covered entity’s agent, the business associate’s discovery is imputed to the covered entity, so the clock starts at the vendor’s discovery, not at the vendor’s report. Breaches affecting 500 or more individuals must also be reported to the HHS Office for Civil Rights at the same time, and breaches affecting more than 500 residents of a state or jurisdiction must be reported to prominent media outlets serving that area. Smaller breaches are logged and reported to HHS annually.
The consequence of a late breach notice is doubled exposure. The business associate can be fined for the breach itself and fined again for late notice.
Three Real-World Scenarios
Here are three common situations and the results you would see under HIPAA.
| Situation | HIPAA Result |
|---|---|
| A cardiology clinic hires a cloud email provider that stores patient messages | The cloud provider is a business associate and must sign a BAA |
| A hospital contracts with a commercial laundry that only washes unlabeled linens | The laundry is not a business associate because it does not touch PHI |
| A health plan hires a law firm to defend a malpractice claim using patient records | The law firm is a business associate and must follow the Security Rule |
Scenario One: The Billing Vendor
| Action by the Vendor | Compliance Consequence |
|---|---|
| Signs a BAA and runs regular risk analyses | Meets its core duties and limits OCR exposure; a documented program also weighs in its favor when penalties are set |
| Refuses to sign a BAA but still handles claims | The vendor is a business associate by function regardless of contract, so both vendor and clinic face penalties, potentially in the willful neglect tiers |
| Hires a subcontractor without a written BAA | Breaks the chain and creates direct liability at every layer |
Scenario Two: The SaaS Analytics Platform
| Platform Decision | HIPAA Outcome |
|---|---|
| Encrypts data at rest and in transit | Meets the Security Rule’s addressable encryption specifications; if the encryption follows the HHS guidance (NIST-consistent) and the key is not compromised, lost data is “secured PHI” and not a reportable breach |
| Markets “HIPAA compliant” but offers no BAA | A red flag: no marketing claim substitutes for a signed BAA, and a covered entity that relies on it is still out of compliance |
| Uses patient data to train a public AI model | Prohibited without patient authorization or a compliant de-identification method |
Named Examples You Can Picture
These short scenarios put faces on the rules. Each name is fictional, but the legal outcome is real.
Maria runs a small pediatric clinic in Austin, Texas. She hires a virtual receptionist service in another state that takes calls and books appointments. Because the service hears patient names, dates of birth, and reasons for visits, it is a business associate under 45 CFR 160.103. Maria must get a signed BAA before the first call is answered. She must also check Texas HB 300, which adds state-level duties on top of HIPAA.
David owns a medical transcription company in New Jersey. A hospital sends him dictated notes every night. David hires two overseas contractors to speed up the typing. Under the Omnibus Rule, David is a business associate and the overseas contractors are subcontractor business associates. David must sign a BAA with the hospital and separate BAAs with each contractor.
Priya is general counsel at a California health plan. She hires outside counsel to fight a class action. The outside firm will review claim files that contain PHI. The law firm is a business associate. Priya must also think about the California Confidentiality of Medical Information Act, which runs alongside HIPAA and often goes further.
Mistakes to Avoid
Many HIPAA penalties trace back to the same short list of errors. Here are seven that OCR sees again and again.
- Skipping the BAA to save time. OCR has cited missing BAAs in many settlements, and a knowing failure to put one in place can land in the willful neglect tiers, which carry the highest penalties under the Enforcement Rule.
- Relying on a vendor’s marketing claim of “HIPAA certified.” There is no federal HIPAA certification. Any vendor that says so is bluffing, and the covered entity still owes due diligence.
- Neglecting the risk analysis. The Security Rule at 45 CFR 164.308(a)(1)(ii)(A) requires an accurate and thorough risk analysis, reviewed and updated as the environment changes; annual is a common cadence, not a regulatory number. The 2020 CHSPSC settlement of $2.3 million turned on this failure.
- Forgetting about subcontractors. A missing BAA three layers deep still breaks the chain. Every link needs paper.
- Treating cloud storage as a conduit. HHS cloud guidance makes clear that cloud providers are business associates.
- Missing the breach notice deadline. The 60 days in 45 CFR 164.410 are an outer limit, not a target; notice must go out without unreasonable delay, so sitting on a confirmed breach until day 59 without a reason can itself be a violation.
- Using patient data to train AI without authorization. Training a model is a use of PHI, and a business associate may use PHI only as its BAA permits. OCR’s online tracking technologies bulletin (issued in 2022 and updated in 2024) signals that analytics pipelines get the same scrutiny as older tools.
Key Entities You Must Know
HIPAA is a web of agencies, laws, and players. Knowing who does what saves hours of confusion later.
- The Department of Health and Human Services (HHS) writes the rules.
- The Office for Civil Rights (OCR) enforces them through audits, settlements, and fines.
- The Department of Justice handles criminal HIPAA cases under 42 USC 1320d-6.
- The Federal Trade Commission enforces the Health Breach Notification Rule for non-HIPAA health apps.
- State attorneys general can sue under HITECH on behalf of state residents.
Covered entities, business associates, and subcontractors fit inside this web. Each has duties up the chain and down the chain.
Covered Entities in Detail
The three types of covered entity are listed in 45 CFR 160.103. Health plans include group health plans, HMOs, Medicare, and Medicaid. Healthcare clearinghouses process non-standard data into standard formats and back again.
Healthcare providers include any person or organization that furnishes, bills, or is paid for healthcare. The trigger is whether the provider sends any of the standard HIPAA transactions electronically. A cash-only therapist who never bills insurance is often not a covered entity at all.
The consequence of this line is that small boutique practices can sit entirely outside HIPAA, while a solo primary care doctor who bills Medicare is fully inside it.
Business Associates in Detail
Business associate functions are listed in the HHS guidance. The list includes claims processing, data analysis, quality assurance, billing, benefits management, and practice management.
Business associate services include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services. The common thread is that PHI is needed to do the work.
A common misconception is that “business associate” means a business partner. It does not. It is a technical HIPAA term with a precise meaning.
Pros and Cons of Being a Business Associate
Being a business associate opens doors to healthcare contracts but comes with real duties. Weigh both sides before saying yes.
- Pro: Access to a large market. U.S. healthcare spending topped $4.9 trillion in 2023 per CMS National Health Expenditure data.
- Pro: Higher trust with clients. A signed BAA signals maturity and security discipline.
- Pro: Clear legal framework. Unlike many privacy laws, HIPAA gives a defined playbook.
- Pro: Competitive moat. Many small vendors cannot meet HIPAA, so compliance narrows the field.
- Pro: Alignment with other frameworks. HIPAA controls map cleanly to NIST 800-66 and HITRUST.
- Con: Direct OCR liability. You can be fined without the covered entity suing you first.
- Con: Breach notice duty on a 60-day clock. Missed notices are separate violations.
- Con: Subcontractor paperwork. Every downstream vendor needs a BAA.
- Con: Insurance costs. Cyber insurance for HIPAA-regulated vendors runs higher.
- Con: Audit exposure. OCR audits can demand years of records on short notice.
Do’s and Don’ts for Business Associates
These quick rules keep most vendors out of trouble. Each has a “why” behind it.
- Do sign a BAA before any PHI moves, because the first disclosure without a BAA is already an impermissible disclosure.
- Do conduct and maintain a risk analysis under 45 CFR 164.308, because it is typically the first document OCR requests after a breach report or complaint.
- Do encrypt PHI at rest and in transit, because encryption that follows the HHS guidance turns lost data into secured PHI that falls outside the breach notification rules, as long as the key is not compromised.
- Do train every employee yearly, because workforce error drives most breaches.
- Do keep BAA copies for six years, because the Privacy Rule retention period is six years.
- Don’t use PHI for marketing without authorization, because unauthorized marketing is a separate violation category.
- Don’t store PHI on personal or unencrypted devices, because lost and stolen laptops and drives are a recurring theme in OCR settlements.
- Don’t sign a BAA you have not read, because many BAAs try to shift all liability downstream.
- Don’t ignore a subpoena for PHI, because the Privacy Rule has specific rules for legal demands.
- Don’t assume state law is preempted, because stricter state laws like California’s CMIA stand alongside HIPAA.
Anatomy of a Valid Business Associate Agreement
The sample BAA language at HHS is the safest starting point. A valid BAA must contain several required clauses, and each clause has a purpose.
The agreement must describe the permitted and required uses and disclosures of PHI. It must ban any further use or disclosure beyond those limits or beyond what the law would allow the covered entity itself. It must require safeguards that meet the Security Rule for electronic PHI.
The BAA must require the business associate to report any use or disclosure not permitted by the contract, including breaches of unsecured PHI, to the covered entity. It must require the business associate to bind its own subcontractors to the same restrictions. It must require the business associate to make PHI available for patient access, amendment, and accounting of disclosures, and to make its records available to the HHS Secretary. It must allow the covered entity to terminate the contract for a material violation. And it must require return or destruction of PHI at the end of the contract, or extended protections where return or destruction is infeasible.
Why Each Clause Exists
The use limitation clause prevents mission creep. Without it, a billing vendor could start using the PHI for its own purposes, such as de-identifying it for resale; de-identification by a business associate is allowed only if the BAA permits it.
The safeguard clause pulls the Security Rule into the contract so the covered entity has a contract remedy on top of OCR enforcement. The breach clause makes sure the covered entity learns of an incident in time to meet its own 60-day patient-notice deadline.
The consequence of missing a required clause is that the contract does not satisfy 45 CFR 164.504(e), and the covered entity is out of compliance with the BAA requirement as if it had no BAA at all. The business associate’s direct liability does not depend on the contract: a vendor is a business associate by function, and its Security Rule duties apply whether or not the paperwork is right.
Penalty Tiers and Recent Enforcement
OCR’s penalty structure lives at 45 CFR 160.404. The four tiers scale with the violator’s level of fault.
Tier 1 covers a violator who did not know and could not have known. Tier 2 covers reasonable cause. Tier 3 covers willful neglect that is corrected in 30 days. Tier 4 covers willful neglect that is not corrected.
Annual caps per violation category reach $2,134,831 after the 2024 inflation adjustment, and each tier also has a per-violation minimum. Under OCR’s 2019 Notice of Enforcement Discretion, OCR applies lower annual caps to the first three tiers (in the tens and hundreds of thousands of dollars) and reserves the full cap for uncorrected willful neglect. Criminal fines and prison time can apply under 42 USC 1320d-6.
Recent OCR Resolution Agreements
The 2024 Change Healthcare ransomware attack, at a business associate serving a large share of U.S. providers and payers, exposed PHI of well over 100 million individuals, the largest healthcare breach ever reported to OCR, and OCR opened a compliance investigation that put business associate enforcement front and center. Among settled cases, the 2020 CHSPSC settlement of $2.3 million punished a business associate for failing to run a risk analysis, and the 2020 Aetna settlement of $1 million showed that even sophisticated payers slip up on mailings and websites.
These cases share common threads. Risk analysis was missing or stale. Access controls were weak. Breach notices were late. Each of those failures is fixable with basic hygiene.
State Law Layers on Top
HIPAA sets a floor, not a ceiling. State laws can be stricter, and they often are.
California’s CMIA gives patients a private right of action that HIPAA does not offer. Texas HB 300 adds broader training requirements and a wider definition of covered entity. New York’s SHIELD Act adds breach notification and reasonable security duties that reach any business holding New York residents’ private information, though an entity that complies with the HIPAA Security Rule is deemed to meet its safeguard requirement.
The consequence of ignoring state law is double exposure. A vendor can settle with OCR and still be sued by a state attorney general or by patients under state statutes.
FAQs
Are business associates considered covered entities under HIPAA?
No, business associates are a separate legal category under 45 CFR 160.103. They have direct duties but are not covered entities themselves.
Can a business associate be fined directly by OCR?
Yes, since the HITECH Act and the 2013 Omnibus Rule, OCR can fine a business associate directly for Security Rule and certain Privacy Rule violations.
Is a cloud storage provider a business associate?
Yes, the HHS cloud guidance treats any cloud service that stores PHI as a business associate, even if the provider never views the data.
Does a janitorial service need a BAA?
No, routine cleaning staff do not use PHI to do their job. Any exposure to PHI is incidental, so they fall outside the business associate definition. The covered entity still owes reasonable safeguards, such as not leaving charts out.
Must a business associate sign a BAA with each subcontractor?
Yes, the Omnibus Rule requires each layer of the chain to have its own written BAA, or the entire chain is out of compliance.
Can a covered entity also be a business associate?
Yes, a hospital that performs billing services for an unrelated clinic acts as a business associate in that relationship, even though it is a covered entity in its own practice.
Is there a HIPAA certification for business associates?
No, HHS does not endorse any certification. Any vendor claiming “HIPAA certified” status is using marketing language, not a federal credential.
Do business associates owe patients the right to access records?
No, the right of access runs against the covered entity. But a business associate must provide PHI to the covered entity or the patient to satisfy access requests to the extent its BAA requires, and OCR’s direct liability fact sheet lists that failure as one it can enforce against the business associate directly.
Are law firms business associates when handling healthcare cases?
Yes, when a law firm receives PHI to represent a covered entity, the firm is a business associate and must sign a BAA before seeing the records.
Does HIPAA preempt stricter state laws?
No, HIPAA sets a floor. Stricter state laws like California’s CMIA and Texas HB 300 stand alongside federal rules.
Can a business associate be criminally prosecuted?
Yes. Under 42 USC 1320d-6, knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA can lead to fines and imprisonment, up to ten years where the offense is committed with intent to sell the information or to use it for commercial advantage or malicious harm. Individuals working at business associates are within reach of the statute.
Does a business associate have to report breaches to HHS directly?
No, the business associate reports to the covered entity within 60 days, and the covered entity then reports to HHS under 45 CFR 164.408.