A person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve access to protected health information.
A business associate (BA) is any person or organization, other than a member of a covered entity's workforce, that performs functions or activities involving the use or disclosure of protected health information (PHI) on behalf of the covered entity. Common examples include IT service providers who manage electronic health records, billing companies that process claims, cloud hosting providers storing electronic PHI (ePHI), consultants who perform utilization review, attorneys providing legal services that require access to PHI, and document shredding companies that destroy records containing PHI.
Since the HITECH Act amendments finalized in 2013, business associates are directly liable for compliance with many HIPAA provisions. This was a significant change from the original HIPAA framework, which only held covered entities directly responsible. Business associates must now comply with the Security Rule, certain provisions of the Privacy Rule, and the Breach Notification Rule. They can be investigated, audited, and penalized by the Office for Civil Rights (OCR) independently of their covered entity partners. Subcontractors of business associates are also considered business associates and must sign their own business associate agreements.
Business associates must implement appropriate administrative, physical, and technical safeguards to protect ePHI. They must sign a Business Associate Agreement (BAA) with each covered entity they serve, report breaches of unsecured PHI to the covered entity, ensure their own subcontractors sign BAAs, and return or destroy PHI upon contract termination. Many business associates also pursue voluntary certifications like SOC 2 or HITRUST to demonstrate their security posture to healthcare clients. Failure to meet these obligations can result in civil monetary penalties, criminal prosecution, and exclusion from government healthcare programs.