What is a Business Associate? | Definition for HIPAA

3. What is a Business Associate (BA) for Purposes of HIPAA?

Answer: The definition of a “business associate” has fundamentally changed with the Final Omnibus Ruling of January, 2013, which effectively expands and increases the scope and accountability of such organizations. Initially, a business associate was defined as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity”. With the Final Omnibus Ruling, it’s been significantly enhanced to include the following provisions:

“…a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity”. Additionally, the following three (3) different types of service providers are now specifically identified as business associates under the final rule:

  1. Health information organizations, e-prescribing gateways, and other people or entities that provide data transmission services to a covered entity with respect to protected health information and that require access on a routine basis to such protected health information
  2. People or entities that offer personal health records to one or more individuals on behalf of a covered entity
  3. Subcontractors that create, receive, maintain or transmit protected health information on behalf of business associates

In summary, there’s now a clear “downstream effect” in place - specifically, rights, duties, and obligations for which a business associate is responsible for are now also the responsibility of subcontractors and other related parties. Ultimately, business associates will need to enter into “business associate contracts” with such downstream providers - and in turn - these downstream providers will need to enter into contractual relationships with their providers, etc.


According to www.hhs.gov, the following are examples of business associates:

  • A third party administrator that assists a health plan with claims processing.
  • An accounting firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.

Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA) consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA specific disaster recovery manual, and so much more. Learn about our industry leading HIPAA compliance toolkits today.

If your organization is in need of a HIPAA audit, and or SSAE 16 SOC 1, and SOC 2 assessments that include testing of HIPAA provisions & mandates, please contact Charles Denyer at This email address is being protected from spambots. You need JavaScript enabled to view it., or at 1-800-277-5415, ext. 705 with the NDB Alliance of Firms. Learn more about NDB by visiting ndbcpa.com today.