What is a HIPAA Business Associate?

For the purposes of the HIPAA Security Rule, a HIPAA Business Associate is a person or entity that provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of protected health information (PHI). A HIPAA Business Associate is not a member of the workforce of the health care provider, health plan, or other covered entity. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.

Examples of HIPAA business associates include:

  • A third party administrator that assists a health plan with claims processing
  • A CPA firm whose accounting services to a health care provider involve access to PHI
  • An IT service provider who may view unencrypted protected health information
  • An attorney whose legal services to a health plan involve access to protected health information
  • A consultant that performs utilization reviews for a hospital
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer
  • An independent medical transcriptionist that provides transcription services to a physician
  • A pharmacy benefits manager that manages a health plan’s pharmacist network

