HIPAA for the Clinician, Part 3: Business Associate Agreements – What They Must Contain and Why Most Don’t

Will Evertsen

Introduction

Your billing company has handled your claims processing for six years. You trust them. They know your payers, your codes, your quirks. When you signed up with them, someone on their team sent over a standard agreement, and your office manager signed it without reading it closely because the relationship was already working and the paperwork felt like a formality.

That agreement is almost certainly your Business Associate Agreement. And there is a reasonable chance it does not contain everything HIPAA requires.

This is not a fringe problem. BAA deficiencies are consistently among the compliance gaps OCR surfaces during investigations and audits, and they tend to surface at the worst possible moment: after a breach, when the question of who is responsible for what becomes very expensive to answer. The BAA you have on file is either an asset or a liability. Knowing which requires understanding what the regulation demands.

What Makes Someone a Business Associate

Before the agreement, there is the classification. A business associate is any person or entity that, on behalf of a covered entity, creates, receives, maintains, or transmits protected health information to perform a function or activity for that covered entity. The definition lives at 45 CFR 160.103, and it is broad by design.

Your billing company is a business associate. So is your EHR vendor, your answering service, your transcription service, your cloud backup provider, your e-prescribing platform, your medical waste disposal company if it handles paper records, your IT contractor if they access systems that contain ePHI, and your attorney if you’ve shared patient information in the course of legal representation. The test is not whether they are in the healthcare industry. The test is whether they touch PHI on your behalf.

Covered entities frequently undercount their business associates. A practice that has a signed BAA with its EHR vendor and billing company but not with its cloud storage provider, scheduling software, or IT support firm has a compliance gap regardless of how well the existing agreements are drafted.

What the BAA Must Contain

The required content of a Business Associate Agreement is specified at 45 CFR 164.504(e)(2). This is not a flexible standard. The regulation enumerates what the agreement must establish, and an agreement that omits required provisions is deficient regardless of how professional it looks.

The BAA must establish the permitted and required uses and disclosures of PHI by the business associate. This means the agreement must specify what the vendor is allowed to do with your patients’ information, not just broadly authorize them to handle it. A BAA that says the vendor “may use PHI as necessary to perform services” without further specificity is weaker than it needs to be and may not satisfy the requirement.

The agreement must require the business associate to not use or disclose PHI other than as permitted by the agreement or required by law. It must require the business associate to use appropriate safeguards and, for ePHI specifically, to comply with the applicable requirements of the Security Rule at 45 CFR Part 164, Subpart C. That Security Rule compliance obligation on the business associate is explicit in the regulation and was reinforced by the HITECH Act. Your vendor is not just contractually obligated to protect your patients’ data. They are directly regulated by HIPAA.

The BAA must require the business associate to report any use or disclosure of PHI not provided for by the agreement, including breaches of unsecured PHI under the Breach Notification Rule. It must require the business associate to ensure that any subcontractors who access PHI agree to the same restrictions and conditions. It must provide that at termination of the contract, the business associate will return or destroy all PHI received from the covered entity, if feasible. And it must authorize the covered entity to terminate the contract if the business associate has violated a material term.

If your current BAA with a key vendor is missing any of those provisions, it is deficient. Deficient BAAs do not insulate you from liability. In some enforcement contexts they have been treated as evidence of insufficient vendor oversight.

The Subcontractor Problem

The requirement that business associates flow down their obligations to subcontractors is one of the most consistently overlooked provisions in BAA management. Your billing company may have a perfectly drafted agreement with you. But if your billing company uses a clearinghouse, a coding service, or a cloud platform to do its work, and if those subcontractors are not themselves bound by HIPAA-compliant agreements, the chain of protection for your patients’ data has a gap.

You cannot audit every subcontractor relationship your vendors maintain. But you can and should require your key business associates to confirm that their subcontractor agreements meet HIPAA standards, and you should document that confirmation. When OCR investigates a breach that traces back through a vendor chain, the question of whether the covered entity exercised appropriate oversight over its business associates is squarely on the table.

The Change Healthcare incident is the largest recent illustration of this dynamic. When a business associate used by an enormous swath of covered entities was compromised, the breach notification obligations and OCR scrutiny flowed upstream to those covered entities. The contract provisions governing what would happen in exactly that scenario were suddenly very important documents. Practices without comprehensive BAAs discovered that gap under the worst possible circumstances.

What “Appropriate Safeguards” Means

The BAA provision requiring appropriate safeguards is not self-executing. Requiring the vendor to implement safeguards in a contract does not mean the safeguards exist. A covered entity’s responsibility for vendor oversight extends beyond getting a signature on the right form.

This is where vendor due diligence becomes a compliance function, not just a procurement function. Before engaging a business associate, covered entities should understand what security controls the vendor maintains for PHI, whether the vendor has undergone independent security assessments, how the vendor handles breach detection and notification, and whether their security posture is consistent with the sensitivity of the PHI being shared.

After engagement, that oversight responsibility continues. A BAA signed five years ago with a vendor whose security practices have changed, whose personnel have turned over, or whose technical environment has expanded to include new subprocessors is not a guarantee of ongoing appropriate safeguards. Periodic vendor review is part of a defensible compliance program.

OCR has pursued covered entities for inadequate vendor oversight in cases where the business associate breach was the proximate cause of the patient data exposure. The theory is straightforward: the covered entity had an obligation to ensure its vendors were protecting PHI appropriately, and the evidence of how seriously the covered entity took that obligation lives in the BAA and the vendor management practices surrounding it.

Building a Business Associate Inventory

A defensible BAA program starts with knowing who your business associates are. That requires a written inventory. Not a mental list. Not a folder of miscellaneous vendor contracts. A documented inventory that identifies each business associate, the nature of the PHI they access, the date the BAA was executed, and the date it was last reviewed.

That inventory serves multiple functions. It tells you where your BAA coverage gaps are. It gives you a starting point for periodic vendor review. And in an OCR investigation, it demonstrates that you have treated business associate management as a structured compliance activity rather than an afterthought.

Practices that discover their BAA inventory during an investigation, rather than before one, tend to discover it is incomplete. The billing company has a signed agreement. The EHR vendor has one. The answering service that has been routing calls and taking messages containing patient information for four years does not. That gap did not become a compliance problem the day the investigation started. It became one the day the answering service first received a message with a patient’s name and callback number.
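The inventory described above is easy to keep as a spreadsheet, but it is only useful if someone actually runs the gap checks against it. The following Python sketch is an added example, not code from the original post or from any vendor; it models an inventory record with the fields the article names (who the business associate is, what PHI they access, when the BAA was executed, when it was last reviewed), adds a checklist of the 45 CFR 164.504(e)(2) provisions summarized earlier, and reports the gaps a reviewer would look for: vendors with no BAA on file, agreements missing a required provision, overdue reviews, and missing subcontractor confirmations. The vendor names, dates and provision labels are constructed sample data.

```python
# Added example (not from the original post): a minimal business associate
# inventory checker. All vendor names, dates and provision flags below are
# constructed sample data, not real organizations or agreements.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Short labels (our own) for the provisions 45 CFR 164.504(e)(2) requires a
# BAA to establish, in the order the article lists them.
REQUIRED_PROVISIONS = (
    "permitted_uses_and_disclosures",
    "no_other_use_or_disclosure",
    "appropriate_safeguards_and_security_rule",
    "report_unauthorized_use_and_breaches",
    "subcontractor_flow_down",
    "return_or_destroy_at_termination",
    "termination_for_material_violation",
)


@dataclass
class BusinessAssociate:
    name: str
    phi_accessed: str                         # nature of the PHI the vendor touches
    baa_executed: Optional[date] = None       # None means no signed BAA on file
    last_reviewed: Optional[date] = None      # None means never reviewed after signing
    provisions_present: Set[str] = field(default_factory=set)
    subcontractor_confirmation: bool = False  # vendor confirmed its downstream BAAs in writing


def find_gaps(inventory: List[BusinessAssociate], today: date,
              review_interval_days: int = 365) -> List[Tuple[str, str]]:
    """Return (vendor, finding) pairs describing BAA program gaps as of `today`."""
    findings = []
    for ba in inventory:
        if ba.baa_executed is None:
            findings.append((ba.name, "no BAA on file"))
            continue  # nothing else to check until an agreement exists
        for provision in REQUIRED_PROVISIONS:
            if provision not in ba.provisions_present:
                findings.append((ba.name, f"BAA missing required provision: {provision}"))
        if ba.last_reviewed is None:
            findings.append((ba.name, "BAA never reviewed since execution"))
        elif (today - ba.last_reviewed).days > review_interval_days:
            findings.append((ba.name, f"BAA review overdue (last reviewed {ba.last_reviewed.isoformat()})"))
        if not ba.subcontractor_confirmation:
            findings.append((ba.name, "no documented confirmation of subcontractor agreements"))
    return findings


# Constructed sample inventory: one complete record, one stale and incomplete
# record, and the answering service the article uses as its example gap.
SAMPLE_INVENTORY = [
    BusinessAssociate("Example Billing Co.", "claims data: names, DOB, diagnosis and procedure codes",
                      date(2019, 3, 1), date(2024, 6, 30), set(REQUIRED_PROVISIONS), True),
    BusinessAssociate("Example EHR Vendor", "full clinical record",
                      date(2021, 8, 15), date(2021, 8, 15),
                      set(REQUIRED_PROVISIONS) - {"subcontractor_flow_down"}, False),
    BusinessAssociate("Example Answering Service", "patient names and callback numbers in messages"),
]
AS_OF = date(2025, 1, 15)  # constructed review date

if __name__ == "__main__":
    for vendor, finding in find_gaps(SAMPLE_INVENTORY, AS_OF):
        print(f"{vendor}: {finding}")
```

Run as a script it prints four findings: the EHR vendor's agreement lacks the subcontractor flow-down clause, has not been reviewed since it was signed in 2021 and carries no subcontractor confirmation, and the answering service has no BAA at all; the billing company, with a complete and recently reviewed agreement, produces none. The review interval is a parameter because the regulation sets no fixed cadence; pick one your compliance program can actually keep.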

The BAA is a foundational compliance document. It is not a formality, it is not a liability transfer, and it is not a substitute for knowing what your vendors are doing with your patients’ information. Getting this right is one of the more tractable parts of HIPAA compliance. The requirements are specific, the deficiencies are identifiable, and the corrective action is a documented, supervised process rather than an infrastructure overhaul.

Start with the inventory. Then read the agreements you have. You may find that the most important compliance work on your list this quarter is a stack of contract amendments and a handful of conversations with vendors who thought the paperwork was a formality too.
