
Business Associates and HIPAA Compliance

Pursuant to HIPAA, business associates of health care organizations have until September 23, 2013 to become HIPAA-compliant. This alert sets forth the factors often used to determine whether a company will be considered a business associate (BA) for HIPAA purposes and, if so, what its obligations are under HIPAA.

Defining "Business Associate"

A HIPAA BA is a person or organization that, on behalf of a health care organization (a covered entity), performs functions, services, or activities that involve access to patients’ protected health information (PHI). In addition, if a BA delegates a function, service, or activity to a subcontractor and that delegation involves disclosing PHI to the subcontractor, then the subcontractor is also a BA. An organization is a BA if it meets the definition of a BA, regardless of whether it knows it or whether it has a BA agreement in place.

The following business types are often deemed BAs when they perform services for a covered entity, such as a hospital, physician’s office, or health care plan:

  • CPA firms and auditors
  • Consultants, including those used for quality assurance, utilization review, data analysis, and accrediting
  • Management companies
  • Third party administrators
  • Pharmacy benefit managers
  • Medical transcriptionists
  • Claims processors, coders, or billing providers
  • Copy services
  • Translators
  • Answering services
  • Waste disposal, recycling and shredding vendors
  • Data processing firms
  • Software and hardware providers who may access patient information for installation, maintenance, and support services
  • Health information organizations and e-prescribing gateways
  • Data storage companies, including cloud storage vendors
  • Document storage facilities
  • Law firms

The following are not typically deemed BAs:

  • The U.S. Postal Service, UPS, and other courier services, as well as Internet service providers that merely transmit PHI
  • Telecommunications companies that only have occasional random access to PHI
  • Banking and financial institutions that only undertake payment processing functions
  • External researchers who do not create PHI
  • Janitorial companies

The Obligations of a Business Associate

The 2013 HIPAA Omnibus Final Rule makes BAs directly liable for compliance with the HIPAA Security Rule. Failure to comply may result in civil and criminal penalties. Among other requirements, by the compliance date of September 23, 2013, BAs must:

  • Appoint a security officer who will be responsible for the organization’s compliance with the HIPAA rules
  • Perform a HIPAA risk assessment to identify current risks and areas that need improved protection
  • Develop and implement HIPAA administrative, technical, and physical safeguard policies and procedures
  • Provide HIPAA privacy and security training to all employees
  • Require that all BA subcontractors comply with the same HIPAA rules

While the existence of a business associate relationship does not depend on a formal agreement, should you be asked to sign one, there are several important aspects to any such agreement. You should consult an attorney experienced in this field to assist you.

Carlton Fields will continue monitoring developments related to HIPAA. Please do not hesitate to contact us for more information regarding HIPAA compliance and enforcement.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.