Business Associate
A person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Primary sources
- 2
- Workspace handoff
- compliance binder →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
45 CFR 160.103 defines a business associate as any third party doing work for a covered entity that involves PHI: billing companies, transcription services, IT vendors hosting ePHI, attorneys, accountants with chart access, cloud storage, EHR vendors. Since the 2013 Omnibus Rule, business associates are directly liable under HIPAA.
How it shows up in your practice
You need a BAA before sending PHI to a business associate. The vendor is independently obligated to follow Security Rule safeguards, report breaches, and police its own subcontractors.
Sources
- 45 CFR 160.103 — Definitionshttps://www.ecfr.gov/current/title-45/section-160.103
- HHS — Business Associateshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
List every business associate in the Compliance Binder vendor register
Open compliance binder →Related terms
- HIPAA & PrivacyBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- HIPAA & PrivacyCovered EntityA health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a HIPAA transaction.
- HIPAA & PrivacySubcontractor Business AssociateA business associate that creates, receives, maintains, or transmits PHI on behalf of another business associate.
- HIPAA & PrivacyHIPAA Omnibus RuleThe 2013 final rule that implemented the HITECH Act amendments to HIPAA, making business associates directly liable and tightening the breach notification standard.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- GlossarySubcontractor Business AssociateA business associate that creates, receives, maintains, or transmits PHI on behalf of another business associate.
- GlossaryCovered EntityA health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a HIPAA transaction.
- GlossaryHIPAA Omnibus RuleThe 2013 final rule that implemented the HITECH Act amendments to HIPAA, making business associates directly liable and tightening the breach notification standard.
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.