Business Associate

Define Your Relationship- Vendor or Business Associate?

Healthcare organizations have many relationships to manage, including patients, providers, payers, and vendors.  On top of this, some relationships require a Business Associate Agreement (BAA) to comply with HIPAA. In order to determine if such an agreement is necessary, it is crucial to look at each relationship individually in order to provide proper treatment and to act appropriately. The following definitions and examples will simplify the decision making process.

How is a vendor defined and why is this important? All vendors must be screened against the OIG’s List of Excluded Individuals and Entities (LEIE) database in order to determine if the business relationship is legal or whether it must be terminated immediately based on their exclusion from participation in Medicare, Medicaid, and other Federal health care programs.

Your organization may have business relationships with patients, providers, payers and vendors as defined below:

  • Patients refer to individuals who receive medical care from healthcare providers.
  • Providers refer to health care providers that provide services to patients billed to payers.
  • Payers refer to insurance providers that pay providers for patient care.
  • Vendors refer to any entity that provides services and/or products in exchange for a fee, which includes contractors and suppliers.

Obviously, providers and payers are not vendors. However, many organizations find it challenging to determine which vendor relationships require a BAA.

What is a “Business Associate?” A “Business Associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The HIPAA Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a Business Associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.  

Business Associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business Associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. The definition of a Business Associate is provided in 45 CFR § 160.103 and other helpful information can be found at

Examples of Business Associates:

  • A third party administrator that assists a health plan with claims processing. 
  • A CPA firm whose accounting services to a health care provider involve access to protected health information. 
  • An attorney whose legal services to a health plan involve access to protected health information. 
  • A consultant that performs utilization reviews for a hospital. 
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer. 
  • An independent medical transcriptionist that provides transcription services to a physician. 
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.


Making the determination of which entities are Business Associates is not always straightforward and can be confusing. Below are a few good questions we’ve heard repeatedly.

What about the phone company or the internet provider? They could access my patient information, so we need a BAA with them, right?

BAAs are not necessary with certain organizations considered to be mere conduits. Examples are the U.S. Postal Service, some private couriers, telephone companies, and Internet Service Providers. This is because a conduit transports the information, but does not access it.  No disclosure is intended by the covered entity (healthcare provider) and there is low likelihood of disclosure of PHI in these situations.

What about the landlord or the cleaning service? They have access to the office where we keep PHI.

It is unnecessary to have a BAA with the cleaning service because they are not contracted to perform services involving use or disclosure of PHI.  However, you need to have reasonable safeguards in place to protect PHI.  Ideally, you should store paper PHI in a locked cabinet.

Do I need to have a BAA with my accountant? She’s been working with us for years, but isn’t an employee.

It is common to overlook a business associate who has been working with your organization for a long period of time.  However, if an independent contractor is providing services such as accounting or anything that involves PHI, then you must have a BAA in place.

Managing all of the relationships within a healthcare organization can be a daunting task.  If you have additional questions about your obligations related to vendors or business associates please schedule a complimentary demo with our team!