What is a HIPAA Business Associate or Vendor?

Modified on Tue, 2 Jul at 2:43 PM

A HIPAA business associate (sometimes referred to as a “HIPAA vendor”) is: 


“[A] person or entity, other than a member of the workforce of a covered entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”

Specifically, if a vendor is performing a function, activity, or service on or behalf of a covered entity, and that function, activity, or service involves the vendor’s creation, transmission, receipt, or maintenance of PHI, the vendor is a HIPAA business associate.


Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. 


Examples of Business Associates include (but are not limited to):

  1. Managed Service Providers (MSPs) - because of the access these/IT providers will have to a covered entity's electronic protected health information.

  2. A third party administrator that assists a health plan with claims processing. 

  3. A CPA firm whose accounting services to a health care provider involve access to protected health information. 

  4. An attorney whose legal services to a health plan involve access to protected health information. 

  5. A consultant that performs utilization reviews for a hospital. 

  6. A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer. 

  7. An independent medical transcriptionist that provides transcription services to a physician. 

  8. A pharmacy benefits manager that manages a health plan’s pharmacist network. 


If a business associate is performing these functions, activities, or services on behalf of another business associate (who, in turn, is performing these functions, activities, or services on behalf of a covered entity), the business associate performing the functions on behalf of the other business associate, is referred to as a business associate subcontractor. Both business associates and business associate subcontractors must comply with HIPAA.





Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article