When is a Business Associate Agreement NOT Required?

Modified on Tue, 12 Aug at 7:01 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

This article was last updated on August 12, 2025.

Introduction

This article discusses circumstances under which entering into a business associate agreement is not required.

What are the Circumstances Under Which Entering into a Business Associate Agreement is Not Required?

The HIPAA Privacy Rule includes certain exceptions to the business associate standard. In these situations, a covered entity is not required to have a business associate agreement or other written agreement in place before protected health information may be disclosed to the person or entity.
Circumstances under which entering into a business associate agreement is not required include:

1. An entity is not a business associate. Under the HIPAA Privacy Rule, to meet the definition of "business associate," an entity must create, maintain, receive, and/or transmit PHI, in the course of performing specified services for or on behalf of a covered entity. An entity that does not engage in these activities is not a business associate, and as such no business associate agreement is required.

2. Entities acting on their own behalf or on behalf of the patient. The business associate requirements only apply to entities who are performing a function involving PHI on behalf of a covered entity or its business associate.

Entities handling PHI for their own purposes are not business associates. For example, a provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the ‘business associate’ of the other.

Similarly, a bank or financial institution is not a business associate of a covered entity when it “processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums." In these cases, “the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity” and is not a business associate.

In addition, where a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other. Likewise, covered entities that simply provide PHI for another covered entity’s healthcare operations are not business associates of the other entity. 

Finally, an entity performing services on behalf of a patient, not on behalf of a healthcare provider, is not a business associate (e.g., an attorney who requests health information to represent the patient, or a company that collects and interprets data on behalf of a patient) with respect to that provider.

3. Entities who are mere “conduits” for PHI. Entities that transmit PHI for a covered entity are not business associates if they are not required to access the PHI on a routine basis, i.e., they are merely “conduits” of the PHI (e.g., internet service providers, phone companies, etc.).

Whether an entity has access to PHI on a routine basis is a fact-specific determination, based on the nature of the services provided and the extent to which the entity needs access to PHI to perform the service for the covered entity. The "conduit exception" to being a business associate is a narrow one, intended to apply only to those entities providing mere courier services, such as the U.S. Postal Service or UPS, and their electronic equivalents, such as internet service providers (ISPs) who merely provide data transmission services.

4. Members of a covered entity's or contractor's workforce. The definition of "business associate" under HIPAA specifically excludes members of a covered entity's or contractor's workforce. 

The HIPAA regulations define "workforce" as "employees, volunteers, trainees, and other persons whose conduct, in performance of work for a covered entity or a business associate, is under the direct control of such entity or business associate, whether or not they are paid by the covered entity or business associate."

5. Certain Disclosures. Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or health maintenance organization (HMO) that provides the health insurance benefits or coverage for the group health plan, provided that the group health plan's documents have been amended to limit the disclosures or one of the exceptions at 45 CFR 164.504(f) has been met.

6. Certain Collection and Sharing of PHI. The collection and sharing of protected health information (PHI) by a health plan that is a public benefits program, such as Medicare, and an agency other than the agency administering the health plan, such as the Social Security Administration (SSA), that collects protected health information to determine eligibility or enrollment, or determines eligibility or enrollment, for the government program, where the joint activities are authorized by law.

7. Certain Payment Situations. When a health care provider discloses protected health information to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan's network. A provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the "business associate" of the other.

8. Healthcare providers to whom a covered entity provides PHI to treat patients. 
A healthcare provider is not a business associate of other covered entities while rendering treatment to patients. The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures of PHI by a covered entity to a health care provider for treatment purposes.

For example,

  • A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
  • A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
  • A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.
