Are you a Business Associate?
Key Questions to Determine if You're a Business Associate
Will you create, maintain, receive, or transmit PHI on behalf of a covered entity?
Covered Entity (CE): Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
Examples: Claims processing, quality assurance, billing, transcriptionist, cloud services provider, accounting services, legal counsel
Note: The U.S.P.S. and similar services are conduits and do not access or store PHI.
Will you provide services to a CE that require them to disclose PHI to you?
Examples: Data aggregation, accreditation, financial services
Will you routinely have access to PHI?
This includes any regular access to protected health information as part of your services.
Is there a possibility that PHI in your control could be compromised?
Examples: Document shredding companies, data storage vendors
Examples of Business Associates
Healthcare Services
- Shredding/Mobile Shredding Services
- Medical Billing
- Medical Coding
- Telehealth
- Telemental Health
Technology Services
- Hosting Services
- Mobile Apps
- Software as a Service (SaaS)
- EHR
- EMR
- Practice Management Software
Communication Services
- Answering Services
- Texting Services
- Messaging Services
- Marketing Companies
Financial & Administrative
- Clearinghouses
- Print and Mailing Services
- Transportation Services
- Managed Service Providers (MSPs)
Professional Services
- Website Development
- Consultants
Additional Considerations
Do you need to enter into a (Subcontractor) BAA with a third party?
If you are a Business Associate and you engage subcontractors who will have access to PHI, you must enter into Business Associate Agreements (BAAs) with those subcontractors as well.
Official Resources
For more detailed information about Business Associates, refer to the official HHS guidance:
HHS Business Associates Guidance (PDF)