HIPAA Business Associates - What’s Your Function?

Many organizations that work with health care providers receive requests to sign a Business Associate Agreement (BAA) or inquiries about their compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security, Breach Notification, and Privacy Rules. In many cases these requests are unnecessary and result from the sender either not understanding the HIPAA requirements related to Business Associates or choosing to treat every partner as a Business Associate because they feel it results in less liability than sending BAAs only to partners that fit the HIPAA definition of a Business Associate. This post takes a deep dive into the HIPAA definition of Business Associate to help organizations determine whether HIPAA applies to them.
This post is part of a series that helps organizations understand HIPAA applicability. For other posts in this series see:
- HIPAA Applicability - Understanding the Security, Breach Notification, and Privacy Rules*
- HIPAA Covered Entities - It’s More Than Just PHI
- HIPAA Protected Health Information - When Health Information Isn’t Protected
- HIPAA, HITECH, and HITRUST - It’s HI Time to Make Sense of it All
*This blog has yet to be published and is coming soon.
Various terms throughout this post are linked to further definitions, either within this post or directly to definitions in laws and regulations.
TrustedSec has years of experience helping organizations meet HIPAA security and privacy compliance requirements. Please get in touch with us for any questions on this topic or if your organization needs assistance with its HIPAA Compliance program.
Unnecessary BAA Problems
While some organizations may believe that sending BAAs to all partners reduces liability, this raises a few concerns.
Organizations that send unnecessary BAAs are excluding themselves from working with partners that may be a better fit but are not willing to agree to implement HIPAA requirements that don’t apply to them. Instead, these organizations are setting themselves up for partnerships with organizations that do not understand HIPAA well enough to realize the requirements do not apply (which does not bode well for their ability to implement the requirements).
Meanwhile, organizations that receive and sign unnecessary BAAs are wasting time and money attempting to comply with HIPAA requirements that should not apply to them. They are also exposing themselves to direct liability for their non-compliance if they do not properly implement the HIPAA requirements in accordance with the BAA.
Proposed changes to the HIPAA Security and Privacy regulations also present a greater challenge to the unnecessary use of BAAs: Currently, Covered Entities are required to receive written assurances that their Business Associates implement the HIPAA Security Rule safeguards (accomplished via the BAA). The proposed changes take this a step further by making Covered Entities responsible for verifying that their Business Associates have deployed the technical safeguards required by the HIPAA Security Rule. This will burden these Covered Entities (and their partners) with the time and cost required to analyze and document the safeguards of the organizations with which they have established unnecessary BAAs.
Business Associate Definition
The HIPAA Rules only apply to organizations that are not Covered Entities if they meet the definition of a Business Associate and have a BAA in place with a Covered Entity. The definition of a Business Associate in 45 Code of Federal Regulations (CFR) 160.103 tells us that organizations that fall into either of the following categories are Business Associates:
- Creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity or organized health care arrangement in which a Covered Entity participates for any of the following functions or activities:
  - Claims processing or administration
  - Data analysis, processing, or administration
  - Utilization review
  - Quality assurance
  - Patient safety activities
  - Billing
  - Benefit management
  - Practice management
  - Repricing
- Receives PHI from a Covered Entity or Business Associate in the process of providing any of the following services to or for a Covered Entity or organized health care arrangement in which a Covered Entity participates:
  - Legal
  - Actuarial
  - Accounting
  - Consulting
  - Data aggregation
  - Management
  - Administrative
  - Accreditation
  - Financial services
The definition of a Business Associate goes on to explicitly include the following:
- A Health Information Organization, E-Prescribing Gateway, or other person that provides data transmission services with respect to PHI to a Covered Entity and that requires access to the PHI on a routine basis
- A person (or organization) that offers a personal health record (PHR) to one or more individuals on behalf of a Covered Entity
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate
The following are explicitly excluded from the definition of Business Associate and should not sign BAAs:
- A health care provider, with respect to disclosures by a Covered Entity to the health care provider concerning the treatment of the individual
- A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or Health Maintenance Organization (HMO) with respect to a group health plan), that meets the Privacy Rule requirements for group health plans at 45 CFR 164.504(f)
- A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting PHI for such purposes, to the extent such activities are authorized by law
- A Covered Entity participating in an organized health care arrangement that performs a function or activity as described by the first bullet point of the Business Associate definition for or on behalf of such organized health care arrangement, or that provides a service as described in the second bullet point of the Business Associate definition to or for such organized health care arrangement by virtue of such activities or services.
A Covered Entity may also be a Business Associate if they meet this definition, e.g., if the Covered Entity is handling PHI on behalf of another Covered Entity while participating in or providing any of the listed functions, activities, and/or services.
The following flowchart can help organizations determine whether they are a Business Associate based on this definition:

Common Points of Confusion
Many Covered Entities believe that any organization that provides services to them must be a Business Associate. This is false. To be a Business Associate under this definition, an organization must receive PHI from, or handle PHI on behalf of, a Covered Entity or a Business Associate. Covered Entities and Business Associates should not ask any organization that does not handle PHI on their behalf to sign a BAA, even if it participates in or provides any of the functions, activities, and/or services listed in the definition of a Business Associate.
Similarly, many organizations believe that any other organization that handles PHI on their behalf must be a Business Associate. This is also false. To be a Business Associate under this definition an organization must participate in or provide any of the listed functions, activities, and/or services. Covered Entities and Business Associates should not ask organizations to sign a BAA if they do not participate in or provide any of the listed functions, activities, and/or services, even if they handle PHI on behalf of the Covered Entity or Business Associate.
Some organizations that are asking for a BAA may falsely believe they are a Covered Entity or Business Associate, e.g., health care providers often believe they are Covered Entities despite not transmitting Covered Transactions as explained in the post in this series on Covered Entities. Organizations that are not Covered Entities or Business Associates are not required to and should not be asking anyone to sign a BAA.