When is an IT Company a HIPAA Business Associate?

In many clinics, the IT company is a HIPAA business associate, even if it never “intends” to look at patient data. The reason is simple: HIPAA’s business associate definition is driven by function and access, not by intent. If your IT vendor creates, receives, maintains, or transmits protected health information (PHI) on your behalf, or if it needs access to PHI to perform its services, HIPAA generally treats it as a business associate and expects a business associate agreement (BAA) to be in place before PHI is involved. 

That said, “IT company” is a broad label. Some vendors are true business associates because their work necessarily involves PHI. Others are not, because their services can be performed without using or disclosing PHI, and any contact with PHI would be incidental at most. HIPAA draws that distinction explicitly, and small clinics benefit from making the classification deliberately rather than signing BAAs blindly or skipping them because “they’re just IT.” 

Informational note: This article is for informational purposes only and does not constitute legal advice.

Why this classification matters

The BAA is not paperwork for its own sake. HIPAA generally requires covered entities to obtain written “satisfactory assurances” that a business associate will appropriately safeguard PHI. In practice, those satisfactory assurances are embodied in a HIPAA-compliant BAA with required terms. 

If an IT vendor is a business associate and you allow it to handle ePHI without a BAA, you have a compliance gap regardless of whether anything bad happens. If something does happen, the lack of a BAA is one of the easiest problems for regulators to identify because it is binary: the agreement exists or it does not. 

The definition that drives everything

HIPAA defines “business associate” broadly. It includes entities that create, receive, maintain, or transmit PHI on behalf of a covered entity for regulated functions like billing and practice management, and it also includes entities that provide services like management or administrative services when the service involves disclosure of PHI. It also includes subcontractors that handle PHI on behalf of a business associate. 

Two implications matter for IT vendors:

  1. “Maintain” is in the definition. A vendor can be a business associate even if it is not actively viewing charts. If it hosts or stores PHI, it is generally in scope. 

  2. Subcontractors matter. If your IT company uses another vendor to host backups or provide remote tooling that touches PHI, that downstream vendor can become part of the business associate chain. HIPAA expects flow-down obligations to subcontractors. 

The practical test for an IT company

A clinic does not need legal gymnastics to classify an IT vendor. You can usually get to the right answer by walking through a few practical questions.

Does the IT company have access to systems that contain PHI as part of its service?

If your IT company administers user accounts, resets passwords, manages endpoints, remotes into workstations, manages servers, manages network storage, manages backups, or supports the EHR environment, then it typically has the ability to access PHI in the course of doing its job. HIPAA does not require that the vendor routinely read PHI for it to be a business associate. If access to PHI is part of providing the service, the relationship generally fits the business associate definition and should be governed by a BAA.

HHS gives a straightforward example in its FAQ about software vendors: if the vendor needs access to the PHI of the covered entity in order to provide its service, the vendor would be a business associate. That logic maps cleanly to most IT support relationships where troubleshooting, administration, or hosting touches PHI. 

Does the IT company host, store, back up, or process ePHI for you?

If your IT company provides backup services, disaster recovery, managed hosting, cloud storage, or any service where it stores or processes ePHI on your behalf, it is generally operating as a business associate and should have a BAA. HHS is explicit that a cloud service provider is a business associate when it creates, receives, maintains, or transmits ePHI on behalf of a covered entity or another business associate, and that the covered entity or business associate must enter into a HIPAA-compliant BAA with the cloud service provider. 

This holds even in “no-view” situations where data is encrypted and the cloud provider does not have the decryption key. HHS’s cloud computing guidance is explicit that a BAA is still required in that model. 

Is the vendor more like a workforce member under your direct control?

HIPAA’s business associate definition excludes members of the covered entity’s workforce. In some limited scenarios, HHS notes that when a contractor’s employee has a primary duty station on-site at the covered entity, the covered entity may choose to treat that individual as a workforce member, under HIPAA’s workforce definition, rather than as a business associate.

This is often misunderstood. Treating someone as workforce is not a loophole. It implies you are exercising direct control over how they perform work for you and that they are covered by your internal controls like training, supervision, access governance, and sanctions. If the IT company is operating independently, with its own methods, tools, and staff rotation, it is usually more accurate to treat the company as a business associate and use a BAA. 

Situations where a BAA is often required for IT vendors

Managed service providers and remote administration

If your IT company uses remote access tools, administers accounts, supports systems that store PHI, or monitors environments where ePHI exists, the vendor’s service commonly involves creating, receiving, maintaining, or transmitting ePHI on your behalf, or at minimum requires access to it for troubleshooting and administration. That relationship usually belongs in the business associate bucket with a BAA in place. 

Cloud storage, backups, and hosted infrastructure

If the IT vendor uses a cloud platform to store or process ePHI for your clinic, HHS’s guidance is direct: you can use cloud services, but you need a HIPAA-compliant BAA with the cloud provider and you must otherwise comply with HIPAA requirements. This applies whether the cloud provider can view the data or not. 

This is also where subcontractors enter the picture. If your IT company is the business associate and it uses a cloud provider as a subcontractor that maintains ePHI, HIPAA expects the business associate to obtain satisfactory assurances from that subcontractor through a contract with the required elements. 

Situations where a BAA may not be required

Purely incidental contact with PHI

HIPAA does not require a business associate contract with persons or organizations whose services do not involve the use or disclosure of PHI and where any access to PHI would be incidental, if at all. HHS uses examples like janitorial services to illustrate this category. 

For IT vendors, this could apply in narrow cases where the vendor’s work truly does not require PHI access and any exposure would be accidental and avoidable through ordinary safeguards. In practice, most meaningful IT support work is not incidental because system administration and troubleshooting often entail access capability.

Mere conduits

HHS recognizes a narrow “conduit” concept. The Privacy Rule does not require BAAs with organizations such as the U.S. Postal Service, certain private couriers, and their electronic equivalents that act merely as conduits, transporting PHI without accessing it other than on a random or infrequent basis necessary to perform the transportation service. 

Clinics frequently misapply this to cloud storage and managed IT services. HHS’s cloud computing guidance makes clear that cloud storage and processing services that maintain ePHI are business associates that generally require BAAs. “We are just a conduit” is not a strong argument for most IT vendors that store, host, back up, or administer systems containing ePHI. 

What a HIPAA-compliant BAA should do for an IT company

A BAA is not a generic confidentiality agreement. The HIPAA regulations specify required elements for business associate contracts, including restricting uses and disclosures to those permitted by the contract, requiring safeguards, requiring breach reporting, addressing subcontractors, supporting certain patient rights obligations where applicable, and addressing return or destruction of PHI at termination where feasible. 

HHS publishes sample business associate agreement provisions and a model BAA as reference points. For small clinics, these are useful anchors because they reflect the regulatory requirements and reduce the chance you sign a “BAA” that is missing essential clauses. 

The Security Rule also ties business associate arrangements directly to safeguarding ePHI. Covered entities may permit a business associate to handle ePHI on their behalf only if they obtain satisfactory assurances that the business associate will appropriately safeguard the information under the Security Rule’s organizational requirements. 

A defensible way to handle this in a small clinic

The fastest way to get this right is to treat vendor classification as part of your security risk analysis and vendor inventory, not as an afterthought when a vendor asks for paperwork. HHS’s cloud guidance explicitly points back to the Security Rule requirement to consider risks in risk analysis and risk management when using cloud services and other business associates. 

A practical clinic-grade approach looks like this:

You map where ePHI lives and moves, including backups, endpoints, email, file storage, remote access, and any vendor platforms. Then you map which vendors have access to those systems or maintain those systems. Vendors in that map are very likely business associates. Once the classification is clear, you execute BAAs before PHI is involved, store them centrally, and ensure your business associates understand incident reporting expectations and subcontractor obligations.

This is one area where tooling is genuinely helpful. A clinic can be “doing the right thing” and still lose track of BAAs because they live in email threads, vendor portals, or a folder no one owns. A platform like Timber can keep the vendor list, BAA status, renewal reviews, and incident contact paths in one place, which reduces operational drift without changing any HIPAA obligations.

Sources

HHS OCR: Business Associates guidance
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

HHS OCR FAQ 256: Software vendor is not a BA unless it accesses PHI; on-site contractor may be treated as workforce in certain circumstances
https://www.hhs.gov/hipaa/for-professionals/faq/256/is-software-vendor-business-associate/index.html

HHS OCR: Guidance on HIPAA and Cloud Computing
https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html

HHS OCR FAQ 2075: Using a cloud service to store or process ePHI requires a HIPAA-compliant BAA
https://www.hhs.gov/hipaa/for-professionals/faq/2075/may-a-hipaa-covered-entity-or-business-associate-use-cloud-service-to-store-or-process-ephi/index.html

HHS OCR FAQ 245: Conduit concept (USPS, certain couriers and their electronic equivalents)
https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html

HHS OCR FAQ 243: No BAA required for incidental contact with PHI (janitorial-type example)
https://www.hhs.gov/hipaa/for-professionals/faq/243/is-a-business-associate-contract-required-for-inadvertent-contact-with-phi/index.html

45 CFR 160.103 definition of Business Associate and Workforce (Cornell LII)
https://www.law.cornell.edu/cfr/text/45/160.103

45 CFR 164.504(e) Business associate contract requirements
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504

HHS OCR: Sample Business Associate Agreement Provisions
https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

HHS OCR: Model Business Associate Agreement (PDF)
https://www.hhs.gov/sites/default/files/model-business-associate-agreement.pdf

45 CFR 164.314 Organizational requirements (Security Rule, business associate arrangements)
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.314