Names such as “healthcare company,” “software vendor,” or “consultant” do not decide HIPAA status. The analysis should follow regulated transactions, plan functions, services performed for covered entities, actual PHI access, contracts, and subcontractor relationships.
Identify each legal organization and each function
List the legal entity, locations, service lines, workforce, payer relationships, and functions. A larger organization may perform covered and noncovered activities; a documented hybrid-entity analysis may be relevant. Do not assume one brand name means one uniform HIPAA status.
Test for covered-entity activity
Determine whether the organization is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a transaction for which HHS has adopted a standard. Record the transactions and systems supporting the conclusion.
Test every service relationship
For an organization serving a covered entity, document the service performed, whether PHI is created, received, maintained, or transmitted, whether access is routine or merely possible, and whether an exclusion applies. Cloud storage, support administration, analytics, billing, legal, accounting, consulting, and data services can require careful analysis.
Extend the analysis to subcontractors
A business associate that delegates a PHI-related function cannot stop at its direct contract. Map hosting providers, support contractors, offshore teams, identity services, backup providers, monitoring platforms, and other subcontractors that may maintain or access PHI.
Document uncertainty and obtain legal review
The record should state the known facts, missing facts, assumptions, competing interpretations, decision owner, counsel involved, and date. If the answer depends on transaction details or a regulatory exclusion, avoid presenting a website checklist as a legal conclusion.
Set reassessment triggers
Revisit status when services, ownership, contracts, data access, transaction methods, customers, subcontractors, or technology change. A vendor that did not handle PHI last year may become a business associate after a new integration or support arrangement.
Minimum decision file
Keep the organization chart, service descriptions, transaction evidence, representative contracts, data-flow diagram, PHI categories, customer relationship map, subcontractor list, legal analysis when obtained, signed approval, and a scheduled review date. This makes the conclusion explainable during diligence, an incident, or an audit.