Covered entities, business associates, and vendor responsibility

Determine HIPAA Applicability Across Covered Entities, Vendors, and Subcontractors

HIPAA responsibility often extends beyond the doctor or dentist. Billing companies, managed IT providers, cloud backup vendors, answering services, transcription services, consultants, and software platforms may all create risk when they touch PHI.

Classify the organization before choosing controls.
Trace PHI through contracts and subcontractors.
Document the facts, rationale, owner, and review trigger.
\n
Written applicability decision

Build a HIPAA Status Record That Another Reviewer Can Reconstruct

Names such as “healthcare company,” “software vendor,” or “consultant” do not decide HIPAA status. The analysis should follow regulated transactions, plan functions, services performed for covered entities, actual PHI access, contracts, and subcontractor relationships.

Identify each legal organization and each function

List the legal entity, locations, service lines, workforce, payer relationships, and functions. A larger organization may perform covered and noncovered activities; a documented hybrid-entity analysis may be relevant. Do not assume one brand name means one uniform HIPAA status.

Test for covered-entity activity

Determine whether the organization is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a transaction for which HHS has adopted a standard. Record the transactions and systems supporting the conclusion.

Test every service relationship

For an organization serving a covered entity, document the service performed, whether PHI is created, received, maintained, or transmitted, whether access is routine or merely possible, and whether an exclusion applies. Cloud storage, support administration, analytics, billing, legal, accounting, consulting, and data services can require careful analysis.

Extend the analysis to subcontractors

A business associate that delegates a PHI-related function cannot stop at its direct contract. Map hosting providers, support contractors, offshore teams, identity services, backup providers, monitoring platforms, and other subcontractors that may maintain or access PHI.

Document uncertainty and obtain legal review

The record should state the known facts, missing facts, assumptions, competing interpretations, decision owner, counsel involved, and date. If the answer depends on transaction details or a regulatory exclusion, avoid presenting a website checklist as a legal conclusion.

Set reassessment triggers

Revisit status when services, ownership, contracts, data access, transaction methods, customers, subcontractors, or technology change. A vendor that did not handle PHI last year may become a business associate after a new integration or support arrangement.

Minimum decision file

Keep the organization chart, service descriptions, transaction evidence, representative contracts, data-flow diagram, PHI categories, customer relationship map, subcontractor list, legal analysis when obtained, signed approval, and a scheduled review date. This makes the conclusion explainable during diligence, an incident, or an audit.

Boundary analysis

Test the Difficult Cases Before Finalizing HIPAA Status

Technology vendors that cannot easily view data

Encryption or customer-controlled keys may reduce access, but status should not be decided from a marketing claim alone. Document whether the service maintains ePHI, whether support personnel or subprocessors can access metadata or content, how keys and recovery work, what contracts promise, and how HHS guidance applies to the actual service.

Professional services and incidental exposure

Legal, accounting, consulting, accreditation, administrative, and technical services can require analysis when PHI is involved. Distinguish a service performed for a regulated entity that requires PHI from incidental contact that does not define the service. Preserve the factual basis and counsel’s conclusion when needed.

Employers, wellness programs, and group health plans

Employment records held in the employer role are not automatically PHI, while a group health plan may be a covered entity. Separate plan functions from employment functions, systems, staff, and records. Do not casually move plan information into HR workflows without a documented basis and appropriate controls.

Researchers, app developers, and patient-directed services

Health-related information is not always PHI, and a consumer application is not automatically a business associate. Analyze who provides the data, whether the service acts for a covered entity or business associate, applicable authorizations or patient directions, contracts, and any other privacy laws that may apply.

Scope decisions should identify what is outside HIPAA too

A disciplined record names noncovered functions, the facts supporting exclusion, other applicable privacy or security duties, and controls preventing inappropriate mixing. “Not HIPAA” never means “no privacy or cybersecurity responsibility.”

\n

Use a Transaction-and-Relationship Test, Not a Job-Title Test

1

Identify the organization’s function

Determine whether it is a health plan, healthcare clearinghouse, or healthcare provider. A provider becomes a HIPAA covered entity when it conducts one or more HIPAA standard transactions electronically, directly or through another entity. Electronic claims, eligibility inquiries, claim-status requests, remittance advice, and referral authorization workflows are common indicators, but the exact analysis should use the transaction standards and qualified legal advice.

2

Identify work performed for a regulated entity

If an organization creates, receives, maintains, or transmits PHI while performing a function or service for a covered entity or another business associate, analyze business associate status. Cloud storage, managed IT, billing, analytics, legal, accounting, consulting, data processing, and secure destruction may qualify when the service involves PHI.

3

Separate workforce, conduit, and independent activities

A workforce member is not a business associate of the same organization. A true conduit generally transports information without persistent access, while a service that maintains ePHI is not automatically a conduit merely because data is encrypted. Also separate services performed on behalf of the covered entity from a vendor’s independent consumer-facing activities.

Organizations Commonly Mistaken for HIPAA-Covered Businesses

Employers, life insurers, schools, many fitness applications, and many direct-to-consumer health technology companies are not automatically covered by HIPAA simply because they hold health-related information. Their obligations may instead arise from state privacy law, employment law, contractual promises, the FTC Act, the FTC Health Breach Notification Rule, or another sector-specific requirement.

The same company may perform both HIPAA-regulated and non-HIPAA activities. Document the data, relationship, purpose, systems, contracts, and legal basis for each service line rather than placing the entire organization into one label without analysis.

Map the Full Business Associate Chain

A signed Business Associate Agreement between a practice and its primary vendor does not complete the analysis. The vendor may rely on a hosting provider, support platform, backup operator, payment service, analytics tool, transcription service, or offshore support team that also handles PHI. Business associates must obtain appropriate assurances from subcontractors that create, receive, maintain, or transmit PHI on their behalf.

Contract record

Record the covered function, permitted uses and disclosures, safeguard obligations, breach and security-incident reporting, subcontractor duties, return or destruction terms, termination rights, and responsibility for records or access requests.

Technical record

Record systems accessed, data categories, privileged accounts, remote-support method, encryption, authentication, logging, backup responsibility, data locations, integration keys, and how access is removed.

Oversight record

Assign an internal owner, review security documentation, track material changes, monitor incidents and service issues, reassess access, and document action when the organization learns of a material breach or violation.

Document the HIPAA Status Decision

A defensible scoping memo should identify the legal role, business function, relevant transaction or service relationship, PHI involved, systems and locations, counterparties, agreements, responsible executive, counsel or compliance reviewer, decision date, assumptions, and next review trigger. Revisit the decision when services, acquisitions, software, data flows, billing arrangements, or contracts change.

After status is established, use the HIPAA vendor risk guide to build the oversight record. Covered practices can use the small medical practice requirements guide, while dental organizations can move to the dental-office HIPAA implementation guide.

Sources for the Applicability Decision

These HHS materials should anchor the classification analysis; counsel should resolve organization-specific legal questions.

Scope and Applicability Questions

Does HIPAA apply to dental offices?

Yes, dental practices commonly qualify as covered entities when they conduct covered electronic transactions and handle patient records, imaging, billing, insurance, and treatment information.

Can an IT company be a business associate?

Yes. If an IT company can access systems containing PHI or ePHI, it may be a business associate and should have appropriate agreements and safeguards.

Does every vendor need a BAA?

Not every vendor does, but vendors that create, receive, maintain, transmit, or can access PHI for a covered entity should be reviewed carefully.

Resolve HIPAA Scope Before Building the Program

OC Security Audit can help organize the technical and operational facts behind an applicability decision, map PHI relationships, and turn the confirmed scope into risk, control, and evidence work.

Legal counsel should determine disputed regulatory status. Once status is established, technical findings can be assigned to practical implementation projects through IT Perfection when appropriate.