
HIPAA for Business Associates: What Healthcare Vendors Must Know in 2026
A HIPAA business associate is any individual or organization, outside of a covered entity's workforce, that creates, receives, maintains, or transmits protected health information while performing services on behalf of a covered entity. Since the HITECH Act of 2009, business associates have been directly liable for HIPAA violations—not just contractually obligated through their clients. HHS estimates the first-year cost of new Security Rule compliance requirements for the industry at $9 billion (HHS, 2025), with business associates responsible for a significant share of that investment.
Who Qualifies as a HIPAA Business Associate?
Any third party that handles PHI on behalf of a covered entity is a business associate. Common examples include: medical billing and coding services, EHR vendors, patient intake software platforms, cloud storage and hosting providers, IT support companies with access to systems containing PHI, healthcare attorneys and accountants who access patient records, transcription and translation services, and document shredding companies. If your business touches patient health data in any capacity while working for a healthcare provider or health plan, you are almost certainly a business associate.
What Is a Business Associate Agreement (BAA)?
A Business Associate Agreement is a written contract between a covered entity and a business associate that defines the permissible uses and disclosures of PHI, required security safeguards, breach notification obligations, and what happens to PHI when the contract ends (return or destruction). A BAA is legally required before any PHI can be shared with or accessed by a business associate. Using a vendor without a signed BAA is itself a HIPAA violation—regardless of the vendor's own security practices.
What Are Business Associates Required to Do Under HIPAA?
Business associates must comply with the HIPAA Security Rule in full, including implementing administrative, physical, and technical safeguards to protect ePHI. Specific requirements include: conducting a security risk analysis, implementing encryption for ePHI in transit and at rest (mandatory under proposed 2025 Security Rule updates), using multi-factor authentication, maintaining audit logs, training workforce members on HIPAA policies, and reporting security incidents and breaches to their covered entity clients within 60 days of discovery.
Business associates must also ensure that any subcontractors who handle PHI on their behalf (known as downstream business associates) also sign a BAA and comply with HIPAA requirements. The liability chain extends through the entire vendor ecosystem.
What Are the Penalties for Business Associates Who Violate HIPAA?
Since 2009, business associates can be penalized directly by HHS OCR—not just through their covered entity clients. Penalties follow the same tiered structure as for covered entities: from $145 per violation (Tier 1, lack of knowledge) to $2,190,294 per violation category (Tier 4, willful neglect uncorrected) as of January 2026. In 2024, HHS OCR resolved 22 enforcement cases—many involving business associates—making it one of the most active enforcement years on record (HHS OCR, 2025).
Common Compliance Failures for Business Associates
The most frequently cited compliance failures for business associates in HHS enforcement actions are: operating without a signed BAA, failure to conduct or document a security risk analysis, inadequate encryption of ePHI, lack of a documented incident response plan, insufficient workforce HIPAA training, and failure to notify covered entity clients of breaches within the required 60-day window. The 2025 proposed Security Rule updates add new requirements including annual verification of technical safeguard deployment and documented network segmentation.
How Zentake Meets Business Associate Obligations
As a patient intake platform, Zentake is a business associate for every healthcare practice that uses it. Zentake provides a signed BAA to all practices as a standard part of onboarding, operates with end-to-end encryption, role-based access controls, and full audit logging, and maintains SOC2-aligned security infrastructure. See Zentake's HIPAA compliance documentation.
Frequently Asked Questions About HIPAA Business Associates
Is my patient intake software a HIPAA business associate?
Yes. Any software platform that stores or transmits patient health information on your behalf qualifies as a business associate under HIPAA. You must have a signed BAA with them before using their platform for PHI. Zentake provides a BAA to every practice as a standard part of onboarding.
What must a Business Associate Agreement include?
A BAA must define: permissible uses and disclosures of PHI, required safeguards, subcontractor BAA obligations, breach notification requirements (within 60 days of discovery), and provisions for return or destruction of PHI at contract termination.
Can a business associate be fined directly for HIPAA violations?
Yes. Since the HITECH Act of 2009, business associates are directly liable for HIPAA violations and can be penalized by HHS OCR independently of their covered entity clients. Penalties range up to $2,190,294 per violation category.
How long does a business associate have to report a breach?
A business associate must notify the affected covered entity within 60 days of discovering a breach. The covered entity then has its own 60-day clock to notify affected patients and report to HHS OCR.
Do subcontractors of business associates also need to comply with HIPAA?
Yes. If a business associate uses a subcontractor that handles PHI, that subcontractor is also a business associate and must sign a BAA with the primary business associate. HIPAA liability flows through the entire vendor chain.
What happens to PHI when a business associate contract ends?
The BAA must specify whether PHI is returned to the covered entity or destroyed when the contract ends. Business associates cannot retain PHI beyond the contract period without explicit authorization. Destruction must be documented and verifiable.
Working with a patient intake platform that takes its business associate obligations seriously? Schedule a Zentake demo and review our BAA, security infrastructure, and compliance documentation.
Last reviewed: April 2026