A business associate is an outside company that performs work involving protected health information (PHI) for a covered healthcare entity, such as a provider, insurer, billing service, or portal vendor. Because it can create, receive, maintain, or transmit PHI, the business associate is not just a contractor; it has its own HIPAA-related security and breach-notification obligations.
This matters because many healthcare incidents begin at a vendor boundary. If attackers compromise a business associate, they may reach patient data through claims systems, messaging platforms, or support portals even when the provider's own network is intact. Defenders reduce this risk with strong contracts, access limits, MFA, logging, segmentation, and periodic vendor reviews. In an investigation, the key questions are what PHI was exposed, whether the access was authorized, and how long the compromised vendor access persisted in the environment.