Data Privacy & Compliance

Does My Business Need to Comply With HIPAA If We're Not in Healthcare?

Many non-healthcare businesses are HIPAA business associates without knowing it. Learn who must comply, what's required, and how to get compliant.

By COMNEXIA
#HIPAA compliance#business associate#health data#HIPAA requirements#cybersecurity#compliance

If you think HIPAA only applies to hospitals and doctors’ offices, you might be in for an unpleasant surprise. Every year, businesses that have nothing to do with patient care — IT companies, accounting firms, law offices, billing services, shredding companies, cloud software vendors — discover they’ve been legally obligated to protect health information all along. Under HIPAA, these companies are called business associates, and they carry real compliance obligations with real penalties attached.

At COMNEXIA, we’ve spent 35 years helping Atlanta-area businesses manage their technology, and HIPAA questions come up far more often from non-healthcare clients than you’d expect. Here’s a practical guide to figuring out whether HIPAA applies to you and what to do about it.

What Is HIPAA and Who Does It Apply To?

HIPAA — the Health Insurance Portability and Accountability Act — is a federal law enacted in 1996 that sets national standards for protecting sensitive patient health information. It applies directly to two groups: covered entities and business associates.

Covered entities are the obvious ones:

  • Healthcare providers (hospitals, physician practices, dentists, chiropractors, pharmacies)
  • Health plans (insurers, HMOs, employer group health plans)
  • Healthcare clearinghouses (entities that process health information between formats)

Business associates are everyone else who touches protected health information (PHI) on behalf of a covered entity. That second category is where non-healthcare businesses get pulled in — often without realizing it.

What Is a Business Associate Under HIPAA?

A business associate is any person or company that creates, receives, maintains, or transmits protected health information while performing services for a covered entity. You don’t have to deliver care. You don’t have to bill insurance. If PHI flows through your systems or your hands as part of the work you do for a healthcare client, you’re likely a business associate.

Common examples include:

  • IT service providers and MSPs that manage servers, email, or networks containing patient data
  • Cloud storage and SaaS vendors that host applications where PHI lives
  • Medical billing and coding companies
  • Accountants and CPAs whose work involves access to patient accounts
  • Attorneys handling matters that involve medical records
  • Document shredding and records storage companies
  • Answering services and call centers for medical practices
  • Collection agencies pursuing medical debt
  • Email encryption, backup, and disaster recovery vendors

Importantly, subcontractors of business associates are also business associates. If a medical billing company hires your firm to handle its data backups, HIPAA obligations flow downstream to you, too.

What Counts as Protected Health Information (PHI)?

PHI is any individually identifiable health information that is created, stored, or transmitted by a covered entity or business associate — including names, dates, contact details, medical record numbers, and treatment or payment information. It covers information in any form: electronic, paper, or spoken.

The key test is whether the information (1) relates to someone’s health condition, care, or payment for care, and (2) can identify the person. A spreadsheet of patient names and appointment dates is PHI. A server backup containing medical billing records is PHI. Even an email thread mentioning a patient by name can be PHI.

Electronic PHI — usually abbreviated ePHI — is the focus of HIPAA’s Security Rule, and it’s where most modern compliance work happens, because that’s where most breaches happen.

Do Business Associates Face Direct Liability Under HIPAA?

Yes. Since the HITECH Act of 2009 and the HIPAA Omnibus Final Rule that followed in 2013, business associates are directly liable under HIPAA — meaning federal regulators can investigate and penalize them directly, not just their healthcare clients.

Before HITECH, a business associate’s obligations existed mostly through contract. If something went wrong, the covered entity took the regulatory heat. That era is over. Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) — the agency that enforces HIPAA — can bring enforcement actions against business associates for violations of the Security Rule, the Breach Notification Rule, and certain Privacy Rule provisions.

Civil penalties are tiered based on the level of culpability, ranging from violations the entity couldn’t reasonably have known about up to willful neglect that goes uncorrected. Penalty amounts are adjusted periodically for inflation and can reach into the millions of dollars for serious, uncorrected violations across a calendar year. Criminal penalties are also possible for knowingly obtaining or disclosing PHI improperly.

The practical takeaway: “we’re just the vendor” is not a defense.

What Is a Business Associate Agreement (BAA)?

A Business Associate Agreement is a legally required contract between a covered entity and its business associate that spells out how PHI will be protected, what the business associate is permitted to do with it, and what happens when there’s a breach. HIPAA requires a BAA to be in place before PHI is shared.

If a healthcare client has ever asked you to sign a BAA, that’s your clearest signal that they consider you a business associate. Signing it isn’t just paperwork — it activates a set of obligations you’re expected to actually meet, including:

  • Using PHI only as permitted by the agreement
  • Implementing safeguards required by the Security Rule
  • Reporting breaches and security incidents to the covered entity
  • Ensuring your own subcontractors sign BAAs
  • Returning or destroying PHI when the relationship ends

A word of caution we share with our IT consulting clients: don’t sign a BAA you can’t honor. It’s a binding commitment, and a breach investigation will examine whether you did what you promised.

What Does HIPAA Actually Require a Business Associate to Do?

Business associates must comply with the HIPAA Security Rule, which requires administrative, physical, and technical safeguards for electronic PHI, plus breach notification obligations and the terms of their BAAs. The Security Rule is intentionally flexible — it scales to the size and complexity of your organization — but the core requirements are consistent.

Administrative Safeguards

These are the policies, procedures, and people side of security:

  • Risk analysis — a documented assessment of where ePHI lives in your environment and what threatens it. This is the foundation of everything else, and its absence is one of the most common findings in OCR enforcement actions.
  • Risk management — actually fixing the problems the analysis finds
  • Workforce training on handling PHI
  • Access management — granting PHI access only to people who need it
  • Contingency planning — data backup, disaster recovery, and emergency operations plans
  • A designated security official responsible for the program

Physical Safeguards

  • Facility access controls (locked server rooms, visitor policies)
  • Workstation security policies
  • Device and media controls — including how drives, laptops, and backup media containing ePHI are tracked, reused, and destroyed

Technical Safeguards

  • Access controls — unique user IDs, automatic logoff, and (where reasonable and appropriate) encryption
  • Audit controls — logging and reviewing activity in systems containing ePHI
  • Integrity controls — protecting ePHI from improper alteration or destruction
  • Transmission security — encrypting ePHI in transit, such as over email or between offices

If that list looks like a general cybersecurity program, that’s because it largely is. Businesses that already follow a solid security framework are most of the way there. Businesses that don’t are exposed on two fronts: HIPAA and ordinary cyber risk. Our cybersecurity services are built around exactly these fundamentals — risk assessment, access control, encryption, monitoring, and tested backups.

What Happens If a Business Associate Has a Data Breach?

Under the HIPAA Breach Notification Rule, a business associate must notify the affected covered entity of a breach of unsecured PHI without unreasonable delay — and in no case later than 60 days after discovering it. The covered entity is then responsible for notifying affected individuals, HHS, and in larger breaches, the media.

Two details matter here:

  1. “Unsecured” is the trigger word. PHI that is properly encrypted according to HHS guidance generally falls outside breach notification requirements if the encryption keys weren’t compromised. This is one of the strongest business cases for encryption: it can turn a lost laptop from a reportable breach into a non-event.
  2. Discovery starts the clock. A breach is considered discovered on the first day it’s known — or reasonably should have been known — to anyone in your organization other than the person who caused it. Weak monitoring doesn’t delay your obligations; it just means you find out late and start behind.

Your BAA may impose tighter timelines than the regulatory maximum, so read it. Many covered entities require notification within days, not weeks.

How Does a Small Business Get HIPAA Compliant Without a Compliance Department?

Start with a risk analysis, put the essential safeguards in place, document everything, and formalize the program with policies and training — in that order. Here’s the practical sequence we recommend:

  1. Inventory your PHI. You can’t protect what you haven’t located. Map every system, folder, mailbox, backup, and device where PHI could live — including places it shouldn’t be, like personal devices and old file shares.
  2. Run a risk analysis. Identify threats and vulnerabilities for each location and rate the risk. This doesn’t have to be a 200-page document for a small firm, but it must exist and be honest.
  3. Close the obvious gaps. In our experience, the highest-impact controls are multi-factor authentication, full-disk and in-transit encryption, role-based access, offboarding procedures, patched systems, and tested backups.
  4. Write it down. HIPAA is a documentation regulation as much as a security one. Policies, procedures, training records, and risk analyses need to be retained — HIPAA requires documentation to be kept for six years.
  5. Train your team. Most breaches start with a person, not a firewall. Phishing awareness and PHI handling training are required and genuinely effective.
  6. Review your BAAs. Make sure one exists for every healthcare relationship — upstream and downstream — and that you can meet its terms.
  7. Reassess regularly. A risk analysis is not a one-time event. Revisit it when your environment changes and at least annually as a matter of good practice.

For a business without in-house compliance staff, this is a very reasonable project to run with an experienced IT partner. COMNEXIA has been serving businesses across the Atlanta metro area since 1991, and we regularly help firms in financial services, legal, and professional services stand up exactly this kind of program — because those are the industries most likely to become business associates without planning for it.

Why HIPAA Compliance Is Worth It Even If You’re on the Edge of Coverage

Some businesses genuinely sit in a gray area — they might touch PHI occasionally, or a client might send them something they shouldn’t. Here’s our honest advice: build the safeguards anyway.

Every control HIPAA requires — risk assessment, encryption, access management, backups, incident response, training — is something a well-run business should have regardless. Georgia businesses face the same ransomware, phishing, and data-theft threats as everyone else, and other regulations — like the FTC Safeguards Rule for businesses that handle consumer financial data — expect a similar security baseline. Meeting HIPAA’s Security Rule essentially means meeting the baseline for modern business security.

And commercially, compliance is becoming a ticket to entry. Healthcare organizations are scrutinizing vendors harder than ever, and the ability to say “yes, we’ll sign your BAA, and here’s our security program” wins business that less-prepared competitors lose.

Frequently Asked Questions

Q: We only occasionally see health information from one client. Are we still a business associate? A: Frequency doesn’t matter — function does. If you create, receive, maintain, or transmit PHI on behalf of a covered entity as part of your services, you’re a business associate even if it happens rarely. The volume of PHI affects your risk profile, not your legal status.

Q: Our healthcare client never asked us to sign a BAA. Does that mean we’re off the hook? A: No. The absence of a BAA doesn’t erase business associate status — it just means both parties are out of compliance. HIPAA obligations attach based on what you do with PHI, not on whether the paperwork was completed. If you believe you’re functioning as a business associate, raise the BAA question with your client.

Q: Is cloud storage a business associate even if the provider never opens our files? A: Generally yes. HHS has made clear that cloud service providers that maintain ePHI are business associates even if the data is encrypted and the provider lacks the decryption key. “We just store it” is maintaining PHI, which is squarely within the definition.

Q: What’s the single most important first step toward HIPAA compliance? A: A documented risk analysis. It’s the foundation the Security Rule builds on, it’s what regulators ask for first in an investigation, and its absence is one of the most frequently cited failures in enforcement actions. Everything else — controls, policies, training — should flow from what the risk analysis finds.

Q: Does HIPAA require encryption? A: Encryption is what HIPAA calls an “addressable” specification — which does not mean optional. It means you must implement it if reasonable and appropriate, or document why an equivalent alternative protects ePHI just as well. In practice, encryption at rest and in transit is reasonable and appropriate for nearly every modern business, and it provides a powerful safe harbor under the Breach Notification Rule.


Not sure whether your business handles PHI — or whether you could pass a HIPAA risk analysis today? COMNEXIA has helped Atlanta businesses secure their technology for 35 years. Talk to our cybersecurity team or explore our IT consulting services to get a clear answer.

Need Expert Technology Guidance?

Don't navigate complex technology decisions alone. Our consulting team provides the strategic guidance you need to make informed technology investments.