
Does My Business Need to Comply with HIPAA If We're Not a Hospital?

Many non-healthcare businesses must comply with HIPAA as business associates. Learn who qualifies, what's required, and how to implement compliance practically.

By COMNEXIA
Tags: HIPAA compliance, business associate, health data, HIPAA requirements, data privacy, PHI, cybersecurity, compliance

Most business owners hear “HIPAA” and immediately think of hospitals, doctor’s offices, and insurance companies. That instinct makes sense — the Health Insurance Portability and Accountability Act was originally designed to protect patient health information flowing through the healthcare system. But here’s the part that catches thousands of businesses off guard every year: if your company touches protected health information (PHI) in any capacity, HIPAA likely applies to you, even if you’ve never treated a patient in your life.

From IT service providers and cloud hosting companies to law firms, accounting practices, and shredding services, the list of non-healthcare businesses subject to HIPAA is far longer than most people realize. Penalties for non-compliance range from $141 per violation up to $2.13 million per violation category per year, with criminal penalties possible for willful neglect. Understanding whether your business qualifies — and what to do about it — isn’t optional anymore.

What Is a HIPAA Business Associate?

A HIPAA business associate is any person or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity (such as a hospital, physician practice, or health insurer). This definition was significantly expanded under the HITECH Act of 2009 and further clarified in the 2013 Omnibus Rule.

Before 2013, business associates had limited direct liability under HIPAA. The Omnibus Rule changed that entirely. Business associates are now directly liable for HIPAA compliance and face the same penalties as covered entities for violations. This isn’t a gray area — it’s settled regulation enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

What Types of Non-Healthcare Businesses Qualify?

The range of businesses that fall under HIPAA business associate requirements is broader than most expect:

  • IT service providers and managed service providers (MSPs) — if you manage servers, networks, or cloud infrastructure for a healthcare client, you’re a business associate
  • Cloud storage and hosting providers — storing PHI on your servers or platforms triggers HIPAA obligations
  • Accounting and billing firms — processing claims or handling financial records that contain health information
  • Law firms — providing legal services that involve access to patient records
  • Consulting firms — performing utilization review, quality assurance, or practice management
  • Shredding and document destruction companies — handling physical records containing PHI
  • Software vendors — if your application processes, stores, or transmits PHI
  • Answering services — taking messages for healthcare providers that include patient details
  • Data analytics firms — analyzing health data sets, even de-identified data in some cases

If your business serves even one healthcare client and could potentially access PHI through that relationship, you likely need a Business Associate Agreement (BAA) and a compliance program to back it up.

What Does HIPAA Actually Require From Business Associates?

HIPAA compliance for business associates centers on three core rule sets: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each carries specific obligations that non-healthcare businesses must implement.

The Privacy Rule

The Privacy Rule governs how PHI can be used and disclosed. As a business associate, you must:

  • Use PHI only for the purposes specified in your BAA
  • Implement policies restricting employee access to PHI on a need-to-know basis
  • Provide individuals access to their PHI upon request (if you maintain it)
  • Track disclosures of PHI for an accounting of disclosures

The Security Rule

The Security Rule specifically covers electronic PHI (ePHI) and requires three categories of safeguards:

Administrative safeguards include designating a security officer, conducting regular risk assessments, implementing workforce training, and establishing incident response procedures. The risk assessment is arguably the most important — OCR has stated repeatedly that failure to conduct a thorough, documented risk assessment is the most common finding in HIPAA enforcement actions.

Physical safeguards include facility access controls, workstation security policies, and device and media controls for any hardware that stores or accesses ePHI.

Technical safeguards include access controls (unique user IDs, emergency access procedures, automatic logoff, encryption), audit controls for tracking access to ePHI, integrity controls, and transmission security including encryption of data in transit.
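The technical safeguards above are easier to reason about when you see them as code paths rather than a checklist. The following is an added illustration written for this article, not COMNEXIA's tooling and not anything prescribed by the regulation itself. It models unique user IDs, need-to-know role checks, automatic logoff after an idle period, a logged emergency ("break-glass") access path, a hash-chained audit trail that detects tampering (an integrity control), and a client TLS context that refuses anything below TLS 1.2 for ePHI in transit. The 15-minute timeout, the role names, the user IDs and the patient record are assumptions constructed for the demo.

```python
"""Added illustration of HIPAA Security Rule technical safeguards.
Example code, not COMNEXIA's or any regulator's; the timeout, roles,
user IDs and record contents are constructed assumptions."""
import hashlib
import json
import ssl

IDLE_TIMEOUT_SECONDS = 15 * 60            # assumed automatic-logoff threshold
READ_ROLES = {"clinician", "billing"}     # assumed need-to-know roles for reads


def _digest(d):
    return hashlib.sha256(json.dumps(d, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only audit trail. Each entry hashes the previous entry's hash,
    so editing or deleting an entry breaks the chain (integrity control)."""

    def __init__(self):
        self.entries = []

    def record(self, ts, user_id, action, record_id, outcome, reason=""):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": ts, "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome,
                 "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Re-walk the chain; False means an entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class EphiSession:
    """One authenticated workforce member, identified by a unique user ID."""

    def __init__(self, user_id, role, audit, now):
        self.user_id, self.role, self.audit = user_id, role, audit
        self.last_activity, self.active = now, True

    def read(self, store, record_id, now, emergency_reason=None):
        # Automatic logoff: an idle session is closed before any access.
        if self.active and now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.active = False
            self.audit.record(now, self.user_id, "auto_logoff", "-", "session_expired")
        if not self.active:
            self.audit.record(now, self.user_id, "read", record_id, "denied_no_session")
            return None
        self.last_activity = now
        # Emergency access bypasses the role check but is always recorded
        # with the stated reason so it can be reviewed afterwards.
        if emergency_reason:
            self.audit.record(now, self.user_id, "read", record_id,
                              "emergency_access", emergency_reason)
            return store.get(record_id)
        if self.role not in READ_ROLES:
            self.audit.record(now, self.user_id, "read", record_id, "denied_role")
            return None
        self.audit.record(now, self.user_id, "read", record_id, "ok")
        return store.get(record_id)


def phi_transport_context():
    """Client TLS context for ePHI in transit: certificate verification on,
    nothing older than TLS 1.2 accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def transport_is_hardened(ctx):
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def run_scenario():
    """Exercise the controls against a constructed, fictitious record."""
    store = {"MRN-0001": {"name": "Test Patient (constructed)", "dx": "sample"}}
    audit = AuditLog()
    t0 = 1_700_000_000
    billing = EphiSession("u-billing-01", "billing", audit, t0)
    intern = EphiSession("u-intern-07", "intern", audit, t0)
    out = {}
    out["billing_read"] = billing.read(store, "MRN-0001", t0 + 10) is not None
    out["intern_read"] = intern.read(store, "MRN-0001", t0 + 20) is not None
    out["intern_emergency"] = intern.read(store, "MRN-0001", t0 + 30,
                                          emergency_reason="on-call escalation") is not None
    out["expired_read"] = billing.read(store, "MRN-0001", t0 + 10 + 16 * 60) is not None
    out["chain_valid"] = audit.verify()
    audit.entries[1]["outcome"] = "ok"     # simulate someone rewriting a denial
    out["chain_valid_after_tamper"] = audit.verify()
    out["tls_hardened"] = transport_is_hardened(phi_transport_context())
    out["audit_entries"] = len(audit.entries)
    return out


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

In the scenario the billing user's read succeeds, the intern's ordinary read is denied by role but the emergency read is allowed and logged with its reason, the billing session is logged off automatically when it comes back after 16 idle minutes, and rewriting one audit entry is detected by the chain check. In production the audit trail would be written to storage the application cannot modify in place, but the chaining idea is the same.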

The Breach Notification Rule

If a breach of unsecured PHI occurs, business associates must notify the affected covered entity within 60 days of discovering the breach. The covered entity then handles individual and media notifications, but the business associate bears responsibility for timely reporting and cooperation with the investigation.

How Do I Know If My Company Handles PHI?

Protected health information is any individually identifiable health information that relates to a person’s past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. PHI includes 18 specific identifiers defined by HIPAA, including:

  • Names, addresses, dates (birth, admission, discharge, death)
  • Phone numbers, email addresses, Social Security numbers
  • Medical record numbers, health plan beneficiary numbers
  • Account numbers, certificate/license numbers
  • Device identifiers, IP addresses, biometric identifiers
  • Full-face photographs, any other unique identifying number

Here’s where it gets tricky for non-healthcare businesses: you may be handling PHI without realizing it. If a healthcare client sends you an email with a patient name and diagnosis for a billing question, that’s PHI in your email system. If you back up a medical practice’s server, those backup files contain PHI. If your help desk logs include screenshots of a healthcare client’s EHR system, those logs contain PHI.

The practical test is straightforward: does your business interact with any healthcare organizations in a way that could expose you to patient-identifiable health information? If yes, assume HIPAA applies until you’ve formally assessed otherwise.

What Happens If a Non-Healthcare Business Violates HIPAA?

OCR enforces HIPAA violations through a tiered penalty structure updated annually for inflation:

Tier   Knowledge level                               Penalty range per violation
1      Did not know (and wouldn’t have known)        $141 – $35,581
2      Reasonable cause, not willful neglect         $1,424 – $71,162
3      Willful neglect, corrected within 30 days     $14,232 – $71,162
4      Willful neglect, not corrected                $71,162 – $2,134,831

These are per-violation penalties, and a single breach incident can involve thousands of individual violations. Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell or use PHI for personal gain.

Real enforcement actions against business associates have included settlements of $650,000 against a medical records storage company (2016), $2.3 million against a medical management company (2018), and $4.3 million against a health plan’s business associate (2019). OCR does not limit enforcement to healthcare companies — business associates are investigated and penalized with the same rigor.

How Should a Small Business Start HIPAA Compliance?

Starting HIPAA compliance doesn’t require hiring a dedicated compliance department, but it does require a structured approach. Here’s a practical implementation path:

Step 1: Conduct a risk assessment. Document every system, process, and location where PHI is created, received, stored, or transmitted in your organization. Identify vulnerabilities and threats to each. The NIST Cybersecurity Framework and HHS’s own Security Risk Assessment Tool provide useful starting templates.

Step 2: Execute Business Associate Agreements. Every relationship involving PHI access needs a signed BAA. This is a legal contract specifying how you’ll protect PHI, what you’ll do in case of a breach, and what happens when the relationship ends.

Step 3: Implement security controls. Based on your risk assessment, deploy technical controls including encryption (AES-256 for data at rest, TLS 1.2+ for data in transit), multi-factor authentication, access logging, endpoint protection, and network segmentation for systems handling PHI.

Step 4: Train your workforce. Every employee who could potentially access PHI needs documented HIPAA training — at hire and annually. Training should cover what PHI is, how to handle it, how to report incidents, and the consequences of violations.

Step 5: Create and test an incident response plan. Document your breach detection, investigation, containment, and notification procedures. Test them at least annually through tabletop exercises.

Step 6: Document everything. HIPAA requires retention of compliance documentation for six years. Policies, risk assessments, training records, BAAs, and incident reports all need organized, accessible storage.

Working with an experienced IT partner who understands HIPAA requirements can significantly streamline this process. At COMNEXIA, we’ve helped businesses across the Atlanta metro area implement HIPAA-compliant infrastructure for over 35 years — from network architecture and encryption to ongoing monitoring and incident response planning. Our IT consulting team works with companies to assess their compliance posture and close gaps before they become enforcement issues.

Does HIPAA Apply If I Only Handle De-Identified Data?

Properly de-identified data is not considered PHI under HIPAA, but the de-identification standard is strict. HIPAA recognizes two methods: Expert Determination (a qualified statistician certifies re-identification risk is very small) and Safe Harbor (all 18 identifiers are removed and the covered entity has no actual knowledge that the remaining information could identify an individual).

If your business receives data that has been de-identified using one of these approved methods, HIPAA does not apply to that data. However, many businesses incorrectly assume their data is de-identified when it actually retains identifiers — particularly dates, geographic data smaller than a state, or unique account numbers. When in doubt, treat the data as PHI until formally assessed.
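Two points above invite the same check: PHI that hides in billing e-mails and help-desk notes, and "de-identified" extracts that still carry dates, fine-grained geography or record numbers. The following is an added example written for this article, not COMNEXIA's tooling and not an official HHS method. It scans free text for the Safe Harbor identifiers that have a recognizable shape (full dates, SSNs, phone numbers, e-mail addresses, IP addresses, five-digit ZIP codes, ages over 89 and an assumed local medical-record-number format) while deliberately ignoring the forms Safe Harbor permits (year-only dates, ages up to 89, three-digit ZIP prefixes). The sample records are constructed. Names, street addresses and photographs have no regular shape, so a clean scan is a starting point for a formal assessment, not a determination.

```python
"""Added first-pass scanner for HIPAA Safe Harbor identifiers in free text.
Example code, not COMNEXIA's and not an HHS method; the MRN pattern,
category names and sample records are constructed assumptions."""
import re

# Safe Harbor allows year-only dates, ages up to 89 and 3-digit ZIP prefixes,
# so the patterns below deliberately do not match those forms.
PATTERNS = {
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"
                       r"|\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),        # full ZIP, not a 3-digit prefix
    "mrn": re.compile(r"\bMRN[\s#:]*\d{6,}\b", re.I),  # assumed local record-number format
}
AGE = re.compile(r"\b(?:age|aged)\s*(\d{1,3})\b", re.I)


def scan(text):
    """Return the set of identifier categories found in one piece of text."""
    found = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if any(int(m.group(1)) > 89 for m in AGE.finditer(text)):
        found.add("age_over_89")
    return found


def safe_harbor_report(records):
    """Map each record name to the sorted identifier categories that remain."""
    return {name: sorted(scan(text)) for name, text in records.items()}


def is_safe_harbor_candidate(text):
    """True only when the scanner finds nothing; a human review still follows."""
    return not scan(text)


# Constructed sample inputs: a billing e-mail, a help-desk ticket and two
# "de-identified" research extracts, one of which is not.
SAMPLE_RECORDS = {
    "billing_email": ("Quick question on the claim for MRN 00481516, DOB 03/14/1971, "
                      "ZIP 30301, dx hypertension, service 2023-11-02, call 404-555-0100"),
    "helpdesk_ticket": ("Ticket 4412: jdoe@clinic.example reports EHR timeout "
                        "from 10.20.30.40; screenshot attached"),
    "research_extract": "age 67, service year 2023, ZIP3 303, dx hypertension",
    "elderly_extract": "age 92, service year 2022, ZIP3 303, dx diabetes",
}


if __name__ == "__main__":
    for name, cats in safe_harbor_report(SAMPLE_RECORDS).items():
        verdict = "treat as PHI: " + ", ".join(cats) if cats else "no shaped identifiers found"
        print(f"{name}: {verdict}")
```

Run against the samples, the billing e-mail and the help-desk ticket are both flagged as PHI, the extract limited to year and ZIP prefix passes the scanner, and the extract with "age 92" is flagged because Safe Harbor requires ages over 89 to be aggregated. Pointing the same function at mailbox exports or ticket-system dumps is a cheap way to populate the PHI inventory that the risk assessment step calls for.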

Frequently Asked Questions

Q: Do I need HIPAA compliance if I only have one healthcare client?
A: Yes. HIPAA applies based on whether you access PHI, not on the number of healthcare clients you serve. Even one client relationship involving PHI triggers full compliance obligations.

Q: Is signing a BAA enough to be HIPAA compliant?
A: No. A BAA is a legal agreement, not a compliance program. You need policies, technical safeguards, training, risk assessments, and incident response procedures to actually comply with what the BAA commits you to. Signing a BAA without implementing the required protections can increase your liability.

Q: Does HIPAA apply to data stored in the cloud?
A: Yes. Cloud service providers that store PHI are business associates. Major cloud platforms (AWS, Azure, Google Cloud) offer HIPAA-eligible configurations and will sign BAAs, but the responsibility for proper configuration, access controls, and monitoring remains with the business associate.

Q: How often do I need to update my HIPAA risk assessment?
A: HIPAA doesn’t specify an exact frequency, but OCR guidance and industry best practice recommend conducting a comprehensive risk assessment at least annually and whenever significant changes occur — such as new systems, new business relationships, security incidents, or changes in regulatory guidance.

Q: Can my business be fined for a HIPAA violation if we didn’t know we were a business associate?
A: Yes. Ignorance of business associate status is not a defense. OCR evaluates whether a reasonable person in your position should have known that HIPAA applied. If your business handles PHI and lacks a BAA and compliance program, you’re exposed to Tier 1 penalties at minimum and potentially higher tiers depending on the circumstances.


COMNEXIA has provided cybersecurity and IT consulting services to businesses across metro Atlanta since 1991. If you’re unsure whether HIPAA applies to your organization, contact us for a confidential compliance assessment.
