A business associate is any organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity. The category is deliberately broad: cloud hosting providers, video communications platforms (CPaaS), analytics processors, AI medical scribes, and even a subcontractor of another business associate all fall inside it. If PHI passes through your systems in service of a provider or health plan, you are almost certainly a business associate.
This matters more than many founders expect because of how liability works. Since the 2013 HIPAA Omnibus Rule, business associates carry direct liability under the Security Rule and parts of the Privacy Rule — not merely contractual exposure to the covered entity that hired them. The Office for Civil Rights (OCR) can investigate and penalize a business associate directly. So being "just the vendor" does not move HIPAA risk entirely onto your customer; a meaningful share sits with you.
For a telemedicine product team, the practical consequence is that your business-associate status — not the fact that you are a technology company — defines your legal duties. You must sign a Business Associate Agreement (BAA) with each covered-entity customer, flow equivalent BAAs down to your own subprocessors, run a documented risk analysis, and implement the Security Rule safeguards yourself. A frequent pitfall is integrating a new third-party tool (a transcription service, a support platform, a logging vendor) that will see PHI without first putting a BAA in place — quietly creating an uncovered link in the chain and a direct compliance gap.
