HIPAA Omnibus Rule section 164.103 states:
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
Here is a partial list of the types of businesses to look for among those you share ePHI or PHI with. If you share information with one or more of these types of businesses, you should obtain HIPAA Business Associate Agreements from them, along with assurances that they themselves comply with the HIPAA Privacy Rule (some Business Associates will be required to comply with parts of the Privacy Rule) and all of the HIPAA Security Rule.
• Dental and Prescription Insurance Agents
• Health Insurance Agents
• Supplemental Insurance (AFLAC/Colonial)
• Life Insurance Agents
• Joint Ventures
• Collection Agencies
• IT/Website/Web Hosting
• Data Storage/Hard Copy
• Customer Call Center
• Shredding Company
• Marketing/Direct Mail
• Analytics firms
• Medical billing companies
• IT consultants
• Health Information Organizations
• e-prescribing gateways
• Personal Health Record vendors for CEs (covered entities)
• Subcontractors
• Physical storage facilities and electronic storage vendors of PHI and ePHI