A term used in the HIPAA Privacy NPRM to identify organizations that perform business functions for a covered entity, and should therefore be required to accept the same obligations for protecting any individually identifiable health care information that they receive from the covered entity.