I incorporated the following definitions into my BAA, which has helped simplify the understanding of each:
“Covered Entity” is defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
“Business Associate” is generally a person or entity that creates, receives, maintains, or transmits protected health information (PHI) in fulfilling certain functions or activities for a HIPAA-covered entity. Health information that is created or received by a covered entity, identifies an individual, and relates to that individual’s physical or mental health condition, treatment, or payment for health care is considered PHI when it is transmitted or maintained in any form or medium, including electronic media.
Therefore, to answer the question about "shredding companies" - YES, they receive and transmit PHI so they definitely need a BAA. Even though they are not supposed to view the documents, they become responsible for their safekeeping and destruction - which is key!
Hope this helps!