Business Associate vs Covered Entity Explained: Compliance Duties and BAA Checklist


Kevin Henry

HIPAA

January 15, 2025


Definition of Covered Entities

Under HIPAA, covered entities are the organizations the rules apply to directly: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a standard transaction, such as a claim or an eligibility check. Merely creating, receiving, maintaining, or transmitting Protected Health Information (PHI) does not make an organization a covered entity; that activity-based test is what defines a business associate.

  • Health plans: insurers, HMOs, employer group health plans, and government programs such as Medicare and Medicaid.
  • Health care providers: hospitals, clinics, physicians, dentists, pharmacies, and others that conduct standard transactions electronically (electronic billing is the usual trigger).
  • Health care clearinghouses: entities that translate nonstandard health data into standard formats and vice versa.

Covered entities are primarily responsible for meeting the HIPAA Privacy Rule and HIPAA Security Rule, setting the baseline for how PHI is used, disclosed, and safeguarded across their operations and vendor relationships.

Definition of Business Associates

A business associate is a person or entity that performs functions or services for a covered entity that involve the use or disclosure of PHI. Common examples include billing companies, IT and cloud providers, EHR vendors, third-party administrators, legal and accounting firms, analytics firms, and document destruction services.

Under the 2013 Omnibus Rule implementing the HITECH Act, subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates. This Subcontractor Compliance requirement means obligations must “flow down” through every downstream vendor that handles PHI, however many tiers removed from the covered entity.

An organization can be both a covered entity and a business associate in different roles. What matters is the specific activity being performed with PHI in each relationship.


Compliance Obligations of Covered Entities

HIPAA Privacy Rule duties

  • Use and disclose PHI only as permitted or as authorized by individuals; apply the minimum necessary standard.
  • Publish a Notice of Privacy Practices, honor patient rights (access, amendments, and accounting of disclosures), and manage authorizations.
  • Establish policies for workforce access, role-based controls, and sanctions for violations.

HIPAA Security Rule duties

  • Conduct a risk analysis and implement administrative, physical, and technical safeguards for ePHI.
  • Adopt controls such as access management, audit logging, integrity monitoring, and transmission security.
  • Develop contingency plans, incident response processes, and ongoing security evaluations.

Program management and vendor oversight

  • Execute a Business Associate Agreement (BAA) before a vendor receives any access to PHI, and monitor the vendor’s performance against it.
  • Train the workforce, maintain documentation, and regularly review policies and procedures.
  • Meet the Breach Notification Requirement by investigating incidents and issuing timely notices when required.

Compliance Obligations of Business Associates

Security and privacy compliance

  • Comply directly with the HIPAA Security Rule for ePHI, including risk analysis, safeguards, and ongoing monitoring.
  • Comply with applicable HIPAA Privacy Rule provisions, including minimum necessary and limits on uses and disclosures.
  • Use or disclose PHI only as permitted by the BAA or as required by law; implement workforce training and sanctions.

Reporting and cooperation

  • Report security incidents and breaches to the covered entity per the BAA and the Breach Notification Requirement.
  • Support individual rights (access, amendments, and accounting) when delegated in the BAA.
  • Make records and practices related to PHI available to regulators upon request.

Subcontractor Compliance

  • Ensure subcontractors that handle PHI sign BAAs with equivalent restrictions and safeguards.
  • Verify downstream vendors’ security controls and monitor their performance.

Business Associate Agreement Requirements

BAA checklist (what to include)

  • Permitted and required uses/disclosures of PHI by the business associate, including minimum necessary.
  • Obligation to implement administrative, physical, and technical safeguards and to comply with the HIPAA Security Rule.
  • Reporting duties for security incidents and breaches, with a defined notification timeframe. HIPAA sets a ceiling of 60 days from discovery, but BAAs commonly require notice within days, because the covered entity must fit its own individual, regulator, and media notices into the same 60-day window.
  • Subcontractor Compliance: require downstream BAAs that mirror the same protections and obligations.
  • Procedures for access, amendment, and accounting of disclosures when the business associate is responsible.
  • Right to audit/assess controls, ongoing monitoring expectations, and cooperation during investigations.
  • Return or destruction of PHI upon termination; if infeasible, extend protections and limit further use/disclosure.
  • Provisions for termination for cause if a material breach occurs.
  • Allowable management and administrative uses (e.g., de-identification) with safeguards against re-identification.
  • Allocation of risk (e.g., indemnification, cyber insurance) and specifics on encryption, logging, and incident response.

Direct Liability of Business Associates

The HITECH Act makes business associates directly liable for HIPAA violations. Liability covers failure to implement required security safeguards, impermissible uses or disclosures of PHI, failure to provide breach notifications, not ensuring subcontractor compliance, and not providing records to regulators when required.

Civil penalties are tiered by culpability (lack of knowledge, reasonable cause, willful neglect that is corrected, and willful neglect that is not corrected), and knowingly obtaining or disclosing PHI in violation of HIPAA can carry criminal penalties. Strong governance, documented controls, and prompt reporting are essential risk mitigations.

Breach Notification Obligations

What triggers notification

Notification is required when unsecured PHI is breached. PHI that has been encrypted or destroyed in line with HHS guidance counts as secured, so its loss does not trigger notification. An impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a reportable breach unless the covered entity or business associate documents, through a risk assessment, a low probability that the PHI has been compromised. That assessment considers four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

Who notifies whom and when

  • Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery, providing the details the covered entity needs for its own notices. When the business associate is acting as the covered entity’s agent, the business associate’s discovery is imputed to the covered entity, so the covered entity’s clock starts at that moment rather than when it is told.
  • Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery. Every breach must also be reported to HHS: breaches affecting 500 or more individuals within the same 60-day window, and smaller breaches in an annual submission due within 60 days after the end of the calendar year. A breach affecting more than 500 residents of a state or jurisdiction must additionally be reported to prominent media outlets serving that area.

Content and coordination

  • Notices should describe what happened (including the dates of the breach and of its discovery), the types of PHI involved, steps individuals should take to protect themselves, what the organization is doing to investigate, mitigate, and prevent recurrence, and how to contact the organization with questions.
  • Coordination between the covered entity and business associate ensures accurate facts, consistent messaging, and timely delivery.

Key takeaways

  • Covered entities set the privacy baseline and oversee vendors; business associates must meet Security Rule standards and applicable Privacy Rule duties.
  • A precise Business Associate Agreement operationalizes roles, safeguards, Subcontractor Compliance, and the Breach Notification Requirement.
  • Direct liability under the HITECH Act makes strong security, documentation, and rapid incident handling nonnegotiable.

FAQs

What distinguishes a business associate from a covered entity?

A covered entity is a health plan, a health care clearinghouse, or a provider that conducts standard electronic transactions, and it handles PHI as part of its own operations. A business associate performs services or functions for a covered entity (or for another business associate) that involve PHI. The role is activity-based: if you handle PHI on behalf of a covered entity, you are a business associate for that engagement, even if you are a covered entity in other contexts.

What are the key compliance duties of a business associate?

Business associates must comply with the HIPAA Security Rule, applicable HIPAA Privacy Rule provisions, and the Breach Notification Requirement. They must limit uses and disclosures to what the Business Associate Agreement allows, secure ePHI, report incidents, support individual rights when delegated, and ensure Subcontractor Compliance.

When is a business associate agreement required?

A BAA is required whenever a vendor or subcontractor will create, receive, maintain, or transmit PHI for a covered entity or another business associate. The BAA must specify permitted uses, safeguards, reporting timelines, downstream obligations, and how PHI will be returned or destroyed.

How does HIPAA assign liability between covered entities and business associates?

Both parties can be liable for their own violations. The HITECH Act imposes direct liability on business associates for security failures, impermissible uses/disclosures, breach notification failures, and lapses in subcontractor oversight, while covered entities remain responsible for their Privacy and Security Rule compliance and vendor management.
