Business Associate vs. Covered Entity: How HIPAA Defines Responsibilities
Covered Entity Definition
Who qualifies as a covered entity
Under HIPAA, covered entities include health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. If you create, receive, maintain, or transmit Protected Health Information (PHI) in these roles, HIPAA’s Privacy Rule and HIPAA Security Rule apply to you directly.
PHI and permitted PHI disclosure
Protected Health Information is any individually identifiable health data in any form. As a covered entity, you may use or disclose PHI for treatment, payment, and health care operations, and as otherwise authorized or required by law. Every PHI disclosure must follow the minimum necessary standard unless an exception applies (for example, disclosures for treatment or those authorized by the individual).
Business Associate Definition
What makes an organization a business associate
A business associate is any person or organization that performs functions or services for a covered entity that involve PHI, such as claims processing, billing, data analysis, cloud hosting, EHR support, telehealth platforms, or legal and consulting services. Workforce members are not business associates, but vendors and contractors often are.
Subcontractors and the “flow-down” rule
If a business associate engages a subcontractor that will create, receive, maintain, or transmit PHI, that subcontractor also becomes a business associate. Subcontractor compliance must mirror the same privacy and security obligations through a written Business Associate Agreement.
Covered Entity Responsibilities
Establish governance and safeguards
You must implement administrative, physical, and technical safeguards for PHI under the HIPAA Security Rule, adopt Privacy Rule policies, train your workforce, and designate privacy and security officials. Routine risk analyses, mitigation plans, and sanction policies are part of a robust compliance program.
Manage business associate relationships
Before sharing PHI, execute a Business Associate Agreement that defines permitted uses and disclosures, security requirements, and reporting duties. Conduct due diligence, monitor performance proportional to risk, and, upon learning of a material breach by a business associate, take reasonable steps to cure the issue or terminate the relationship if cure is not feasible.
Patient rights and reporting
Covered entities must honor individual rights (access, amendments, accounting of disclosures) and handle Unauthorized Use Reporting and breach notifications in a timely manner. After a breach of unsecured PHI, you must notify affected individuals and other required parties without unreasonable delay and consistent with statutory timelines.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Associate Responsibilities
Direct HIPAA obligations
Business associates are directly subject to the HIPAA Security Rule and to key Privacy Rule provisions. You may use or disclose PHI only as permitted by your Business Associate Agreement or as required by law, and you must apply the minimum necessary standard whenever appropriate.
Safeguards, risk management, and documentation
Implement risk-based safeguards such as access controls, audit logging, encryption where reasonable and appropriate, secure disposal, and incident response. Maintain written policies and workforce training, keep documentation to demonstrate compliance, and be prepared to cooperate with regulatory investigations.
Subcontractor compliance and reporting duties
Flow down all relevant obligations to subcontractors that handle PHI and obtain signed Business Associate Agreements with them. Perform Unauthorized Use Reporting and notify covered entities of security incidents or breaches of unsecured PHI without unreasonable delay, including the facts needed for risk assessment and notification.
Business Associate Agreements
Purpose and core elements
A Business Associate Agreement is the contract that sets boundaries for PHI use and disclosure and requires appropriate safeguards. It should define permitted purposes, require compliance with the HIPAA Security Rule, mandate prompt breach and incident reporting, and prohibit uses such as unauthorized marketing or sale of PHI.
Operational clauses that reduce risk
Effective agreements address subcontractor compliance, minimum necessary practices, audit and assessment rights, cooperation with investigations, return or destruction of PHI upon termination, documentation retention, and termination for cause. Many organizations also include service levels for incident response and reasonable time frames for supporting an accounting of PHI disclosures.
Liability for Business Associate Actions
When each party is directly liable
Business associates are directly liable for failing to safeguard ePHI, for impermissible uses or disclosures, and for not meeting breach notification duties. Covered entities are directly liable for their own HIPAA violations, including inadequate safeguards, improper PHI disclosures, and failure to honor individual rights.
Agency, knowledge, and shared exposure
A covered entity may be liable for a business associate’s actions if the business associate is acting as its agent within the scope of agency, or if the covered entity knew of a pattern of noncompliance and failed to act. Conversely, a properly structured relationship with a compliant Business Associate Agreement reduces—though does not eliminate—downstream risk.
Conclusion
HIPAA draws a clear line between covered entities and business associates, but both must protect Protected Health Information. Covered entities govern access and disclosures and oversee vendors; business associates implement safeguards, restrict use, ensure subcontractor compliance, and report incidents promptly. Strong Business Associate Agreements and vigilant oversight align responsibilities and minimize liability.
FAQs
What is a business associate under HIPAA?
A business associate is a vendor or partner that performs services for a covered entity involving PHI—such as billing, IT hosting, analytics, legal, or consulting—and therefore must meet specific privacy and security obligations, including executing a Business Associate Agreement and complying with the HIPAA Security Rule.
How do business associate agreements protect PHI?
They contractually limit how PHI may be used or disclosed, require safeguards aligned to the HIPAA Security Rule, mandate Unauthorized Use Reporting and breach notification, impose subcontractor compliance, and establish remedies—including termination—if obligations are not met. Together, these provisions tighten control over PHI throughout your vendor ecosystem.
What responsibilities do covered entities have regarding business associates?
Covered entities must identify business associate relationships, execute compliant Business Associate Agreements before sharing PHI, exercise reasonable oversight, and act when aware of noncompliance. They also maintain their own safeguards, manage PHI disclosures under the minimum necessary standard, and perform required notifications when breaches of unsecured PHI occur.