Business Associate vs. Covered Entity Under HIPAA: How to Tell

Kevin Henry

HIPAA

August 11, 2024

Knowing whether you are a business associate or a covered entity is the first step to safeguarding Protected Health Information (PHI) and meeting the HIPAA Privacy Rule and Security Rule. This guide explains how to tell the difference, what each role must do, and how to avoid impermissible disclosure, with practical examples and clear compliance takeaways.

Definitions of Covered Entities and Business Associates

Covered entities

Covered entities are the organizations HIPAA regulates directly. They are: health plans (such as group health plans and insurers), health care clearinghouses, and health care providers who transmit health information electronically in connection with a HIPAA standard transaction (for example, claims or eligibility inquiries). If you diagnose, treat, or pay for care, or process health transactions between providers and payers, and you send or receive those standard electronic transactions, you are almost certainly a covered entity.

Business associates

A business associate is any person or organization that performs functions or services for, or on behalf of, a covered entity (or another business associate) that involve creating, receiving, maintaining, or transmitting PHI. Subcontractors that handle PHI for a business associate are also business associates. Typical examples include billing vendors, IT service providers, cloud storage, and consultants who access PHI to deliver their services.

How to tell at a glance

  • If you need PHI to perform a service for a covered entity or its vendor, you are likely a business associate.
  • If you provide treatment and directly deliver care as a provider, you are likely a covered entity in that role (not a business associate for that treatment activity).
  • If you merely transmit PHI as a true conduit with no routine access (for example, the postal service), you are generally not a business associate.

Key Roles and Responsibilities

Covered entity responsibilities

  • Establish and enforce privacy policies governing uses and disclosures of PHI under the HIPAA Privacy Rule, including the minimum necessary standard.
  • Provide individuals with rights of access, amendment, and accounting of disclosures, and issue a Notice of Privacy Practices.
  • Enter into a Business Associate Agreement (BAA) before sharing PHI with a vendor that qualifies as a business associate.
  • Implement Security Rule safeguards for electronic PHI (ePHI): administrative, physical, and technical protections across systems and workflows.
  • Manage Breach Notification obligations to affected individuals, the media (when required), and regulators.

Business associate responsibilities

  • Use and disclose PHI only as permitted by the BAA and applicable law; prevent impermissible disclosure or use.
  • Comply with the Security Rule for ePHI, including a documented risk analysis, a risk management plan that addresses the identified risks, and regular review of information system activity such as audit logs, access reports, and security incident records.
  • Support Privacy Rule duties that apply to business associates, such as providing access to PHI when needed by the covered entity to satisfy an individual’s request.
  • Flow down HIPAA obligations to subcontractors that create, receive, maintain, or transmit PHI.
  • Report security incidents to the covered entity as the BAA specifies, and report breaches of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, so the covered entity can meet its own Breach Notification deadlines.

Examples of Business Associates

Common examples you can quickly recognize

  • Claims processing, medical billing, and coding companies handling PHI to receive payment.
  • Electronic health record (EHR) vendors and cloud service providers that store or maintain ePHI, even if encrypted.
  • IT support, managed service providers, data backup, disaster recovery, and cybersecurity firms with access to PHI systems.
  • Data analytics, utilization review, quality improvement, and population health services using PHI for operations.
  • Legal, actuarial, accounting, consulting, accreditation, and financial services that need PHI to perform their work.
  • Document management, scanning, printing, and shredding vendors handling PHI content.
  • Third-party administrators (TPAs) for group health plans that receive PHI to administer benefits.

Not business associates in these scenarios

  • True conduits that merely transport information (for example, postal carriers) without routine access to PHI content.
  • Health care providers receiving PHI for treatment purposes—those providers are covered entities for that activity, not business associates.
  • Vendors that receive only de-identified data (no reasonable basis to identify an individual) because de-identified information is not PHI.

Business Associate Agreements (BAA)

When a BAA is required

You must have a Business Associate Agreement in place before a covered entity (or a business associate) shares PHI with a vendor that will create, receive, maintain, or transmit PHI to perform services. No BAA is required for disclosures solely for treatment between providers or when sharing de-identified data.

Core elements to include

  • Permitted and required uses and disclosures of PHI, aligned to the specific services provided.
  • Obligations to implement administrative, physical, and technical safeguards under the Security Rule.
  • Requirements to prevent and report impermissible disclosures, including Breach Notification timelines and processes.
  • Flow-down clauses requiring subcontractors to agree to the same restrictions and safeguards.
  • Support for individual rights (for example, access and amendment) and cooperation with the covered entity.
  • Provisions to return or destroy PHI at contract termination when feasible, and to limit further uses if retention is required.
  • Audit and termination rights for material breach of the BAA.

Operational tips

  • Map the specific PHI needed for the service to honor the minimum necessary standard in the BAA.
  • Define practical incident reporting steps, points of contact, and evidence preservation obligations.
  • Align security requirements with your vendor’s environment, including encryption, access controls, and monitoring.

Direct Liability and Compliance Requirements

What business associates are directly liable for

  • Complying with the Security Rule for ePHI, including comprehensive risk analysis and risk management.
  • Using or disclosing PHI only as permitted by the Privacy Rule, the BAA, or as required by law.
  • Providing Breach Notification to the covered entity without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered.
  • Ensuring subcontractors that handle PHI agree to equivalent restrictions and safeguards.
  • Disclosing PHI to the covered entity (or HHS) as required for compliance, audits, or investigations.

Administrative Safeguards you must implement

  • Security management process: documented risk analysis, risk treatment, and ongoing evaluation.
  • Assigned security responsibility and role-based information access management.
  • Workforce security, security awareness and training, and sanction policies.
  • Security incident procedures and contingency planning (backup, disaster recovery, emergency mode operations).
  • Periodic security evaluations and BAA management with vendors and subcontractors.

Consequences of noncompliance

Violations can lead to corrective action plans, civil money penalties imposed by the HHS Office for Civil Rights, enforcement actions by state attorneys general, and reputational harm. Impermissible disclosure or failure to safeguard PHI often triggers costly remediation and mandatory notifications under Breach Notification requirements, and business associates face these consequences directly rather than only through the covered entity.

Exclusions and Exceptions

Conduit exception

Carriers that merely transport information, with no routine access to PHI content and no storage beyond what is transient and incidental to the transmission itself, are generally not business associates. The conduit exception is narrow and applies to transmission services; a cloud or managed service that maintains ePHI is a business associate even if it never views the data and holds it only in encrypted form.

Treatment disclosures

Provider-to-provider sharing for treatment does not require a BAA. In that context, each provider operates as a covered entity and can use or disclose PHI for treatment under the Privacy Rule.

De-identified data and limited data sets

Information that has been de-identified is not PHI and falls outside HIPAA. Limited data sets used for research, public health, or health care operations require a data use agreement; depending on the arrangement, the recipient may not be a business associate if no other services are performed on behalf of the covered entity.

Personal health apps at individual direction

When an individual directs a covered entity to send PHI to a consumer app of their choosing, the app developer is typically not a business associate for that data flow. Nonetheless, you should clearly document the individual’s direction and separate it from routine vendor access.

Relationship Between Covered Entities and Business Associates

Vendor due diligence and data flow mapping

Start with an inventory of vendors and subcontractors, then map where PHI is created, received, maintained, or transmitted. This clarifies who is a business associate and where the Business Associate Agreement (BAA) is required.
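The inventory-and-mapping step above, together with the "How to tell at a glance" rules earlier on this page, can be turned into a repeatable check rather than a spreadsheet exercise. The following Python is an added illustration written for this article, not code from Accountable or from any HIPAA guidance. The inventory fields (handles_phi, transmission_only, persistent_storage, routine_access, purpose, engaged_by) and the sample vendors are constructed assumptions chosen to exercise each rule the page describes: the business associate definition, the subcontractor flow-down, the conduit exception, provider-to-provider treatment disclosures, de-identified data, and individual-directed apps. Real arrangements often need counsel review; the script only surfaces where a BAA is expected and missing.

```python
"""Classify a vendor inventory into HIPAA roles and report missing BAAs.

Added example for this article. The decision rules mirror the page:
a vendor that creates, receives, maintains, or transmits PHI on behalf of a
covered entity (or of a business associate) is a business associate, unless
one of the narrow exceptions applies. Field names are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Set, Tuple


class Role(str, Enum):
    BUSINESS_ASSOCIATE = "business associate (BAA required)"
    COVERED_ENTITY = "provider receiving PHI for treatment (no BAA)"
    CONDUIT = "conduit (not a business associate)"
    DEIDENTIFIED_ONLY = "receives de-identified data only (not PHI)"
    INDIVIDUAL_DIRECTED = "app chosen by the individual (not a business associate)"
    NO_PHI = "no PHI in scope"


@dataclass
class Vendor:
    name: str
    service: str
    handles_phi: bool                 # creates/receives/maintains/transmits PHI at all
    data_is_deidentified: bool = False
    is_health_care_provider: bool = False
    purpose: str = "service"          # "service" | "treatment" | "individual_direction"
    transmission_only: bool = False   # pure transport, like a postal carrier
    persistent_storage: bool = False  # keeps PHI beyond transit (even encrypted)
    routine_access: bool = False      # staff or systems regularly see PHI content
    engaged_by: str = "covered_entity"  # or the name of the BA that hired it


def classify(v: Vendor) -> Role:
    """Apply the page's rules in order: exclusions first, then the conduit test."""
    if not v.handles_phi:
        return Role.NO_PHI
    if v.data_is_deidentified:
        return Role.DEIDENTIFIED_ONLY      # de-identified data is not PHI
    if v.purpose == "individual_direction":
        return Role.INDIVIDUAL_DIRECTED    # individual chose the recipient app
    if v.is_health_care_provider and v.purpose == "treatment":
        return Role.COVERED_ENTITY         # treatment disclosure between providers
    if v.transmission_only and not v.persistent_storage and not v.routine_access:
        return Role.CONDUIT                # narrow exception: transport only
    # Anything else that maintains or accesses PHI for the entity is a BA,
    # including subcontractors of a BA and encrypted-storage cloud providers.
    return Role.BUSINESS_ASSOCIATE


def baa_required(v: Vendor) -> bool:
    return classify(v) is Role.BUSINESS_ASSOCIATE


def baa_gaps(vendors: Iterable[Vendor], signed_baas: Set[str]) -> List[Tuple[str, str]]:
    """Return (vendor, counterparty) pairs that need a BAA but have none on file.

    The counterparty is whoever engaged the vendor: the covered entity for a
    direct vendor, or the business associate for a subcontractor (flow-down).
    """
    return [(v.name, v.engaged_by) for v in vendors
            if baa_required(v) and v.name not in signed_baas]


def build_sample_inventory() -> List[Vendor]:
    """Constructed sample data, one vendor per rule on the page."""
    return [
        Vendor("ClaimsCo", "medical billing", True, persistent_storage=True, routine_access=True),
        # Encrypted backup with no key: still maintains ePHI, still a BA.
        Vendor("CloudStore", "encrypted offsite backup", True, persistent_storage=True),
        Vendor("PostalCarrier", "mails patient statements", True, transmission_only=True),
        Vendor("ReferralClinic", "specialist treating referred patients", True,
               is_health_care_provider=True, purpose="treatment"),
        Vendor("AnalyticsLab", "population statistics", True, data_is_deidentified=True),
        Vendor("FitnessApp", "patient-selected wellness app", True, purpose="individual_direction"),
        Vendor("OfficeCleaning", "janitorial", False),
        # Subcontractor of ClaimsCo: the BAA is owed to ClaimsCo, not the covered entity.
        Vendor("ShredSub", "document shredding for ClaimsCo", True,
               routine_access=True, engaged_by="ClaimsCo"),
    ]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for vendor in inventory:
        print(f"{vendor.name:15} {classify(vendor).value}")
    print("Missing BAAs:", baa_gaps(inventory, signed_baas={"ClaimsCo"}))
```

Running the script lists each vendor's role and reports two gaps: CloudStore needs a BAA with the covered entity, and ShredSub needs one with ClaimsCo. Treat the transmission_only, persistent_storage and routine_access flags as the questions to ask during due diligence; if any of them is uncertain, the conservative answer is to treat the vendor as a business associate.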

Ongoing oversight and minimum necessary

Use the minimum necessary standard to limit PHI shared with each business associate. Monitor performance through security reviews, audit rights, incident drills, and periodic reassessments of risk and access.

Coordinated incident response

Define how you and your vendors detect, evaluate, and escalate incidents. Timely coordination enables accurate Breach Notification and reduces the likelihood of impermissible disclosure.

Conclusion

Understanding business associate vs. covered entity under HIPAA centers on who needs PHI and why. If you deliver care or operate core health functions, you are likely a covered entity; if you provide services requiring PHI for that entity, you are likely a business associate. Use precise BAAs, implement strong Security Rule safeguards, and manage vendors proactively to protect PHI and maintain compliance.

FAQs

What is a business associate under HIPAA?

A business associate is a person or organization that creates, receives, maintains, or transmits PHI to perform services or functions for, or on behalf of, a covered entity (or another business associate). Subcontractors that handle PHI for a business associate are included in this definition.

How does a covered entity differ from a business associate?

A covered entity delivers care, processes claims, or operates health plan or clearinghouse functions and is directly regulated across the full HIPAA framework. A business associate is a service provider that needs PHI to perform work for the covered entity and is limited to the uses and disclosures permitted by the Privacy Rule and the BAA.

What are the responsibilities of business associates under HIPAA?

Business associates must implement Security Rule safeguards for ePHI, use and disclose PHI only as allowed by the BAA and law, report incidents and suspected breaches promptly, ensure subcontractors follow the same protections, and assist covered entities with applicable Privacy Rule obligations such as access requests.

When is a business associate agreement required?

A BAA is required before a covered entity or business associate shares PHI with a vendor that will create, receive, maintain, or transmit PHI to provide services. It is not required for provider-to-provider treatment disclosures or when sharing de-identified data.
