Covered Entities vs Business Associates Key Differences


Kevin Henry

HIPAA

October 15, 2025

6 minutes read

Definitions of Covered Entities and Business Associates

Understanding the key differences between covered entities and business associates starts with clear definitions. A covered entity is a health plan, health care clearinghouse, or health care provider that transmits health information electronically in HIPAA-covered transactions. These organizations create or steward Protected Health Information (PHI) as part of delivering or paying for care.

A business associate is any person or organization that performs services for or on behalf of a covered entity and, in doing so, creates, receives, maintains, or transmits PHI. Typical business associates include EHR vendors, billing companies, cloud and data hosting providers, telehealth platforms, analytics firms, and legal or consulting services handling PHI under a Business Associate Agreement.

  • Covered entities: deliver care or administer benefits and are directly subject to the HIPAA Privacy Rule and HIPAA Security Rule.
  • Business associates: support covered entities and must meet Security Rule standards and specified Privacy Rule obligations via Omnibus Rule provisions.

HIPAA Regulatory Requirements for Covered Entities

Covered entities must comply with the HIPAA Privacy Rule, which governs permissible uses and disclosures of PHI, minimum necessary standards, notices of privacy practices, and individual rights such as access, amendments, and accounting of disclosures. Workforce training, role-based access, and policies are core expectations.

They must also satisfy the HIPAA Security Rule for electronic PHI (ePHI): conduct a risk analysis, implement administrative, physical, and technical PHI safeguards, manage vendors through due diligence and BAAs, and maintain ongoing risk management. The HITECH Act strengthened enforcement, breach notification, and patient rights, while the Omnibus Rule provisions expanded responsibilities and clarified vendor accountability.

Business Associate Agreements and Obligations

A Business Associate Agreement (BAA) contractually binds a business associate to protect PHI and limits how it may use or disclose PHI. The BAA must require Security Rule compliance, define permissible uses, mandate breach and incident reporting, and flow down obligations to subcontractors that handle PHI.

  • Key terms: safeguard requirements, breach notification timelines and content, cooperation on investigations, access and amendment support, and return or secure destruction of PHI at contract end.
  • Prohibitions: unauthorized marketing or sale of PHI and any use not explicitly permitted by the BAA or HIPAA.
  • Governance: documentation retention, right of audit or assurance, and allocation of responsibilities for HITECH Act compliance.

PHI Handling and Safeguards

PHI safeguards apply across the data lifecycle—creation, receipt, maintenance, transmission, and disposal. Both covered entities and business associates must align controls to the HIPAA Security Rule, with business associates directly responsible for ePHI protection.

Administrative, Physical, and Technical Controls

  • Administrative: risk analysis, risk management, sanction policies, workforce training, vendor oversight, and contingency planning.
  • Physical: facility access controls, device/media management, secure storage, and disposal procedures.
  • Technical: unique user IDs, multi-factor authentication where feasible, encryption at rest and in transit, audit logs, integrity monitoring, and transmission security.

Data Minimization and De-identification

Apply minimum necessary access to limit PHI exposure. Where practical, use de-identified data or a limited data set with a data use agreement to reduce risk and streamline compliance.

Direct Liability and Compliance Enforcement

Under the HITECH Act and the Omnibus Rule provisions, business associates (and their subcontractors) are directly liable for impermissible uses or disclosures of PHI, failure to implement required Security Rule safeguards, failure to provide breach notification to covered entities, and failure to ensure subcontractor compliance. Covered entities remain liable for overall HIPAA program governance and patient rights.

Enforcement actions by the Office for Civil Rights may include corrective action plans, monitoring, and civil monetary penalties, with tiers that scale by culpability and harm. Patterns of noncompliance, willful neglect, or delayed breach reporting increase enforcement risk for both covered entities and business associates.

Responsibilities for Patient Data Access

Covered entities must provide individuals timely access to PHI—generally within 30 calendar days, with one allowable 30-day extension and a written explanation. Access should be in the requested format if readily producible, and fees must be reasonable and cost-based.

Business associates must support this right by furnishing PHI to the covered entity (or directly to the individual if the BAA so states) in a usable format and within agreed timelines. BA systems that store ePHI—such as EHR hosting or cloud archiving—should maintain exportable, patient-readable outputs and documented fulfillment procedures.

Breach Notification and Reporting Procedures

A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. After discovery, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days; large breaches also require notice to HHS and, in some cases, the media. Notices must describe what happened, the PHI involved, steps individuals should take, and mitigation efforts.

Business associates must notify the covered entity of breaches they discover, supplying details to support downstream notifications. Risk assessments should evaluate the nature of PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and mitigation steps. Encryption consistent with strong PHI safeguards can render PHI “secured,” avoiding breach notification obligations for those incidents.

Conclusion

In summary, covered entities drive care delivery and patient rights under the HIPAA Privacy Rule, while business associates enable those operations under BAAs and are directly accountable for Security Rule compliance. Clear contracts, disciplined PHI safeguards, timely access, and rigorous breach response are the practical levers that keep both parties aligned and compliant.

FAQs

What defines a covered entity under HIPAA?

A covered entity is a health plan, health care clearinghouse, or health care provider that transmits health information electronically in standard HIPAA transactions. These organizations create and receive PHI in the course of delivering or paying for care and are primary stewards of PHI under the HIPAA Privacy Rule and HIPAA Security Rule.

How do business associates handle PHI differently?

Business associates handle PHI to perform services for covered entities and must follow Security Rule safeguards and specified Privacy Rule obligations set by Omnibus Rule provisions. Their use and disclosure of PHI are tightly limited by a Business Associate Agreement, which defines permissible purposes, required safeguards, and breach reporting.

Are business associates directly liable for HIPAA violations?

Yes. Under the HITECH Act and the Omnibus Rule, business associates and their subcontractors are directly liable for impermissible uses or disclosures of PHI, failure to implement Security Rule controls, failure to notify covered entities of breaches, and failure to bind subcontractors to equivalent protections.

What are the requirements for Business Associate Agreements?

BAAs must specify permitted PHI uses and disclosures, require HIPAA Security Rule compliance, mandate prompt incident and breach reporting, flow down obligations to subcontractors, support individual rights (such as access and amendments), and require return or secure destruction of PHI at termination. They also address documentation, audit rights, and cooperation with investigations.
