Covered Entities vs Business Associates: The Four HIPAA Entities, Explained


Kevin Henry

HIPAA

January 14, 2025


Understanding covered entities vs business associates is essential to managing Protected Health Information (PHI) lawfully. This guide explains the four HIPAA entities—health plans, health care providers, health care clearinghouses, and business associates—so you can assign responsibilities, structure contracts, and implement safeguards with confidence.

Overview of Covered Entities

Covered entities are the organizations directly regulated by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. They include health plans, health care providers that conduct standard electronic transactions, and health care clearinghouses. These entities create, receive, maintain, or transmit PHI and carry primary compliance obligations.

As a covered entity, you must limit uses and disclosures to what the rules permit, apply the minimum necessary standard, safeguard PHI, and honor individual rights such as access, amendment, and accounting of disclosures. You are also responsible for entering into a Business Associate Agreement (BAA) when vendors handle PHI on your behalf.

Roles of Business Associates

A business associate is a person or organization that performs services or functions for a covered entity—and sometimes for another business associate—that involve creating, receiving, maintaining, or transmitting PHI. Common examples include billing firms, EHR and cloud providers, claims administrators, data analytics vendors, and legal or consultative services that require PHI access.

Under the HITECH Act, business associates assume direct liability for compliance with the Security Rule and specific provisions of the Privacy Rule. Practically, that means you must implement risk-based safeguards, restrict uses and disclosures to those permitted by the BAA, report incidents and breaches, and ensure downstream subcontractors follow the same requirements. This direct liability exists regardless of any contractual remedies in the BAA.

Examples of Covered Entities

Health plans include insurers, HMOs, Medicare, Medicaid, employer-sponsored group health plans, and certain government programs that pay for health care. If you administer or pay for care and handle enrollee PHI, you likely fall within this category.

Health care providers encompass hospitals, physicians, clinics, laboratories, pharmacists, dentists, therapists, urgent care and telehealth providers—so long as they conduct standard electronic transactions (such as claims, eligibility, or remittance). Most modern practices meet this threshold.

Health care clearinghouses transform nonstandard health information into standard formats (and vice versa). Examples include billing services, repricers, and health information exchanges when they perform data translation functions.

Business Associate Responsibilities

As a business associate, you must conduct a security risk analysis and implement administrative, physical, and technical safeguards aligned to the Security Rule. That includes workforce training, role-based access, encryption where feasible, audit logging, and incident response procedures proportionate to risk.

Your Privacy Rule duties include using and disclosing PHI only as permitted by the BAA and applicable law, applying the minimum necessary standard, and supporting covered entities in meeting individual rights. When appropriate, you may use a limited data set under a data use agreement or de-identify data consistent with HIPAA standards.

If an incident occurs, you must evaluate it, mitigate harm, and notify the covered entity of reportable breaches without unreasonable delay and within the timeline set by the Breach Notification Rule. Maintain documentation of investigations, decisions, and corrective actions.


Business Associate Agreement Requirements

A compliant Business Associate Agreement should:

  • Define permitted and required uses and disclosures of PHI, including any limitations on marketing, sale of PHI, or analytics.
  • Require implementation of Security Rule safeguards and adherence to relevant Privacy Rule provisions.
  • Mandate prompt reporting of security incidents and breaches, including the information the covered entity needs for notices.
  • Flow down the same restrictions to subcontractors that create, receive, maintain, or transmit PHI.
  • Obligate cooperation with access, amendment, and accounting requests, and with the covered entity’s obligations to individuals.
  • Permit audits or inspections by the Department of Health and Human Services and require record retention.
  • Address return or destruction of PHI upon termination, or continued protections if destruction is infeasible.
  • Provide for termination for cause in case of material breach, with required mitigation steps.

Well-drafted BAAs also clarify permitted management and administrative uses, breach response coordination, minimum necessary practices, and allocation of responsibilities for encryption, logging, and subcontractor oversight.

Enforcement and Compliance

The Office for Civil Rights (OCR) enforces HIPAA through investigations, corrective action plans, and civil monetary penalties that scale by culpability. The Department of Justice may pursue criminal cases for knowing wrongful disclosures, and state attorneys general can bring civil actions under the HITECH Act.

For practical compliance, you should maintain a living risk assessment, written policies and procedures, current BAAs, workforce training, vendor due diligence, and a tested incident response plan. Document decisions, retain evidence of safeguards, and monitor for changes in your systems and relationships that could alter risk.

Business associates face direct liability for Security Rule violations and certain Privacy Rule failures, making proactive governance, technical controls, and contractual clarity essential.

Subcontractor Obligations

Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are also business associates. You must execute written agreements with them that impose the same Privacy Rule, Security Rule, and Breach Notification Rule requirements that apply to you.

Effective oversight includes screening and selecting vendors based on security maturity, flowing down specific safeguards, monitoring performance, requiring incident reporting, and ensuring minimum necessary access. The chain of trust is only as strong as your least mature subcontractor.

Conclusion

Covered entities originate HIPAA obligations; business associates inherit and share them through direct liability and BAAs. Map your data flows, classify vendors, and operationalize safeguards to protect Protected Health Information while enabling treatment, payment, and health care operations.

FAQs

What are the four entities covered by HIPAA?

The “four HIPAA entities” commonly refers to three types of covered entities—health plans, health care providers that conduct standard electronic transactions, and health care clearinghouses—plus business associates. While business associates are not covered entities, they are directly regulated for key requirements and must comply through direct liability and Business Associate Agreements.

How do business associates differ from covered entities?

Covered entities primarily deliver or pay for health care and are directly responsible for the full sweep of HIPAA obligations. Business associates perform services for covered entities (or for other business associates) that involve PHI. They must follow the Security Rule and relevant Privacy Rule provisions, but their permissions and limits are defined by the BAA and the minimum necessary standard.

What obligations do covered entities have under HIPAA?

Covered entities must implement Security Rule safeguards, follow the Privacy Rule’s use and disclosure limits, provide a Notice of Privacy Practices, and honor individual rights to access, amendment, and accounting. They must investigate incidents, provide breach notifications as required by the Breach Notification Rule, train their workforce, manage vendors through BAAs, and maintain documentation of compliance activities.

When is a Business Associate Agreement required?

A BAA is required whenever a covered entity (or business associate) engages a vendor or partner to create, receive, maintain, or transmit PHI on its behalf. Typical triggers include claims processing, data hosting, analytics, customer support, or legal services involving PHI. Limited exceptions exist, such as mere conduits and certain disclosures for treatment, but when in doubt, evaluate the function and the level of PHI access to determine if a BAA is needed.
