Covered Entities vs. Business Associates Under HIPAA: Scope and Requirements
Definition of Covered Entities
Under HIPAA, covered entities are the organizations primarily regulated for the handling of Protected Health Information (PHI). You are a covered entity if you are a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions.
Health plans include group and individual plans, HMOs, and certain government programs. Clearinghouses translate nonstandard data into standard formats. Providers range from hospitals and clinics to solo practitioners, so long as they conduct standard electronic transactions such as claims or eligibility checks.
PHI encompasses individually identifiable health information in any form—paper, electronic, or oral—created or received by a covered entity. De-identified data falls outside HIPAA, but re-identification risks must still be managed within your compliance program.
This guide is informational and does not constitute legal advice. Always confirm how federal and state requirements apply to your specific operations.
Roles of Business Associates
A business associate (BA) is any person or organization that performs functions or services for, or on behalf of, a covered entity that involve creating, receiving, maintaining, or transmitting PHI. You may also be a BA if you provide services to another BA and handle PHI in the process.
Common BA roles include claims processing, billing, data analysis, utilization review, cloud hosting, EHR and practice management vendors, e-prescribing gateways, transcription, legal or accounting services, and consultants who access PHI. If PHI is part of the service, BA obligations attach.
Business associates have direct compliance duties under HIPAA. You must safeguard PHI, limit uses and disclosures, support individual rights where applicable, and report incidents and breaches to the covered entity in a timely manner.
HIPAA Compliance Requirements for Covered Entities
HIPAA Privacy Rule
The HIPAA Privacy Rule governs how you may use and disclose PHI. Core covered entity obligations include limiting uses and disclosures to those HIPAA permits, providing a Notice of Privacy Practices, applying the minimum necessary standard, and obtaining valid authorizations for uses that are not otherwise permitted, such as most marketing.
You must also support individual rights: access to PHI, amendments, accounting of certain disclosures, and restrictions or confidential communications when appropriate. Policies must translate these requirements into everyday workflows.
HIPAA Security Rule
The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Key actions include conducting a risk analysis, implementing risk management, assigning security responsibility, managing workforce training, and enforcing access and audit controls.
Transmission security, integrity controls, authentication, device and media management, and contingency planning are essential. Encryption is an addressable (rather than required) implementation specification: if you choose an alternative control, you must document why encryption was not reasonable and appropriate and how the residual risk is mitigated.
Breach Notification Rule
The Breach Notification Rule requires you to assess security incidents involving PHI and, if the incident is determined to be a breach, notify affected individuals, regulators, and in some cases the media, without unreasonable delay and within the defined timeframes. Documenting each risk assessment and the resulting decision is critical, including when you conclude that no breach occurred.
Governance and Documentation
Effective programs rely on written policies and procedures, role-based training, sanctions for noncompliance, vendor oversight, and documentation that shows you implemented controls. Ongoing monitoring, audits, and corrective action sustain compliance maturity over time.
Business Associate Agreements
A Business Associate Agreement (BAA) is the contract that binds a BA to HIPAA requirements when PHI is involved. Before a BA begins work, you must execute a BAA that defines permitted uses and disclosures, requires safeguards, mandates breach reporting, and ensures subcontractor compliance through “flow-down” provisions.
BAAs also address access to PHI to meet individual rights, assistance with investigations, return or secure destruction of PHI at termination, and rights to monitor or audit. Clear performance metrics and escalation paths help both parties act quickly if issues arise.
Liability and Enforcement
Both covered entities and business associates can be directly liable for HIPAA violations. The HHS Office for Civil Rights enforces HIPAA through investigations, corrective action plans, and civil monetary penalties, while the Department of Justice may pursue criminal cases for intentional wrongful disclosures.
Penalty tiering considers factors such as the nature and extent of the violation, the number of individuals affected, level of culpability, history of noncompliance, and corrective efforts. State attorneys general may also bring actions, and settlements often require multi-year monitoring.
Exceptions and Subcontractor Responsibilities
When a BAA Is Not Required
A BAA is not required for disclosures between covered entities for treatment purposes, for individuals’ personal representatives, or for “conduit” services that only transmit PHI without persistent storage or routine access (for example, the postal service or a common carrier). However, most cloud services are not mere conduits and typically qualify as BAs.
Incidental disclosures that occur despite reasonable safeguards are not violations. De-identified data is not PHI; limited data sets may be used under a data use agreement for specific purposes like research, public health, or operations.
Subcontractor Compliance
If you are a BA, any subcontractor that creates, receives, maintains, or transmits PHI for you is also a BA and must sign a BAA with you. Flow-down terms should mirror your own obligations, including security safeguards, breach reporting, and termination rights.
Perform due diligence: assess security posture, review policies, limit PHI access to the minimum necessary, and require timely incident notification. Maintain an inventory of vendors and subcontractors and audit high-risk relationships regularly.
Scope of HIPAA Compliance
HIPAA applies to PHI handled by covered entities and their business associates across the full data lifecycle—collection, use, disclosure, storage, transmission, and destruction. Your scope should include people, processes, technology, and third parties that can touch PHI, directly or indirectly.
Boundary awareness matters. Consumer apps operating solely on behalf of individuals are generally outside HIPAA, whereas the same app acting on behalf of a covered entity becomes a BA. HIPAA also coexists with state privacy and breach laws; when both apply, follow the more protective rule.
Building a Practical Program
- Map PHI flows and systems; classify data and define access based on roles.
- Conduct risk analysis and implement controls aligned to the HIPAA Security Rule.
- Operationalize Privacy Rule requirements via clear procedures and training.
- Execute Business Associate Agreements and continuously monitor vendors.
- Test incident response and breach notification playbooks; document decisions.
Conclusion
Covered entities own primary stewardship of PHI under the Privacy, Security, and Breach Notification Rules, while business associates must meet parallel safeguards through BAAs and their direct HIPAA duties. Clarifying roles, scoping data flows, and enforcing subcontractor compliance create a defensible, efficient compliance posture.
FAQs
What are the criteria to be considered a covered entity under HIPAA?
You are a covered entity if you are a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions, such as claims, eligibility, or referrals. Providers who never conduct standard electronic transactions generally are not covered entities.
How do business associates differ from covered entities?
Covered entities deliver or finance health care and are the primary custodians of PHI. Business associates provide services or functions for covered entities (or other BAs) that involve PHI—such as billing, cloud hosting, analytics, or legal support—and must comply with HIPAA through a Business Associate Agreement.
What are the main obligations of covered entities under HIPAA?
Core obligations include implementing the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule; providing a Notice of Privacy Practices; honoring individual rights; applying the minimum necessary standard; training the workforce; documenting policies; and managing vendors through BAAs and oversight.
When is a Business Associate Agreement required?
A BAA is required whenever a vendor or partner will create, receive, maintain, or transmit PHI for or on behalf of your organization. It is not needed for mere conduits or for disclosures to other covered entities for treatment, but most technology and service providers with more than transient PHI access qualify as business associates and require a BAA.
What penalties exist for HIPAA violations?
Enforcement can include corrective action plans, civil monetary penalties that scale by culpability and impact, and—in cases of intentional misuse—criminal penalties. Regulators consider factors such as the nature of the violation, number of people affected, harm caused, history of noncompliance, and remediation efforts.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.