Covered Entities vs. Business Associates Under HIPAA: Scope, Examples, and Risks
Definition of Covered Entities
Under the HIPAA Privacy Rule, a covered entity is one of three types of organizations that handle Protected Health Information (PHI): health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions (for example, claims or eligibility checks). PHI includes individually identifiable health information in any form, including Electronic PHI.
In practice, you are a covered entity if you fall into one of these categories and conduct the specified electronic transactions. The definition is functional: it focuses on your role and activities rather than your industry label, which is why most modern providers and plans qualify.
Examples of Covered Entities
- Health plans: commercial insurers, HMOs, Medicare Advantage plans, Medicaid agencies, and employer-sponsored group health plans.
- Health care providers: hospitals, ambulatory clinics, physician practices, dentists, chiropractors, psychologists, pharmacies, and clinical laboratories that submit electronic claims or other standard transactions.
- Health care clearinghouses: entities that translate nonstandard health data into standard transaction formats, such as claims clearinghouses and certain billing intermediaries.
Note that an employer is not a covered entity merely by employing people; the employer’s group health plan is the covered entity. Likewise, many organizations that support providers and plans are not covered entities themselves—they are business associates.
Definition of Business Associates
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity to perform a regulated function or provide a service. Subcontractors that handle PHI on behalf of a business associate are themselves business associates and inherit the same obligations.
Common examples include revenue cycle and billing vendors, EHR and practice management providers, cloud and data hosting services that store ePHI, data analytics firms, e-prescribing gateways, call centers, transcription services, legal or consulting firms needing PHI, and secure document destruction vendors. The “conduit” exception is narrow and typically limited to entities that merely transmit PHI without persistent storage (for example, certain postal or telecom carriers), not to cloud services.
Business Associate Agreements
A Business Associate Agreement (BAA) is a contract that must be in place before a business associate receives PHI. It sets the rules for how PHI may be used and disclosed, and it binds the associate (and its subcontractors) to HIPAA’s requirements.
Core provisions a BAA should include
- Permitted and required uses/disclosures of PHI, including the minimum necessary standard.
- Obligation to implement administrative, physical, and technical safeguards for electronic PHI, aligned with the Security Rule.
- Duty to report security incidents and potential breaches, including timelines and the content of notifications.
- Flow-down requirements ensuring subcontractors that handle PHI sign BAAs and follow the same protections.
- Support for individual rights (access, amendment, and accounting of disclosures) as directed by the covered entity.
- Restrictions on marketing, sale of PHI, and other Privacy Rule–sensitive activities.
- Return or destruction of PHI upon contract termination where feasible, plus ongoing confidentiality obligations.
- Inspection rights for the covered entity and cooperation with compliance and enforcement activities.
Retain BAAs and related documentation for at least six years from the date of creation or last effective date. Keep your BAA terms synchronized with your internal policies, technical controls, and vendor management practices.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Obligations of Business Associates
Business associates are directly liable for compliance with key parts of the HIPAA Privacy Rule and the full Security Rule. You must be able to demonstrate reasonable and appropriate safeguards for electronic PHI, document your program, and show that your workforce understands and follows it.
Security Rule: safeguard requirements
- Administrative: designate security leadership; conduct an enterprise-wide Risk Assessment (risk analysis); implement risk management, vendor management, training, sanctions, and incident response plans.
- Physical: facility access controls, workstation security, and device/media controls (including secure disposal and encryption of portable media).
- Technical: unique user access, multi-factor authentication where appropriate, role-based access, audit logs and monitoring, integrity controls, and transmission security (e.g., TLS and encryption at rest).
Privacy Rule responsibilities
- Use and disclose PHI only as permitted by your BAA and the Privacy Rule; apply the minimum necessary standard.
- Provide PHI to the covered entity (or the individual when directed) to support access, amendment, and accounting of disclosures.
- Prohibit impermissible uses (such as unauthorized marketing or sale of PHI).
Breach Notification Rule
- Without unreasonable delay and no later than 60 calendar days after discovery, notify the covered entity of a breach and supply required details.
- Use a documented, objective risk assessment to evaluate the probability that PHI was compromised, based on factors such as the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Maintain policies, procedures, and evidence of compliance; review and update them at least annually or upon material changes. Align technical controls with your Business Associate Agreement commitments.
Risks of Non-Compliance
HIPAA violations can trigger tiered civil monetary penalties that scale with culpability, and serious cases can lead to criminal exposure for knowingly obtaining or disclosing PHI. Penalties are assessed per violation with annual caps and are adjusted for inflation. Civil and criminal penalties may also be paired with corrective action plans, external monitoring, and reputational harm.
Enforcement actions are led primarily by the HHS Office for Civil Rights and can also be brought by state attorneys general. Beyond fines, you face contract termination, indemnity claims, litigation risk after breaches, required credit monitoring for affected individuals, and operational disruption during remediation.
Hybrid Entities Under HIPAA
A hybrid entity is a single legal entity that performs both covered and non-covered functions and formally designates its health care components. Examples include universities with medical centers or pharmacies within retail chains. HIPAA applies to the designated components as if they were separate covered entities.
If you are a hybrid entity, you must document the designation, separate workforce roles, and implement “firewalls” so PHI from health care components is not shared impermissibly with non-health components. Business associates should confirm whether their customer is a hybrid and ensure BAAs are scoped to the health care component actually disclosing PHI.
Key takeaway: clearly define who you are (covered entity, business associate, or hybrid component), sign the right Business Associate Agreement, and implement practical safeguards grounded in a current Risk Assessment. Doing so reduces breach likelihood, speeds audits, and limits regulatory and contractual exposure.
FAQs
What is a covered entity under HIPAA?
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. These entities are directly subject to the HIPAA Privacy Rule and Security Rule for PHI and ePHI.
How do business associates differ from covered entities?
Business associates are vendors or partners that create, receive, maintain, or transmit PHI for a covered entity or another business associate. They are not delivering care or paying claims; instead, they provide services (e.g., IT, billing, cloud storage) and must sign a Business Associate Agreement and meet HIPAA requirements relevant to their role.
What are the compliance requirements for business associates?
They must implement administrative, physical, and technical safeguards, complete an organization-wide Risk Assessment, follow the minimum necessary standard, support individual rights via the covered entity, manage subcontractors with BAAs, and provide timely breach notifications. Their safeguards for electronic PHI must align with the Security Rule.
What penalties apply for HIPAA violations by business associates?
Penalties range from tiered civil monetary fines per violation (with annual caps) to criminal liability for knowingly wrongful uses or disclosures of PHI. Enforcement may also impose corrective action plans, audits, and ongoing monitoring, alongside contractual damages and reputational harm.