Covered Entities vs. Business Associates Under HIPAA: Scope, Roles, and Compliance


Kevin Henry

HIPAA

August 12, 2024

8 minute read

Definitions and Examples of Covered Entities

Under HIPAA, covered entities are the organizations directly subject to the Privacy, Security, and Breach Notification Rules when handling Protected Health Information (PHI). PHI includes individually identifiable health information in any form—paper, verbal, or electronic (ePHI)—related to health status, care, or payment.

The three covered entity types

  • Health care providers that transmit health information electronically in standard transactions (for example, hospitals, clinics, physicians, dentists, pharmacies, labs, home health agencies, and many telehealth providers).
  • Health plans (for example, insurers, HMOs, Medicare, Medicaid, employer-sponsored group health plans, and certain government programs).
  • Health care clearinghouses that standardize or translate nonstandard data content into HIPAA transaction standards.

Hybrid Entities

A single legal entity that performs both covered and non-covered functions may designate itself as a Hybrid Entity. You must identify your health care components, restrict PHI flows to those components, and document “firewalls” so non-health components do not access PHI unless a HIPAA permission applies.

Typical examples include universities with medical centers, municipal governments with employee clinics, and retailers operating in-store pharmacies. Hybrid designations help you scope Privacy Rule Compliance and Security Rule Safeguards to the components that handle PHI.

Roles and Responsibilities of Business Associates

Business associates (BAs) are persons or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity—or for another BA—to perform services like claims processing, billing, IT hosting, data analytics, EHR support, cloud storage, legal, auditing, transcription, or secure destruction.

Core responsibilities

  • Use and disclose PHI only as permitted by the Business Associate Agreement (BAA) or as required by law; apply the minimum necessary standard.
  • Implement Security Rule Safeguards—administrative, physical, and technical—to protect ePHI, including access controls, audit logging, encryption strategies, and workforce training.
  • Report any security incident or potential breach to the covered entity and support Breach Notification Rule duties.
  • Flow down obligations to subcontractors that handle PHI by executing BAAs and monitoring their compliance.
  • Provide support for individual rights (for example, access or amendment) when services make the BA the practical custodian of the records.
  • Return or securely destroy PHI at contract end, if feasible, and maintain required documentation.

Business Associate Agreements (BAAs) Requirements

A Business Associate Agreement (BAA) is a written contract that sets the terms under which a BA may use and disclose PHI and the safeguards it must maintain. Without a BAA in place, sharing PHI with a vendor is generally impermissible.

What a compliant BAA must cover

  • Permitted and required uses and disclosures of PHI, expressly prohibiting uses not authorized by the agreement or HIPAA.
  • Obligation to implement Security Rule Safeguards and to comply with applicable Privacy Rule provisions.
  • Procedures to report security incidents and suspected or confirmed breaches to the covered entity promptly.
  • Flow-down requirements ensuring subcontractors execute BAAs and meet the same protections.
  • Commitments to make internal practices and records available to HHS for compliance review.
  • Processes for access, amendment, and accounting of disclosures when the BA holds the relevant PHI.
  • Return or destruction of PHI upon termination and steps to extend protections if destruction is infeasible.
  • Termination for cause if the BA materially breaches the agreement, including required mitigation steps.

Practical drafting tips

  • Define breach and security incident reporting timelines, escalation paths, and incident response roles.
  • Specify encryption requirements, logging expectations, vulnerability management, and third-party testing.
  • Address cyber insurance, audit rights, subcontractor oversight, data retention, and transition assistance.

Compliance Obligations for Covered Entities

Covered entities must implement comprehensive programs spanning the Privacy Rule, Security Rule, and Breach Notification Rule. Your objective is to limit PHI uses/disclosures, secure ePHI, and honor individual rights while enabling care delivery and operations.


Privacy Rule Compliance

  • Publish and follow a Notice of Privacy Practices; identify privacy and security officials; adopt policies and train your workforce.
  • Use/disclose PHI for treatment, payment, and health care operations; obtain valid authorizations for uses outside permitted purposes.
  • Apply the minimum necessary standard and implement role-based access to PHI.
  • Honor individual rights to access, amendment, restrictions, confidential communications, and an accounting of disclosures.
  • Manage vendors through BAAs and monitor for material noncompliance.

Security Rule Safeguards

  • Administrative: enterprise-wide risk analysis and risk management, workforce training, contingency planning, and sanction policies.
  • Physical: facility access controls, workstation security, and device/media controls (for example, secure disposal and reuse).
  • Technical: unique user IDs, strong authentication, access control, encryption at rest/in transit where reasonable and appropriate, audit controls, and integrity protections.

Breach Notification Rule

  • Evaluate incidents for probable compromise using risk factors (nature of PHI, unauthorized person, whether PHI was actually acquired or viewed, mitigation).
  • Notify affected individuals without unreasonable delay and within prescribed timeframes; notify HHS and, when required, the media for larger incidents.
  • Document all decisions and maintain evidence of risk assessments and notifications.

Common pitfalls to avoid

  • Skipping or narrowing the risk analysis; failing to encrypt portable devices and backups.
  • Using vendors without a signed BAA or without evaluating their controls.
  • Delays in patient access or breach notifications; weak termination and offboarding processes.

Direct Liability of Business Associates

Business associates are directly liable under HIPAA for impermissible uses/disclosures of PHI, for failing to provide breach notifications to covered entities, and for not implementing required Security Rule Safeguards. They are also liable for not entering into BAAs with subcontractors that handle PHI and for failing to make compliance records available to HHS.

Direct liability means BAs can face investigations, corrective action plans, and HIPAA Enforcement Actions independent of the covered entity. Subcontractors stand in the same shoes as upstream BAs regarding PHI protections and breach duties.

Covered Entity Liability for Business Associates

As a covered entity, you are liable for your own violations—such as failing to obtain a BAA or ignoring a BA’s known pattern of noncompliance. You must take reasonable steps to cure a BA’s breach and terminate the BAA if the BA will not cure; if termination is infeasible, you should report the issue to HHS.

You may also be liable for a BA’s acts when the BA is your agent under federal common-law principles (for example, when you control the details of the BA’s performance). Strong vendor governance—due diligence, risk assessments, contract controls, security questionnaires, and audit rights—reduces your exposure.

Enforcement and Penalties under HIPAA

The HHS Office for Civil Rights (OCR) enforces HIPAA through complaint investigations, breach-driven compliance reviews, and audits. State attorneys general may also bring actions. Outcomes range from technical assistance to resolution agreements with multi-year corrective action plans and monetary settlements.

Civil penalties follow a tiered structure based on culpability—from lack of knowledge to willful neglect not corrected—with per-violation amounts and annual caps adjusted for inflation. Criminal penalties, enforced by the Department of Justice, apply to certain knowing or intentional violations and can include fines and imprisonment.

What drives HIPAA Enforcement Actions

  • Incomplete risk analysis/risk management and missing or weak Security Rule controls.
  • Lack of BAAs or failure to manage vendors handling PHI.
  • Unencrypted devices, misconfigured cloud storage, and insecure remote access.
  • Late breach notifications or failure to provide timely patient access to records.

Mitigating your risk

  • Maintain an up-to-date, enterprise-wide risk analysis and track remediation to closure.
  • Encrypt portable media and critical systems, monitor logs, and test incident response plans.
  • Map PHI data flows, update BAAs, and verify subcontractor compliance.
  • Document policies, training, decisions, and Breach Notification Rule assessments.

Conclusion

Understanding covered entities vs. business associates under HIPAA clarifies who must do what with PHI. By executing robust BAAs, implementing Security Rule Safeguards, and embedding Privacy Rule Compliance into daily operations, you reduce breach risk and position your organization to withstand scrutiny and enforcement.

FAQs

What entities qualify as covered entities under HIPAA?

Covered entities are health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. Many complex organizations operate as Hybrid Entities by designating health care components and limiting PHI access to those components.

What are the compliance responsibilities of business associates?

Business associates must use/disclose PHI only as the BAA permits, implement Security Rule Safeguards for ePHI, report incidents and breaches, flow down protections to subcontractors, assist with individual rights when applicable, and return or destroy PHI at contract end.

How do Business Associate Agreements ensure HIPAA compliance?

BAAs establish the legal boundaries for PHI use and disclosure, require Security Rule controls, set breach reporting duties, mandate subcontractor compliance, and provide enforcement mechanisms like termination for cause and access for HHS oversight.

What penalties apply for HIPAA violations?

OCR can impose tiered civil monetary penalties based on the level of culpability and may require corrective action plans; state attorneys general can also act. Certain intentional acts may trigger criminal penalties enforced by the Department of Justice.
