Covered Entities vs. Business Associates Under HIPAA: What They Are, Examples, and Compliance Requirements
Definitions of Covered Entities and Business Associates
HIPAA regulates how Protected Health Information (PHI) is created, used, disclosed, and safeguarded. Two roles define who must comply: covered entities and business associates. Understanding where you fit determines which rules apply and what PHI safeguards you must implement.
Covered entities
Covered entities are organizations that directly handle PHI as part of delivering or paying for care or standard transactions. They include:
- Health care providers who transmit health information electronically in standard transactions (for example, claims, eligibility checks).
- Health plans of all types, including group health plans and insurers.
- Health care clearinghouses that process nonstandard health data into standard formats.
Business associates
Business associates are persons or companies that create, receive, maintain, or transmit PHI for a function or activity on behalf of a covered entity. Subcontractors that handle PHI for a business associate are also business associates. Workforce members are not business associates; they are part of the covered entity’s workforce.
Examples of Covered Entities
- Hospitals, health systems, ambulatory surgery centers, and urgent care clinics.
- Physician practices, dental practices, behavioral health providers, and chiropractors that bill electronically.
- Pharmacies and mail-order pharmacy operations.
- Health plans, HMOs, employer-sponsored group health plans, and government programs that pay for care.
- Health care clearinghouses that convert billing data to standard transaction formats.
Examples of Business Associates
- Billing services, medical transcription services, and coding vendors.
- Electronic health record (EHR) vendors and e-prescribing networks.
- Cloud service providers, data centers, backup/storage vendors, and email or messaging platforms that store ePHI.
- IT support, managed service providers, and cybersecurity firms with access to systems containing PHI.
- Revenue cycle and claims processing firms, utilization review, and quality analytics vendors.
- Consultants, accountants, and law firms when services require access to PHI.
- Health information exchanges (HIEs), patient engagement apps offered on behalf of providers, and mail/printing vendors.
Compliance Requirements for Covered Entities
Privacy Rule duties
You must limit uses and disclosures of PHI to the minimum necessary, issue a Notice of Privacy Practices, obtain authorizations when required, and honor individual rights, including access, amendment, and accounting of disclosures. Policies, procedures, and workforce training are mandatory, with appropriate sanctions for violations.
HIPAA Security Rule safeguards
For electronic PHI (ePHI), implement administrative, physical, and technical safeguards. At a minimum, perform a documented risk analysis, manage risks, control access, authenticate users, encrypt data where reasonable and appropriate, maintain audit controls, and establish contingency and disaster recovery plans.
HIPAA Breach Notification Rule
When unsecured PHI is compromised, conduct a risk assessment and, if a breach occurred, notify affected individuals and the U.S. Department of Health and Human Services without unreasonable delay and no later than 60 days after discovery. For large incidents, additional public notice may be required.
Vendor management and documentation
Identify all business associates and execute a Business Associate Agreement (BAA) before sharing PHI. Maintain documentation of policies, training, risk assessments, and incident response. Conduct periodic compliance audits to confirm controls are effective and up to date.
Compliance Requirements for Business Associates
Direct obligations under HIPAA
Business associates are directly liable under HIPAA for complying with the Security Rule and with specific Privacy Rule provisions. You must complete a risk analysis, implement appropriate PHI safeguards, enforce access controls, maintain audit logs, and monitor for security events.
Permitted uses and disclosures
Use or disclose PHI only as permitted by the BAA or as required by law, and apply the minimum necessary standard. Flow down the same restrictions to subcontractors that create, receive, maintain, or transmit PHI on your behalf by executing BAAs with them.
Breach reporting and incident response
Upon discovering a breach of unsecured PHI, notify the covered entity without unreasonable delay and no later than 60 days after discovery, or sooner if your BAA requires. Preserve evidence, investigate root causes, and document corrective actions to prevent recurrence.
Governance, training, and audits
Designate security and privacy leads, train your workforce, and retain documentation of policies, access reviews, and technical safeguards. Be prepared for compliance audits by customers and regulators, and regularly test your incident response and disaster recovery plans.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Associate Agreements and Their Importance
A Business Associate Agreement is the contract that authorizes a vendor to handle PHI and binds both parties to protect it. A robust BAA clarifies allowed uses and disclosures, assigns responsibilities, and aligns expectations for security and breach response.
Core elements to include
- Permitted and required uses/disclosures of PHI and the minimum necessary standard.
- Obligation to implement HIPAA Security Rule controls and other PHI safeguards.
- Timely breach and security incident reporting, investigation, and cooperation requirements.
- Subcontractor flow-down clauses ensuring downstream BAAs and equivalent protections.
- Individual rights support (access, amendment, accounting) when applicable.
- Return or destruction of PHI at termination and termination-for-cause rights.
- Allocation of responsibilities for compliance audits, documentation, and ongoing risk management.
Why BAAs matter
BAAs operationalize privacy and security obligations, reduce ambiguity, and establish enforcement mechanisms. They help demonstrate due diligence, support contract monitoring, and reinforce direct liability for mishandling PHI.
Liability and Enforcement Under HIPAA
Direct liability and shared risk
Covered entities and business associates face direct liability for violating applicable HIPAA provisions. Regulators can pursue both parties when a violation involves shared responsibilities or inadequate vendor oversight.
Civil, criminal, and corrective actions
HIPAA enforcement includes tiered civil monetary penalties based on culpability, settlement agreements with corrective action plans, and—in egregious cases—criminal prosecution for knowingly obtaining or disclosing PHI. Penalty caps adjust annually for inflation.
Regulatory investigations and compliance audits
The HHS Office for Civil Rights investigates complaints, breach reports, and patterns of noncompliance. It also conducts desk and onsite compliance audits to evaluate Privacy Rule, Security Rule, and Breach Notification Rule readiness across both covered entities and business associates.
Practical risk reduction
Focus on fundamental controls: current risk analysis and remediation, strong identity and access management, encryption, vendor due diligence with enforceable BAAs, workforce training, logging and monitoring, and tested incident response. These steps reduce breach likelihood and demonstrate good-faith compliance.
Conclusion
Covered entities deliver and pay for care; business associates support them by handling PHI under contract. Both must implement PHI safeguards, follow the HIPAA Security Rule and HIPAA Breach Notification Rule, and be audit-ready. Clear BAAs, disciplined governance, and proactive risk management are the foundation of sustainable compliance.
FAQs
What is the difference between a covered entity and a business associate?
A covered entity is a provider, health plan, or clearinghouse that directly handles PHI to deliver or pay for care. A business associate is a vendor or subcontractor that creates, receives, maintains, or transmits PHI for a covered entity. The difference determines which HIPAA provisions apply directly and what a Business Associate Agreement must require.
What are the compliance responsibilities of business associates?
Business associates must implement Security Rule controls, restrict PHI uses to those allowed by the BAA, apply the minimum necessary standard, ensure subcontractor compliance via BAAs, and report breaches without unreasonable delay. They must maintain documentation, train their workforce, and prepare for compliance audits.
How do Business Associate Agreements protect PHI?
BAAs define permitted uses and disclosures, require PHI safeguards, set breach reporting timelines, and mandate subcontractor flow-downs. They also address data return or destruction, termination for cause, and cooperation during investigations, creating contractual accountability that complements HIPAA's direct liability.
What penalties exist for HIPAA violations by business associates?
Business associates face tiered civil monetary penalties, corrective action plans, and potential criminal exposure for knowingly wrongful disclosures. Penalty amounts depend on the nature and extent of the violation and are adjusted annually for inflation. Strong controls and prompt breach response significantly reduce enforcement risks.