Covered Entities vs. Business Associates: Who HIPAA Covers and What’s Required

Kevin Henry

HIPAA

January 27, 2025

6-minute read

Definition of Covered Entities

Under HIPAA, covered entities are the organizations primarily regulated for how they create, receive, maintain, or transmit Protected Health Information (PHI). You fall into this group if you are a health plan, a health care clearinghouse, or a health care provider that conducts standard electronic transactions (such as eligibility checks, claims, or remittance advice).

Being a covered entity triggers core obligations under the HIPAA Privacy Rule and HIPAA Security Rule, along with the Breach Notification Rule when incidents occur. These rules set the baseline for how you safeguard PHI and honor patient rights.

Definition of Business Associates

A business associate is any person or organization that performs services or functions for a covered entity involving the use or disclosure of PHI. If your work lets you access, store, analyze, or transmit PHI on behalf of a covered entity, you are a business associate—even if you never look at the data. Subcontractors that handle PHI for a business associate are also business associates.

Business associates are not part of a covered entity’s workforce. However, they have direct compliance duties under HIPAA, including implementing Administrative Safeguards, Physical Safeguards, and Technical Safeguards and following the Breach Notification Rule.

Examples of Covered Entities

  • Health care providers that bill electronically: hospitals, physician practices, clinics, dentists, chiropractors, mental health providers, pharmacies, laboratories, and imaging centers.
  • Health plans: commercial insurers, HMOs, Medicare, Medicaid, employer-sponsored group health plans, and certain government health programs.
  • Health care clearinghouses: entities that translate nonstandard health information into standard transaction formats (and vice versa).

Organizations that perform both covered and non-covered functions may operate as hybrid entities, applying HIPAA to designated health care components that handle PHI.

Examples of Business Associates

  • Claims processing, billing, coding, and revenue cycle management vendors.
  • Cloud service providers, data centers, backup/archive services, and managed IT or cybersecurity firms that host or maintain ePHI.
  • EHR and patient portal providers, health information exchanges, e-prescribing gateways, and integration vendors.
  • Legal, accounting, actuarial, auditing, consulting, transcription, and call center services handling PHI.
  • Secure mailing, scanning, printing, shredding, device disposal, and records storage companies dealing with PHI or media containing PHI.

Business Associate Agreement Requirements

Before a business associate can handle PHI, you must execute Business Associate Agreements (BAAs). A compliant BAA should, at minimum, do the following:

  • Specify permitted and required uses and disclosures of PHI by the business associate, and prohibit any other use or disclosure.
  • Require implementation of Administrative, Physical, and Technical Safeguards consistent with the HIPAA Security Rule to protect ePHI.
  • Mandate prompt reporting of breaches of unsecured PHI and relevant security incidents under the Breach Notification Rule.
  • Obligate the business associate to ensure subcontractors that create, receive, maintain, or transmit PHI agree in writing to the same restrictions and safeguards.
  • Require the business associate to provide access to PHI (and, as applicable, amendments and an accounting of disclosures) to support individual rights.
  • Require the business associate to make its HIPAA-related practices and records available to the Secretary of Health and Human Services upon request.
  • Address return or destruction of PHI upon termination of the BAA where feasible, and authorize termination if the business associate violates the agreement.
  • Reinforce the “minimum necessary” standard for uses, disclosures, and requests involving PHI.

Business Associate Compliance Obligations

Business associates have direct HIPAA duties. You must maintain policies, procedures, and workforce training; conduct a risk analysis; manage risks; and document everything you implement. Your obligations include the following:

Security Rule: Safeguards to Protect ePHI

  • Administrative Safeguards: risk analysis and management, workforce security, access management, security awareness training, contingency planning, and vendor oversight.
  • Physical Safeguards: facility access controls, workstation and device security, and device/media controls for storage, reuse, and disposal.
  • Technical Safeguards: unique user access, role-based permissions, audit controls and logs, integrity protections, authentication, and transmission security (e.g., encryption in transit).

Privacy Rule and Minimum Necessary

Use and disclose PHI only as permitted by your BAA or as required by law. Apply the minimum necessary standard to routine uses, disclosures, and requests not involving treatment.

Breach Notification Rule

If you discover a breach of unsecured PHI, notify the covered entity without unreasonable delay and within required timelines. Your incident response should include investigation, risk assessment, containment, mitigation, and documented notification.

Subcontractor Management and Documentation

Execute BAAs with subcontractors that handle PHI, and monitor them commensurate with risk. Maintain documentation (including risk analyses, policies, procedures, and training records) for at least six years or longer if required by contract or policy.

Covered Entity Responsibilities and Oversight

As a covered entity, you remain ultimately accountable for your HIPAA program. You must implement the HIPAA Security Rule (Administrative, Physical, and Technical Safeguards), comply with the Privacy Rule, and follow the Breach Notification Rule when incidents affect your patients.

When engaging business associates, perform due diligence, execute BAAs before PHI flows, and apply the minimum necessary standard. If you become aware of a business associate’s material breach or pattern of noncompliance, take reasonable steps to cure the issue or terminate the agreement if remediation is not feasible.

Build oversight that matches the risk: review SOC reports or security attestations where appropriate, verify required safeguards, and ensure subcontractor flows are covered by BAAs. Document your evaluations, decisions, and corrective actions to demonstrate ongoing compliance.

Key Takeaways

  • Covered entities and business associates both have concrete, enforceable duties for protecting PHI.
  • Business Associate Agreements define permissible PHI handling and hardwire Security Rule safeguards and breach reporting.
  • Effective oversight, risk analysis, and documented safeguards reduce incidents and prove compliance.

FAQs

Does HIPAA require business associates to sign agreements?

Yes. Before a business associate creates, receives, maintains, or transmits PHI for you, a Business Associate Agreement must be in place. The BAA sets permitted uses and disclosures, requires Security Rule safeguards, and mandates breach reporting and subcontractor flow-down terms.

What are the compliance obligations for business associates?

Business associates must implement Administrative, Physical, and Technical Safeguards under the HIPAA Security Rule, follow applicable Privacy Rule provisions (including minimum necessary), and comply with the Breach Notification Rule. They must train staff, conduct risk analyses, manage vendors, document their program, and sign BAAs with any subcontractors that handle PHI.

Can a covered entity act as a business associate?

Yes. A covered entity can also function as a business associate when it performs services for another covered entity that involve PHI. In that role, it must sign a BAA and meet the same business associate requirements for how it uses, safeguards, and discloses PHI.
