Covered Entities vs. Business Associates: Who Must Follow the HIPAA Privacy Rule


Kevin Henry

HIPAA

February 26, 2025

7 minutes read

Understanding who must follow the HIPAA Privacy Rule helps you organize compliance duties, prevent misuse of protected health information (PHI), and build trust. This guide clarifies the difference between covered entities and business associates, what each must do, and how to manage risk while maintaining HIPAA compliance.

Covered Entities Definition

Covered entities are organizations directly regulated by the HIPAA Privacy Rule. They include health plans, health care clearinghouses, and health care providers that conduct standard electronic health transactions (such as claims, eligibility checks, referral authorizations, and remittance advice).

Categories and examples

  • Health plans: health insurers, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and certain employee benefit plans.
  • Health care providers: hospitals, physician practices, clinics, pharmacies, dentists, labs, behavioral health providers, and telehealth providers—when they transmit PHI in standard electronic transactions.
  • Health care clearinghouses: entities that translate or reformat health information between different transaction standards for billing and other operations.

If a provider never conducts covered electronic health transactions, that provider is not a covered entity under HIPAA. Once covered, the organization must meet covered entity obligations for PHI safeguarding, individual rights, and permissible uses and disclosures.

Business Associates Definition

A business associate is a person or entity that, on behalf of a covered entity, creates, receives, maintains, or transmits PHI to perform a function or service (claims processing, data analysis, hosting, and so on). Since the 2013 Omnibus Rule, a business associate's own subcontractors that handle PHI downstream are themselves business associates, regardless of whether they have any contract with the covered entity.

Typical business associates

  • Billing companies, revenue cycle vendors, coding and auditing firms.
  • Cloud service providers, data centers, backup vendors, and IT managed service providers that store or process ePHI (even if encrypted and unreadable to them).
  • EHR and patient portal vendors, e-prescribing gateways, HIEs/HIOs, analytics firms, and quality measurement vendors.
  • Consultants, legal counsel, and accounting firms when their work requires PHI access.

Workforce members of a covered entity are not business associates. Carriers that merely transport information as a “conduit” without routine access to the content generally are not business associates; once a vendor stores or maintains PHI, it typically is.

HIPAA Privacy Rule Applicability

The HIPAA Privacy Rule sets when PHI may be used or disclosed and what safeguards and processes must be in place. Covered entities must comply with the full rule. Business associates are directly bound only by the Privacy Rule provisions that apply to them (chiefly the limits on uses and disclosures, the minimum necessary standard, and the obligation to support individual access) plus whatever additional restrictions their business associate agreements impose.

Permitted uses and disclosures

  • Treatment, payment, and health care operations, without patient authorization.
  • Disclosures to the individual, and disclosures for which the individual is given an opportunity to agree or object (for example, facility directories and sharing with family involved in care).
  • Disclosures required by law, and disclosures for specific public-interest purposes (public health, health oversight, judicial and administrative proceedings, law enforcement, and research), each subject to the rule's conditions.
  • All other uses and disclosures require a valid, written authorization from the individual; most marketing, sale of PHI, and psychotherapy-note disclosures always require one.

Minimum necessary standard

Outside of treatment and certain exceptions, you must limit uses, disclosures, and requests to the minimum necessary PHI to accomplish the purpose.

De-identified information

Data that are properly de-identified, either by the Safe Harbor method (removal of the 18 listed identifier types with no actual knowledge the remainder could identify the individual) or by expert determination, are not PHI and fall outside the Privacy Rule. Limited data sets, which strip most direct identifiers but may retain dates and some geographic detail, remain PHI and may be shared only for research, public health, or health care operations under a data use agreement.

Business Associate Agreements

Before a business associate handles PHI, the parties must sign a business associate agreement (BAA). The BAA allocates responsibilities and is central to HIPAA compliance for both sides.


Core BAA requirements

  • Define permitted and required uses and disclosures of PHI, including any limits tied to the covered entity’s notices and policies.
  • Require PHI safeguarding with administrative, physical, and technical measures appropriate to the risk.
  • Mandate breach notification to the covered entity without unreasonable delay and no later than 60 calendar days after discovery. The 60 days is the regulatory outer limit; BAAs routinely set a much shorter contractual window so the covered entity can meet its own deadlines to individuals and regulators.
  • Flow down obligations to subcontractors that create, receive, maintain, or transmit PHI.
  • Support individual rights: make PHI available for access, amendment, and accounting of disclosures as the covered entity directs.
  • Require cooperation with investigations by the regulator, and the return or destruction of PHI at contract end; where return or destruction is not feasible (backups, legal holds), the BAA must extend its protections to the retained PHI and limit further use to the purposes that make return infeasible.
  • Allow termination if the business associate materially breaches the agreement.

Business Associate Direct Liability

Business associates are directly liable under HIPAA for certain violations, not just for breaking a contract. They must implement appropriate safeguards, restrict uses and disclosures to what the Privacy Rule or the BAA permits, and notify covered entities of breaches of unsecured PHI.

Common enforcement exposures

  • Impermissible uses or disclosures of PHI (including beyond the minimum necessary).
  • Failure to implement risk-based security controls for ePHI and related policies and workforce training.
  • Failure to notify the covered entity of a breach of unsecured PHI promptly.
  • Failure to ensure subcontractors agree to and follow equivalent protections.
  • Failure to cooperate with regulator requests or retain required documentation.

Penalties can be substantial and scale with culpability, the nature of the violation, and corrective actions taken.

Covered Entity Responsibilities

Covered entities carry the primary duty for Privacy Rule compliance. Your program should be risk-based, documented, and actively monitored.

Key covered entity obligations

  • Publish and follow a Notice of Privacy Practices; designate privacy and security leadership and train your workforce.
  • Establish policies for uses/disclosures, apply the minimum necessary standard, and manage authorization processes.
  • Execute and maintain business associate agreements; conduct due diligence and monitor performance proportionate to risk.
  • Provide timely individual access to records and support requests for amendments and accounting of disclosures.
  • Perform risk analysis, implement PHI safeguarding measures, and maintain documentation of your HIPAA compliance activities.
  • Execute breach notification: investigate incidents, perform the four-factor risk assessment to determine whether PHI was compromised, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, notify HHS (and prominent media) at the same time for breaches affecting 500 or more individuals and within 60 days after year end for smaller ones, and mitigate harms.

Individual Rights Under HIPAA

The Privacy Rule gives people meaningful control over their health information. You must make these rights easy to exercise and respond within required timeframes.

Primary rights

  • Access: obtain copies of PHI in the requested form and format if readily producible, generally within 30 days of the request (one 30-day extension is permitted with written notice), for no more than a reasonable, cost-based fee.
  • Amendment: request corrections to inaccurate or incomplete PHI.
  • Accounting of disclosures: receive a record of certain non-routine disclosures.
  • Restrictions: request limits on sharing; if a person pays in full out-of-pocket, you must restrict disclosure to a health plan for that item or service unless required by law.
  • Confidential communications: choose alternative addresses or contact methods.
  • Notice and complaints: receive a Notice of Privacy Practices and file complaints without retaliation.

Conclusion

Covered entities and business associates both must follow the HIPAA Privacy Rule, but their roles differ. Covered entities own the overall program and individual rights processes, while business associates carry defined responsibilities through law and business associate agreements. Aligning contracts, safeguards, and workflows ensures PHI safeguarding, timely breach notification, and durable HIPAA compliance.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit PHI in standard electronic health transactions. Examples include insurers and HMOs; hospitals, clinics, and pharmacies; and entities that translate billing data between formats.

What responsibilities do business associates have under the HIPAA Privacy Rule?

Business associates must use and disclose PHI only as permitted by the Privacy Rule and their BAA, implement safeguards, notify the covered entity of breaches without unreasonable delay, flow down protections to subcontractors, and cooperate with investigations and access/amendment processes as directed.

How must covered entities manage their business associates to remain compliant?

Covered entities must execute compliant business associate agreements, vet and monitor vendors proportionate to risk, ensure subcontractors meet equivalent protections, and integrate vendors into incident response and breach notification workflows. They should document oversight activities as part of their HIPAA compliance program.

What rights do individuals have regarding their health information under HIPAA?

Individuals have rights to access and obtain copies of their PHI, request amendments, receive an accounting of certain disclosures, request restrictions (including self-pay restrictions to health plans), request confidential communications, receive a Notice of Privacy Practices, and file complaints without retaliation.
