Covered Entity vs. Business Associate: How HIPAA Rules Apply to You
Understanding Covered Entity vs. Business Associate distinctions is essential to applying the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification requirements correctly. This guide clarifies who you are under HIPAA, what Protected Health Information (PHI) entails, and how your compliance obligations differ.
Defining Covered Entities
Who qualifies
- Health care providers that transmit PHI electronically in standard transactions (claims, eligibility, referrals), such as hospitals, physicians, dentists, and pharmacies.
- Health plans, including insurers, HMOs, employer group health plans, Medicare, Medicaid, and certain government programs.
- Health care clearinghouses that process nonstandard information into standard formats and vice versa.
What PHI includes
Protected Health Information is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. When PHI is in electronic form, it is Electronic Protected Health Information (ePHI), which triggers specific HIPAA Security Rule safeguards.
Trigger for HIPAA
HIPAA applies to covered entities when they handle PHI or ePHI in connection with standard administrative and financial transactions. If a provider never conducts these transactions electronically, HIPAA may not apply, although state privacy laws may still apply.
Identifying Business Associates
Core definition
A business associate is a person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another business associate) for functions like claims processing, data analysis, IT services, or legal support. Subcontractors that handle PHI are business associates too.
What is not a business associate
- A covered entity’s workforce members (employees, volunteers, trainees) acting within their roles.
- Entities acting merely as conduits (for example, postal services or certain couriers) with only transient PHI access; the “conduit exception” is narrow and does not cover routine storage.
- Providers sharing PHI for treatment purposes with other providers, where a Business Associate Agreement is not required.
Common scenarios
- Vendors that store backups of ePHI or host EHR systems.
- Billing companies, practice management providers, and claims clearing services.
- Legal, accounting, and consulting firms that need PHI to serve the covered entity.
Understanding Business Associate Agreements
When a BAA is required
A Business Associate Agreement is required before a vendor or subcontractor creates, receives, maintains, or transmits PHI on your behalf. The BAA defines permissible uses and disclosures and binds the associate to HIPAA compliance obligations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Essential elements
- Permitted and required uses/disclosures of PHI and limits on further use.
- Safeguards for PHI and ePHI consistent with the HIPAA Security Rule.
- Prompt Breach Notification to the covered entity, including required details.
- Flow-down: subcontractors must agree to the same protections.
- Support for individual rights (access, amendments, and, where delegated, accounting of disclosures).
- Return or secure destruction of PHI at termination, when feasible.
- Rights to terminate for material breach and obligations to document compliance.
Practical tips
- Map data flows first; execute BAAs only where PHI/ePHI exposure exists.
- Align the BAA with your risk analysis, security controls, and incident response plan.
- Review BAAs periodically to address new systems, subcontractors, or services.
Exploring Direct Liability of Business Associates
What business associates are directly responsible for
- Implementing administrative, physical, and technical safeguards for ePHI under the HIPAA Security Rule.
- Using or disclosing PHI only as permitted by the Privacy Rule, the BAA, or as required by law; applying the minimum necessary standard where it applies.
- Executing BAAs with subcontractors that handle PHI and overseeing their compliance.
- Providing timely Breach Notification to the covered entity after discovering an incident involving unsecured PHI.
- Supporting access to PHI and other individual rights if those duties are delegated.
- Maintaining required documentation and cooperating with compliance investigations.
Enforcement considerations
Business associates can face civil monetary penalties for violations, independent of the covered entity. Strong security practices, documented risk management, and rapid incident response are critical to reducing enforcement risk.
Responsibilities of Covered Entities
Privacy Rule responsibilities
- Provide a Notice of Privacy Practices, apply the minimum necessary standard, and manage uses/disclosures consistent with the HIPAA Privacy Rule.
- Honor individual rights: access, amendments, restrictions, confidential communications, and, when applicable, accounting of disclosures.
Security Rule responsibilities
- Conduct a risk analysis and implement risk management for ePHI.
- Establish administrative, physical, and technical safeguards (policies, training, access controls, encryption where reasonable and appropriate, and audit logging).
Breach Notification responsibilities
- Assess incidents for compromise of unsecured PHI and provide notifications to individuals, regulators, and, when required, the media within the required timeframes.
- Document investigations, mitigation steps, and corrective actions to demonstrate compliance.
Managing business associates
- Identify vendors that qualify as business associates and execute BAAs before PHI sharing.
- Exercise reasonable oversight, including onboarding due diligence and periodic review of safeguards and performance.
Examples of Covered Entities
- Hospitals, ambulatory surgery centers, urgent care clinics, and physician practices that bill electronically.
- Pharmacies that transmit electronic prescriptions and claims.
- Health plans such as commercial insurers, HMOs, Medicare Advantage plans, and employer group health plans.
- Health care clearinghouses that translate data between standard and nonstandard formats.
Examples of Business Associates
- EHR and practice management vendors; cloud hosting, backup, and data center providers that store ePHI.
- Medical billing services, revenue cycle management, and coding vendors.
- Law firms, accountants, actuaries, and consultants needing PHI to perform contracted tasks.
- IT managed service providers, device support firms, and secure messaging or telehealth platforms with PHI access.
- Third-party administrators, utilization review organizations, quality measurement and analytics firms.
- Document storage, scanning, e-discovery, and secure shredding companies handling PHI.
Key takeaways
Covered entities determine why PHI is used; business associates help perform those functions and must safeguard PHI under their own compliance obligations. Clear scoping, robust BAAs, and disciplined security and breach response practices keep both parties aligned and compliant.
FAQs
What is the difference between a covered entity and a business associate?
A covered entity is a health plan, health care clearinghouse, or a provider that conducts standard electronic transactions; it is directly responsible for the full HIPAA Privacy Rule, Security Rule, and Breach Notification requirements. A business associate is a vendor or subcontractor that creates, receives, maintains, or transmits PHI for a covered entity and is directly liable for specific HIPAA obligations, including safeguarding ePHI and reporting breaches.
What are the responsibilities of a covered entity under HIPAA?
Covered entities must implement Privacy Rule policies, deliver a Notice of Privacy Practices, honor individual rights, and apply the minimum necessary standard. They must also perform risk analysis, implement Security Rule safeguards for ePHI, manage Business Associate Agreements, and provide timely Breach Notification with documentation of mitigation and corrective actions.
When is a business associate agreement required?
A Business Associate Agreement is required before a vendor or subcontractor creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another business associate). The BAA sets permitted uses and disclosures, mandates HIPAA-level safeguards, requires Breach Notification, and flows these obligations down to any subcontractors that handle PHI.