Covered Entity vs. Business Associate: How to Tell Under the Privacy Rule


Kevin Henry

HIPAA

May 11, 2024


Understanding whether you are a covered entity or a business associate is the first step to handling protected health information responsibly. This guide shows you exactly how to tell the difference under the HIPAA Privacy Rule, when written assurance contracts are required, and what privacy safeguard compliance looks like in practice.

Define Covered Entities Under HIPAA Privacy Rule

What counts as a covered entity

Under the Privacy Rule, covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with HIPAA-covered transactions. If you pay for care, provide care, or standardize data between entities, you likely fit here.

Core categories and examples

  • Health plans: insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans.
  • Health care providers: hospitals, physicians, clinics, pharmacies, laboratories, and telehealth providers that conduct HIPAA-covered transactions.
  • Health care clearinghouses: entities that transform nonstandard health data into standard transaction formats, or vice versa.

HIPAA-covered transactions

These include electronic claims, eligibility inquiries, referral authorizations, enrollment/disenrollment, claim status, and remittance advice. If your organization conducts any of these electronically, you are within HIPAA’s regulated space.

Protected health information (PHI)

PHI is individually identifiable health information created or received by a covered entity or business associate, in any form. It covers past, present, or future health status, care provided, and payment details tied to an individual.

Identify Business Associates and Their Functions

Definition you can apply

A business associate is any person or entity (not in your workforce) that creates, receives, maintains, or transmits PHI for or on behalf of a covered entity to perform a function or service. Subcontractors that handle PHI for a business associate are also business associates.

Typical functions

  • Claims processing, billing, revenue cycle, utilization review, and data analysis.
  • IT services involving PHI: cloud hosting, EHR vendors, data backup, managed security, and health information exchanges (HIEs).
  • Professional services using PHI: legal, actuarial, accounting, accreditation, and consulting.
  • Shredding, disposal, and records storage vendors that maintain PHI.

Practical signal

If you need access to PHI to deliver your contracted service, you are likely a business associate and must meet Privacy, Security, and breach notification requirements set by HIPAA and your agreement.

Distinguish Between Covered Entities and Business Associates

Quick decision test

  • Are you delivering health care, paying for care, or converting data formats for others? You are likely a covered entity.
  • Are you providing services to a covered entity and need PHI to do so? You are likely a business associate.
  • Do you independently provide treatment to patients as a provider? You are a covered entity for that role, even if you also serve other entities.

Illustrative scenarios

  • A hospital (covered entity) hires a cloud vendor to host ePHI. The cloud vendor is a business associate.
  • An independent lab that treats patients directly is a covered entity. If the lab also analyzes data for a plan’s quality program, it becomes a business associate for that service.
  • A health plan (covered entity) contracts with a third-party administrator that handles PHI. The administrator is a business associate.

Explain Business Associate Agreements and Requirements

When BAAs are required

You must execute a Business Associate Agreement whenever a vendor or subcontractor will create, receive, maintain, or transmit PHI for your organization. Covered entities must have BAAs with each business associate, and business associates must have BAAs with their PHI-handling subcontractors.

Core elements of the agreement

  • Permitted and required PHI uses and disclosures, aligned to the minimum necessary standard.
  • Privacy safeguard compliance: implement administrative, physical, and technical safeguards for PHI and ePHI.
  • Breach notification requirements: report breaches to the covered entity without unreasonable delay and within required timeframes.
  • Downstream obligations: ensure subcontractors agree to the same restrictions and safeguards.
  • Individual rights support: enable access, amendment, accounting of disclosures, and restrictions as applicable.
  • Termination and PHI disposition: return or destroy PHI at contract end if feasible.

Written assurance contracts

BAAs function as written assurance contracts that document the responsibilities, safeguards, and reporting duties that attach when PHI is involved.


Outline Liability and Compliance Responsibilities

Covered entities

  • Implement Privacy Rule policies, issue a Notice of Privacy Practices, train your workforce, and apply the minimum necessary standard.
  • Safeguard ePHI under the Security Rule with a documented risk analysis, risk management plan, and ongoing monitoring.
  • Fulfill breach notification requirements to affected individuals, the government, and the media when thresholds are met.

Business associates

  • Comply directly with the Security Rule and relevant portions of the Privacy Rule specified in the BAA.
  • Limit PHI use to contract-permitted purposes, maintain documentation, and flow down protections to subcontractors.
  • Report incidents and breaches promptly and cooperate in investigations and mitigation.

Enforcement risk

Both covered entities and business associates face tiered civil penalties for noncompliance, with higher tiers for willful neglect. Knowingly misusing PHI can also trigger criminal exposure.

Describe Hybrid Entities and Health Care Components

What a hybrid entity is

A hybrid entity performs both HIPAA-covered and non-covered functions (for example, a university with a medical center, or a city with a public clinic). Only its designated health care components are subject to HIPAA.

Hybrid entity designation

  • Formally identify and document the health care components that handle PHI.
  • Establish firewalls so non-covered parts don’t impermissibly access PHI.
  • Apply policies, safeguards, and BAAs to components as if they were standalone covered entities.

Compliance implications

Train the workforce assigned to health care components, restrict sharing across the firewall, and monitor vendors supporting those components as business associates where PHI is involved.

Clarify Exclusions from Business Associate Definition

Common exclusions you should know

  • Workforce members of a covered entity are not business associates.
  • Conduits that transmit PHI with only transient access (for example, postal services or certain telecom carriers) are not business associates; however, cloud storage providers that maintain PHI are business associates.
  • Provider-to-provider or provider-to-plan disclosures for treatment, payment, or health care operations between covered entities do not create a business associate relationship.
  • Financial institutions processing consumer-initiated payments (such as clearing checks or card transactions) are not business associates when acting in that limited role.
  • Disclosures required by law to public agencies (for example, public health reporting) do not make the agency a business associate.
  • A plan sponsor of a group health plan is not a business associate of its own plan when receiving PHI as permitted by plan documents and law.

Bottom line: ask whether the recipient is doing work on your behalf and needs access to PHI to perform it. If yes, you likely need a BAA; if not, another HIPAA permission may apply.

FAQs

What is the definition of a covered entity under HIPAA?

A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits health information electronically in connection with HIPAA-covered transactions. If you provide or pay for care or standardize health data, you fall into this category.

How do business associates differ from covered entities?

Covered entities deliver or pay for care or standardize health data. Business associates are outside vendors or partners who need PHI to perform services for those covered entities (or for other business associates). They must sign written assurance contracts and implement privacy safeguard compliance measures.

When are business associate agreements required?

You need a Business Associate Agreement whenever a vendor or subcontractor will create, receive, maintain, or transmit PHI on your behalf. The BAA sets permitted uses, required safeguards, and breach notification requirements, and it flows down to any subcontractors handling PHI.

What are the compliance responsibilities of hybrid entities?

Hybrid entities must complete a hybrid entity designation that identifies the health care components handling PHI, apply HIPAA policies and safeguards to those components, maintain internal firewalls, and manage vendors supporting those components as business associates where PHI is involved.
