Covered Entity vs. Business Associate Under HIPAA: Key Differences and Risks


Kevin Henry

HIPAA

December 30, 2024

7 minutes read
Definitions of Covered Entities and Business Associates

Covered entities

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. If you bill insurers electronically, run a health plan, or process claims, you are likely a covered entity.

Business associates

Business associates are persons or organizations that create, receive, maintain, or transmit Protected Health Information (PHI) for or on behalf of a covered entity, or for another business associate. Typical examples include EHR vendors, cloud and data-hosting providers, billing firms, claims processors, consultants, lawyers, and analytics firms.

Protected Health Information (PHI)

PHI is individually identifiable health information in any form—paper, electronic, or oral—related to health status, care, or payment. De-identified data falls outside HIPAA, but once data can identify an individual, HIPAA’s rules apply to both covered entities and business associates.

HIPAA Compliance Obligations for Covered Entities

Privacy Rule duties

Under the HIPAA Privacy Rule, you must define and follow permissible uses and disclosures of PHI, apply the minimum necessary standard, and provide required notices. Patients must have rights to access, obtain copies, request amendments, and receive an accounting of disclosures.

Security Rule safeguards

The HIPAA Security Rule requires a risk analysis and implementation of administrative, physical, and technical safeguards for ePHI. You need role-based access, authentication, audit controls, encryption where reasonable and appropriate, workforce training, and sanction policies.

Breach Notification Rule

When unsecured PHI is compromised, the Breach Notification Rule requires you to assess risk and notify affected individuals—and when applicable, HHS and the media—without unreasonable delay and within required timeframes. Your incident response plan should define investigation, documentation, and notification steps.

HITECH Act compliance

The HITECH Act strengthened enforcement, expanded individuals’ rights, and made business associates directly accountable for key HIPAA duties. You must align policies, vendor management, and breach response to satisfy HITECH Act compliance as well as the HIPAA Privacy, Security, and Breach Notification Rules.

Business Associate Agreement Requirements

Core contractual terms

A Business Associate Agreement (BAA) must describe permitted and required uses and disclosures of PHI; require safeguards that satisfy the HIPAA Security Rule; and mandate reporting of breaches, security incidents, and Privacy Rule violations. It should also address minimum necessary practices and any restrictions requested by the covered entity.

Flow-down and lifecycle obligations

  • Subcontractors: Require downstream BAAs with the same restrictions and conditions.
  • Individual rights: Support access, amendment, and accounting requests when PHI is in your custody.
  • Termination: Return or securely destroy PHI, or extend protections if return or destruction is infeasible.
  • Regulatory access: Make internal practices, books, and records relating to PHI available to HHS upon request.
  • Breach coordination: Specify timelines and content for reports so upstream entities can meet notification deadlines.

Risk allocation best practices

To operationalize your BAA, align it with a security exhibit that details encryption, logging, backup, and incident response; define audit rights; and set appropriate indemnity and insurance requirements. Clear, testable obligations reduce ambiguity and enforcement risk for both parties.

Direct Liability and Enforcement Actions

When covered entities are liable

Covered entities are directly liable for failing to implement required Privacy and Security Rule safeguards, mishandling patient rights, and inadequate breach response. Vendor failures often remain your responsibility if governance and oversight are deficient.

When business associates are liable

Business associates are directly liable for violating the HIPAA Security Rule, using or disclosing PHI contrary to the Privacy Rule or the BAA, failing to provide breach notices to the covered entity, and not executing required downstream BAAs. Liability attaches even if the covered entity is not at fault.

Enforcement pathways and penalties

HHS OCR investigates complaints and breaches, issues resolution agreements and corrective action plans, and can impose tiered civil monetary penalties that escalate with culpability. The Department of Justice may pursue criminal cases for intentional misconduct. State attorneys general can also bring actions, increasing exposure to civil and criminal penalties.

Risks and Consequences of Non-Compliance

Non-compliance drives costs from regulatory penalties, breach notification and remediation, litigation, and contract termination. You may face monitoring obligations, mandated audits, and expensive corrective actions that divert resources from core operations.

Reputational damage and business loss

Trust erosion with patients, members, and partners can lead to churn, delayed sales, and higher due diligence hurdles. Cyber insurance premiums may increase, and partners may require stricter security attestations or refuse to exchange data.

Common failure points

  • Incomplete risk analysis or missing Security Rule controls for ePHI.
  • Weak vendor oversight and absent or outdated BAAs.
  • Poor access governance, logging, and incident response readiness.
  • Insufficient workforce training on Privacy Rule requirements and minimum necessary.

Overlapping Responsibilities and Safeguards

Shared obligations

Both covered entities and business associates must protect PHI under the HIPAA Security Rule, limit uses and disclosures under the Privacy Rule, and coordinate Breach Notification Rule duties. Each party should maintain policies, training, and sanctions tailored to its role and risk profile.

Security safeguards that matter most

  • Risk analysis and risk management with documented remediation plans.
  • Access controls, strong authentication, and least-privilege design.
  • Encryption for data at rest and in transit, plus key management.
  • Audit logging, monitoring, and tested incident response procedures.
  • Business continuity, backups, and secure disposal of media.

Data governance and accountability

Define data flows, retention, and disposal schedules; map who is the system of record; and validate minimum necessary access. Coordinate change management and vendor assessments so new services or integrations keep PHI protections intact.

Role of Subcontractors and Dual Status Entities

Subcontractors are business associates

Any subcontractor that handles PHI on behalf of a business associate is itself a business associate. You must execute downstream BAAs, ensure equivalent safeguards, and monitor compliance, including timely incident escalation to meet upstream breach notification obligations.

Managing the downstream chain

  • Due diligence: Evaluate security maturity, certifications, and prior incidents.
  • Contract controls: Flow down Security Rule requirements and reporting timelines.
  • Oversight: Use risk-based audits, attestations, and performance metrics.
  • Exit planning: Ensure PHI return or destruction and revoke access promptly.

Dual status and hybrid considerations

Vendors can be both a covered entity and a business associate in different contexts (dual status). Hybrid entities may designate health care components to segregate functions. In both cases, maintain clear boundaries, access controls, and documentation to avoid improper PHI use or disclosure.

Conclusion

Covered entity vs. business associate distinctions determine who must do what—and when—under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Clarify roles, execute robust BAAs, implement risk-based safeguards, and coordinate breach response to achieve HITECH Act compliance while reducing legal, financial, and reputational risk.

FAQs

What is the difference between a covered entity and a business associate?

A covered entity provides or pays for health care or processes standard transactions, while a business associate performs services involving PHI for a covered entity or another business associate. Covered entities are primary custodians of PHI; business associates handle PHI as part of delegated functions defined by a BAA.

What obligations do covered entities have under HIPAA?

Covered entities must follow the HIPAA Privacy Rule’s use and disclosure limits and patient rights, implement Security Rule safeguards for ePHI, and comply with the Breach Notification Rule after incidents. They must manage vendors via BAAs, train staff, apply minimum necessary, and maintain policies and documentation.

When is a business associate directly liable for HIPAA violations?

A business associate is directly liable when it fails to meet Security Rule requirements, uses or discloses PHI beyond the Privacy Rule or BAA, does not provide required breach notices to the covered entity, or fails to execute downstream BAAs with subcontractors that handle PHI.

What are the consequences of non-compliance with HIPAA requirements?

Consequences include tiered civil monetary penalties, potential criminal exposure for intentional misconduct, corrective action plans, audits, contract losses, breach response costs, and reputational harm. Both covered entities and business associates can face enforcement, and state attorneys general may bring additional actions.
