Covered Entity vs. Business Associate: What’s the Difference Under HIPAA?


Kevin Henry

HIPAA

April 09, 2026


Definition of Covered Entities

Under the HIPAA Privacy Rule and HIPAA Security Rule, a covered entity is an organization that directly provides or pays for health care and handles Protected Health Information (PHI). Covered entities are the primary, regulated actors responsible for protecting PHI and honoring individual rights.

Specifically, covered entities include three categories: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standardized transactions (such as billing). These entities must implement PHI safeguards, limit uses and disclosures, and maintain policies and procedures that ensure ongoing compliance.

Definition of Business Associates

A business associate is any person or organization, other than a member of a covered entity’s workforce, that creates, receives, maintains, or transmits PHI on behalf of a covered entity for a regulated function, or that provides services to a covered entity which involve PHI. Subcontractors that handle PHI for a business associate are themselves business associates.

Vendors that merely act as “conduits” (for example, transmitting data without persistent storage, where any access to PHI is transient and incidental) or that receive only de-identified data are not business associates. Once a vendor can access, store, or manipulate PHI, it becomes a business associate and assumes specific HIPAA responsibilities, including appropriate PHI safeguards and Data Breach Notification duties.

Examples of Covered Entities

  • Health plans: commercial insurers, HMOs, employer-sponsored group health plans, Medicare and Medicaid plans.
  • Health care providers: physicians, clinics, hospitals, dentists, pharmacies, laboratories, and telehealth practices that conduct electronic standard transactions.
  • Health care clearinghouses: entities that translate or process nonstandard health information into standard formats (and vice versa) for billing and claims.

Examples of Business Associates

  • Claims processing and medical billing vendors, third-party administrators, and payment processors handling PHI.
  • Electronic health record (EHR) providers, cloud storage and backup services, hosting providers, and managed service providers that maintain ePHI.
  • Health information exchanges, e-prescribing gateways, data analytics firms, and population health or quality reporting platforms using PHI.
  • Professional service firms—legal, accounting, audit, and consulting—when their work involves access to PHI (for example, compliance reviews or Risk Analysis support).
  • Transcription, scanning, and document destruction/shredding services that receive PHI.
  • Messaging, faxing, and patient engagement tools that store or transmit PHI beyond a transient conduit role.

Business Associate Agreements

A Business Associate Agreement (BAA) is a written contract a covered entity must have in place before sharing PHI with a business associate. Business associates must also execute BAAs with any subcontractors that handle PHI. The BAA allocates HIPAA responsibilities and sets enforceable expectations for PHI safeguards and incident handling.

Core BAA elements typically include: permitted and required uses/disclosures of PHI; a commitment to implement administrative, physical, and technical safeguards aligned to the HIPAA Security Rule; application of the minimum necessary standard; prompt Data Breach Notification to the covered entity; downstream obligations for subcontractors; rights to audit or receive compliance assurances; termination provisions and return or destruction of PHI at contract end; and cooperation with the covered entity to support Privacy Rule rights and regulatory investigations.

BAAs are generally not required for disclosures between covered entities for treatment purposes or for services that involve no PHI access. When PHI access exists, a BAA is mandatory to ensure clear, documented accountability.


Direct Liability of Business Associates

Business associates are directly liable under HIPAA for their own compliance failures. This includes implementing Security Rule controls, restricting PHI uses and disclosures to what the BAA permits, and honoring the minimum necessary standard. They must conduct Risk Analysis and risk management, train their workforce, and maintain policies, procedures, and documentation that demonstrate ongoing compliance.

  • Security Rule compliance: safeguard ePHI through administrative, physical, and technical measures, including access controls, audit controls, integrity protections, and transmission security.
  • Privacy Rule duties: use or disclose PHI only as permitted, prevent impermissible disclosures, and support covered entities in fulfilling individual rights (such as access or amendments when applicable).
  • Subcontractor management: execute BAAs with subcontractors that handle PHI and oversee their compliance.
  • Breach response: assess incidents, mitigate harm, and provide timely Data Breach Notification to the covered entity.
  • Regulatory cooperation: make records and practices available to regulators upon request.

Violations can trigger significant civil penalties, contractual liability under the BAA, and—in cases involving knowing misuse of PHI—potential criminal exposure.

Obligations of Covered Entities and Business Associates

Covered entities and business associates share core responsibilities to protect PHI. Under the HIPAA Security Rule, both must perform Risk Analysis, implement risk-based PHI safeguards, and continuously manage vulnerabilities. Under the HIPAA Privacy Rule, both must limit PHI to the minimum necessary, prevent impermissible uses and disclosures, and support individual rights through coordinated processes and documentation.

  • Shared program essentials: written policies and procedures; workforce training and sanctions; access management and audit logging; contingency planning; vendor oversight; and routine reviews of safeguards.
  • Data Breach Notification: business associates notify the covered entity without unreasonable delay; covered entities notify affected individuals (and regulators, and sometimes the media) within required timeframes and maintain breach documentation.
  • Covered entity–specific duties: publish a Notice of Privacy Practices, manage patient requests (access, amendments, restrictions), maintain designated record sets, and ensure BAAs are executed and monitored.
  • Business associate–specific duties: comply with BAA terms, limit PHI to contractually authorized purposes, bind subcontractors, and return or securely destroy PHI at contract termination when feasible.

Effective compliance aligns people, processes, and technology. When you map data flows, execute strong BAAs, and maintain ongoing safeguards and monitoring, you reduce risk, strengthen trust, and meet HIPAA’s Privacy and Security Rule standards.

FAQs

What distinguishes a covered entity from a business associate under HIPAA?

A covered entity directly delivers or pays for care and is primarily regulated by HIPAA. A business associate is a vendor or partner that creates, receives, maintains, or transmits PHI for the covered entity. If a vendor can access PHI, it becomes a business associate and must follow applicable HIPAA rules and the Business Associate Agreement.

What are the key obligations of business associates regarding PHI?

Business associates must implement HIPAA Security Rule controls, apply the minimum necessary standard, restrict uses and disclosures to what the BAA permits, perform Risk Analysis and risk management, oversee subcontractors, and provide timely Data Breach Notification to the covered entity following an incident.

When is a business associate agreement required?

A BAA is required before a covered entity shares PHI with a vendor that will access, store, or process it, and before a business associate allows a subcontractor to handle PHI. It is not required when no PHI access occurs or for certain treatment-related disclosures between covered entities.

What are the consequences of non-compliance for covered entities and business associates?

Both face regulatory enforcement, including civil monetary penalties, corrective action plans, and reputational harm. Contract breaches can lead to termination and damages, and willful misuse of PHI can trigger criminal exposure. Robust PHI safeguards, documented policies, and prompt breach response reduce these risks.
