Covered Entity vs Business Associate: Who Is Regulated Under HIPAA and How



Kevin Henry

HIPAA

January 24, 2025

9 minute read

Understanding who HIPAA regulates—and how—is essential to managing Protected Health Information (PHI) lawfully. This guide clarifies the roles of covered entities and business associates, the scope of the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule, and how contracts and safeguards align to keep PHI protected.

Covered Entities Under HIPAA

Who covered entities are

Covered entities include three groups: health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions (such as claims or eligibility checks). If a provider never conducts such electronic transactions, that provider is not a covered entity under HIPAA.

Common examples

  • Health plans: insurers, HMOs, Medicare, Medicaid, employer-sponsored group health plans.
  • Clearinghouses: entities that translate nonstandard health data into HIPAA-standard formats.
  • Providers: hospitals, physicians, dentists, pharmacies, labs—when they conduct HIPAA-standard electronic transactions.

Hybrid entities and healthcare components

Organizations that perform both covered and non-covered functions (for example, a university with a clinic) may designate themselves as hybrid entities. Only the designated health care components must comply as covered entities, but the organization must keep PHI and the processes that handle it appropriately walled off from its non-covered components.

Business Associates and Their Roles

Definition and scope

A business associate is any person or organization that performs services or functions for a covered entity involving the use or disclosure of PHI, or that creates, receives, maintains, or transmits PHI on the covered entity’s behalf. Subcontractors of business associates that handle PHI are themselves business associates.

Typical business associate services

  • Claims processing, billing, coding, revenue cycle and practice management.
  • Electronic health record vendors, cloud hosting and storage providers, data backup and archiving.
  • Data analytics, quality improvement, utilization review, and population health tools.
  • Third-party administrators, legal and e-discovery vendors, transcription, call centers, and shredding companies.

Mere conduit versus business associate

Couriers and internet backbone providers that merely transport data without routine access are typically “mere conduits.” In contrast, a cloud service that stores PHI is a business associate even if the PHI is encrypted and the vendor does not actively view it.

Direct liability

Business associates are directly regulated under HIPAA. They must comply with the HIPAA Security Rule and specific provisions of the HIPAA Privacy Rule, and they face civil and criminal penalties for violations, independent of any covered entity liability.

HIPAA Privacy and Security Obligations

Privacy Rule duties

Covered entities must limit uses and disclosures to those permitted or required by the HIPAA Privacy Rule, follow the minimum necessary standard, provide a Notice of Privacy Practices, and uphold individual rights to access, amendment, restrictions, confidential communications, and an accounting of disclosures. They must designate privacy officials, train their workforce, and apply sanctions for violations.

Business associates may use and disclose PHI only as allowed by the Business Associate Agreement (BAA) or as required by law. They must support the covered entity in honoring individual rights (for example, by supplying PHI for access or amendment requests) and report improper uses, disclosures, and breaches.

Security Rule duties

Both covered entities and business associates must implement risk-based safeguards under the HIPAA Security Rule. This includes Administrative Safeguards (risk analysis and risk management, governance, workforce training, incident response, contingency planning), Physical Safeguards (facility access controls, workstation and device protections, media disposal), and Technical Safeguards (access controls, authentication, audit controls, integrity protections, and transmission security). Encryption is “addressable” but strongly recommended as a practical baseline.


Breach Notification Requirements

Determining whether an incident is a breach

An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Consider at least four factors: the nature and extent of PHI involved; the unauthorized person; whether PHI was actually acquired or viewed; and the extent to which risk has been mitigated. Limited exceptions apply for certain good-faith and inadvertent disclosures.

Notification timelines and recipients

  • Individuals: Covered entities must notify without unreasonable delay and no later than 60 calendar days after discovery. Notices must describe what happened, the types of PHI involved, steps individuals should take, what is being done to mitigate harm, and contact information.
  • HHS: For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 days. For fewer than 500 individuals, log and report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
  • Media: If 500 or more residents of a single state or jurisdiction are affected, notify prominent media outlets in that area within 60 days.

Business associate duties

Business associates must notify the relevant covered entity without unreasonable delay and no later than 60 days after discovery, supplying information the covered entity needs to notify individuals, HHS, and, when required, the media. BAAs often require sooner internal deadlines and detailed incident reporting.
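The deadline tiers above (individuals, HHS by breach size, media by per-state count, and the business associate's report to the covered entity) are easy to get wrong when the small-breach clock runs from the end of the calendar year rather than from discovery. The following function is an added example, not code from the article or from Accountable; the state counts and discovery date are constructed sample input, and it computes only the outer limits, since "without unreasonable delay" and any shorter BAA deadlines still apply.

```python
from datetime import date, timedelta

# Outer limits stated in the article; "without unreasonable delay" still
# governs, and a BAA may impose shorter internal deadlines.
WINDOW = timedelta(days=60)
LARGE_BREACH = 500


def _iso(d: date) -> str:
    return d.isoformat()


def notification_plan(discovered_iso: str, affected_by_state: dict,
                      role: str = "covered_entity") -> dict:
    """Return the outer notification deadlines (ISO dates) for one incident.

    discovered_iso: date the breach was discovered, e.g. "2025-01-24".
    affected_by_state: {state_or_jurisdiction: residents affected} (constructed input).
    role: "covered_entity" or "business_associate".
    """
    discovered = date.fromisoformat(discovered_iso)
    total = sum(affected_by_state.values())
    plan = {"total_affected": total}

    if role == "business_associate":
        # A business associate reports to the covered entity, which then
        # notifies individuals, HHS and (when required) the media.
        plan["covered_entity"] = _iso(discovered + WINDOW)
        return plan

    # Individuals: always, no later than 60 calendar days after discovery.
    plan["individuals"] = _iso(discovered + WINDOW)

    # HHS: 60-day clock from discovery for 500+ individuals; otherwise log
    # and report within 60 days of the end of the calendar year of discovery.
    if total >= LARGE_BREACH:
        plan["hhs"] = _iso(discovered + WINDOW)
    else:
        year_end = date(discovered.year, 12, 31)
        plan["hhs"] = _iso(year_end + WINDOW)

    # Media: only for states/jurisdictions with 500+ affected residents.
    plan["media"] = {
        state: _iso(discovered + WINDOW)
        for state, count in affected_by_state.items()
        if count >= LARGE_BREACH
    }
    return plan


if __name__ == "__main__":
    # Constructed sample: 700 New York residents and 120 New Jersey residents.
    print(notification_plan("2025-01-24", {"NY": 700, "NJ": 120}))
```

Note that the per-state media trigger is independent of the overall HHS tier: a breach can cross 500 in total and still require no media notice if no single state reaches 500.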

Contractual Requirements with Business Associates

Core elements of a Business Associate Agreement

  • Permitted and required uses and disclosures of PHI by the business associate; prohibition on uses beyond those terms.
  • Requirement to implement safeguards consistent with the HIPAA Security Rule and to comply with relevant Privacy Rule provisions.
  • Obligation to report security incidents and breaches to the covered entity promptly.
  • Assurance that subcontractors who handle PHI agree to the same restrictions and safeguards.
  • Support for individual rights: access, amendment, and accounting of disclosures.
  • Commitment to make practices, books, and records available to HHS for compliance review.
  • Return or destruction of PHI at contract termination, if feasible, and termination rights for material breaches.

When a BAA is required—and when it is not

  • Required whenever a vendor or partner will create, receive, maintain, or transmit PHI on behalf of a covered entity (or another business associate).
  • Not required for a covered entity’s workforce members, for disclosures to another provider for treatment purposes, or when only de-identified data (not PHI) is shared.
  • “Mere conduit” services generally do not require BAAs; storage or hosting services that maintain PHI do.

Implementing Security Safeguards

Administrative Safeguards

  • Conduct and document an enterprise-wide risk analysis; implement a risk management plan with clear ownership and timelines.
  • Establish policies for access management, minimum necessary, incident response, and sanctioning; train the workforce routinely and on role-specific risks.
  • Develop contingency plans: data backup, disaster recovery, and emergency mode operations; test these plans periodically.
  • Manage vendors: due diligence, BAAs, security questionnaires, and ongoing monitoring.

Technical Safeguards

  • Enforce unique user IDs, least-privilege access, and multifactor authentication for systems containing PHI.
  • Enable audit logging and regular log review; deploy endpoint protection and centralized monitoring.
  • Encrypt PHI in transit and at rest; secure APIs; segment networks; patch systems promptly.
  • Implement data loss prevention, secure configuration baselines, and secure disposal/wipe of retired media.

Physical Safeguards

  • Control facility access; secure server rooms and networking closets; maintain visitor logs.
  • Harden workstations, use privacy screens where appropriate, and lock devices when unattended.
  • Manage device and media movement with tracking, storage protocols, and certified destruction.

Practical roadmap

  • Inventory systems that create, receive, maintain, or transmit PHI; map data flows.
  • Prioritize risks with measurable remediation milestones and executive oversight.
  • Test incident response with tabletop exercises; refine playbooks for ransomware and lost devices.
  • Continuously evaluate safeguards as business processes and technologies change.

Distinguishing Covered Entities from Business Associates

Quick decision guide

  • If you deliver care, pay for care, or translate health data for transactions, you likely are a covered entity.
  • If you provide services to a covered entity and handle PHI to deliver those services, you are a business associate.
  • If you only transport data as a conduit without routine access, you are not a business associate.
  • If you are a large organization performing both covered and non-covered functions, consider hybrid entity designation.

Illustrative scenarios

  • A cloud storage provider hosting medical images for a hospital is a business associate and needs a BAA.
  • An EHR company implementing and supporting software for clinics is a business associate.
  • A physician billing a payer electronically is a covered entity; the outside billing firm is the business associate.
  • A consumer-facing wellness app used solely at an individual’s direction, without acting on behalf of a covered entity, is generally not a business associate.

Summary

HIPAA regulates both covered entities and business associates. Covered entities drive care delivery and payment and must satisfy the HIPAA Privacy Rule and HIPAA Security Rule across their operations. Business associates are directly liable for safeguarding PHI and for using or disclosing it only as permitted by a Business Associate Agreement. Both must follow the Breach Notification Rule and maintain effective administrative and technical safeguards to protect PHI throughout its lifecycle.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers who conduct standard electronic transactions (such as claims, eligibility inquiries, or referral authorizations). Providers that do not engage in those transactions electronically are not covered entities for HIPAA purposes.

What are the key responsibilities of covered entities?

They must follow the HIPAA Privacy Rule and HIPAA Security Rule: limit uses and disclosures to what the rules permit, apply the minimum necessary standard, provide a Notice of Privacy Practices, honor individual rights (access, amendment, accounting, restrictions, confidential communications), train the workforce, implement risk-based safeguards, and comply with the Breach Notification Rule when incidents occur.

How do business associate obligations differ from those of covered entities?

Business associates are directly liable for Security Rule compliance and for specific Privacy Rule duties. They may use or disclose PHI only as allowed by their Business Associate Agreement or required by law, must implement safeguards, report incidents and breaches to the covered entity, ensure subcontractor compliance, and support individual rights processes handled by the covered entity.

When must a breach be reported to HHS?

Covered entities must report breaches affecting 500 or more individuals to HHS without unreasonable delay and no later than 60 days after discovery. Breaches affecting fewer than 500 individuals must be logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered. Business associates report to the covered entity, which then reports to HHS as required.
