Do Covered Entities and Business Associates Need HIPAA Compliance? Risks and How to Comply

Kevin Henry

HIPAA

January 27, 2025


Yes. If you create, receive, maintain, or transmit Protected Health Information (PHI), HIPAA compliance applies. This guide explains what the law expects of covered entities and business associates, the risks of getting it wrong, practical steps to comply, breach notification rules, and the proposed HIPAA Security Rule updates for 2025.

HIPAA Compliance Requirements for Covered Entities

Core rules and standards

The HIPAA Privacy Rule governs how you use and disclose PHI, including the “minimum necessary” standard and patient rights such as access and amendments. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). The Breach Notification Rule sets the duties to notify when unsecured PHI is compromised.

Programmatic expectations

Covered entities must designate privacy and security officials, conduct an enterprise-wide risk analysis, implement risk management, train the workforce, and adopt written policies and procedures. You must document decisions, apply role-based access, and monitor activity with audit logs. Vendor oversight is mandatory through Business Associate Agreements and ongoing due diligence.

Patient rights and disclosures

You must provide a Notice of Privacy Practices, honor requests for access, accounting of disclosures, and restrictions, and obtain valid authorizations when required. Disclosures without authorization are limited to defined purposes such as treatment, payment, and health care operations, or as otherwise permitted by the Privacy Rule.

Defining Covered Entities and Business Associates

Covered entities

Covered entities include health plans, health care clearinghouses, and health care providers who electronically transmit standard transactions (for example, claims or eligibility checks). This group spans hospitals, physician practices, dental and vision providers, pharmacies, labs, and telehealth providers when they handle PHI in regulated transactions.

Business associates

Business associates are service providers that create, receive, maintain, or transmit PHI on a covered entity’s behalf. Examples include cloud hosting, EHR vendors, billing companies, revenue cycle firms, analytics platforms, and external IT or cybersecurity teams. If you handle PHI for a covered entity or another business associate, HIPAA obligations apply to you.

Business Associate Agreements and Obligations

Required BAA clauses

  • Permitted and required uses/disclosures of PHI.
  • Safeguard commitments aligning with the Security Rule.
  • Prompt breach and security incident reporting.
  • Subcontractor compliance through downstream Business Associate Agreements.
  • Individual rights support (access, amendment) when applicable.
  • HHS access to books and records for investigations.
  • Return or destruction of PHI at termination and remedies for material breach.

Operational expectations for business associates

You must perform a risk analysis, implement risk management, enforce access controls and encryption, keep audit logs, train your workforce, and monitor subcontractors. Maintain incident response and disaster recovery capabilities, test them regularly, and document everything. Your BAA does not replace the need for a full compliance program.

Risks and Penalties for Non-Compliance

HHS enforcement, primarily through the Office for Civil Rights (OCR), can include investigations, corrective action plans, and tiered civil monetary penalties that escalate with culpability. The Department of Justice may pursue criminal cases for certain wrongful disclosures. State attorneys general can also bring actions under HIPAA and state privacy laws.

Operational and business risks

Non-compliance drives costly remediation, breach response, contract loss, and reputational damage. Downtime from security incidents disrupts care and revenue. Cyber insurance costs may rise, and partners may require proof of compliance before doing business with you. Investing in prevention is almost always cheaper than responding to a breach.

Steps to Achieve and Maintain HIPAA Compliance

Build your foundation

  • Appoint privacy and security officials and define governance.
  • Inventory systems, data flows, vendors, and PHI locations.
  • Conduct an enterprise-wide risk analysis and document results.
  • Develop risk management plans with owners, timelines, and metrics.

Administrative safeguards

  • Write, approve, and maintain policies and procedures mapped to the Privacy Rule and Security Rule.
  • Train your workforce initially and at least annually; track completion and comprehension.
  • Apply sanctions for violations and maintain documentation and retention schedules.

Technical and physical safeguards

  • Enforce unique user IDs, least-privilege access, and multi-factor authentication.
  • Encrypt ePHI in transit and at rest; manage keys securely.
  • Enable audit logging, alerting, and periodic reviews; segment networks and harden endpoints.
  • Control physical access, secure facilities and devices, and manage device lifecycles.

Third-party risk and Business Associate Agreements

  • Vet vendors handling PHI, execute Business Associate Agreements, and monitor performance.
  • Flow down requirements to subcontractors and verify subcontractor compliance.

Response readiness and continuous improvement

  • Maintain incident response, breach notification, and disaster recovery plans; test them.
  • Perform periodic technical testing (vulnerability scans, phishing tests) and evaluations.
  • Measure progress with KPIs, remediate gaps, and update your program as risks change.

Breach Notification Procedures

What triggers notification

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. You must conduct a documented risk assessment considering the nature of PHI, the unauthorized person, whether the PHI was actually acquired or viewed, and the extent to which risk was mitigated.

Whom to notify and when

  • Individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS: For breaches affecting 500 or more individuals, within 60 days of discovery; for fewer than 500, report no later than 60 days after the end of the calendar year.
  • Media: If 500 or more residents of a state or jurisdiction are affected, notify a prominent media outlet.
  • Business associates: Must notify the covered entity without unreasonable delay and within 60 days; earlier if required by contract.
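The deadlines above branch on who discovered the breach, how many individuals are affected, and how many live in each state. The following Python function, added here as a worked example rather than code from the original article or from Accountable, turns those rules into a single deadline calculation. The function name, the input fields, and the sample breaches are constructed for illustration; the contractual reporting window for business associates is an assumed parameter, since the article notes it may be shorter than 60 days.

```python
"""Compute HIPAA breach notification recipients and deadlines (illustrative example)."""
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)   # "no later than 60 calendar days after discovery"
LARGE_BREACH = 500                   # threshold for prompt HHS notice and media notice


def breach_notification_plan(discovered: date, affected: int, by_state: dict,
                             reporter: str = "covered_entity",
                             baa_report_days: int = 60) -> dict:
    """Return who must be notified and by when.

    discovered     -- date the breach was discovered
    affected       -- total number of individuals whose unsecured PHI was involved
    by_state       -- {state_or_jurisdiction: residents affected}, used for the media rule
    reporter       -- "covered_entity" or "business_associate"
    baa_report_days -- contractual reporting window for a business associate (assumed;
                       the article says the BAA may require earlier notice than 60 days)
    """
    plan = {}

    # A business associate reports to the covered entity, within 60 days or sooner if
    # the contract demands it; the covered entity then owns the downstream notices.
    if reporter == "business_associate":
        window = timedelta(days=min(baa_report_days, 60))
        plan["covered_entity"] = discovered + window

    # Individuals: without unreasonable delay, no later than 60 calendar days.
    plan["individuals"] = discovered + NOTIFY_WINDOW

    # HHS: 500 or more -> within 60 days of discovery; fewer than 500 -> no later than
    # 60 days after the end of the calendar year in which the breach was discovered.
    if affected >= LARGE_BREACH:
        plan["hhs"] = discovered + NOTIFY_WINDOW
    else:
        year_end = date(discovered.year, 12, 31)
        plan["hhs"] = year_end + NOTIFY_WINDOW

    # Media: a prominent outlet in every state/jurisdiction with 500 or more residents affected.
    plan["media"] = sorted(s for s, n in by_state.items() if n >= LARGE_BREACH)
    return plan


if __name__ == "__main__":
    # Constructed sample: a small breach and a large multi-state breach, both found 2025-01-27.
    small = breach_notification_plan(date(2025, 1, 27), 120, {"TX": 120})
    large = breach_notification_plan(date(2025, 1, 27), 1200, {"CA": 700, "NY": 500},
                                     reporter="business_associate", baa_report_days=10)
    for name, plan in (("small", small), ("large", large)):
        print(name, {k: str(v) for k, v in plan.items()})
```

The two constructed cases show the branches that matter in practice: the 120-person breach goes to HHS in the annual report (due 60 days after 31 December 2025, i.e. 1 March 2026) and triggers no media notice, while the 1,200-person breach must reach HHS within 60 days of discovery and requires media notice in both California and New York, with the business associate's 10-day contractual window to the covered entity taking precedence over the 60-day backstop.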

Notification content and documentation

Notices must include a description of what happened, types of PHI involved, steps individuals should take, actions you are taking, and contact information. Keep incident logs, investigation records, risk assessments, and copies of notifications. If law enforcement determines notice would impede an investigation, you must delay notification as directed.

Proposed HIPAA Security Rule Updates for 2025

Key themes organizations should expect

Regulators have signaled stronger baseline expectations for cybersecurity under the Security Rule. Anticipated themes include clearer requirements for multi-factor authentication, encryption, asset inventory, vulnerability management and patching, and enhanced audit logging and monitoring. Third-party risk management and clearer cloud and data-sharing responsibilities are also likely focal points.

What you can do now

  • Adopt phishing-resistant MFA and encrypt ePHI everywhere practical.
  • Maintain an up-to-date asset inventory and apply timely patches.
  • Implement centralized logging with alerting and regular reviews.
  • Strengthen Business Associate Agreements and oversight, emphasizing incident reporting and security controls.
  • Run tabletop exercises for incident response and test backups and recovery.

Conclusion

HIPAA compliance is a continuous program, not a one-time project. By aligning with the Privacy Rule, Security Rule, and Breach Notification Rule, managing vendors through sound Business Associate Agreements, and preparing for tighter expectations, you can protect patients, meet regulatory duties, and reduce risk from incidents and HHS enforcement.

FAQs

What entities qualify as covered entities under HIPAA?

Covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions involving PHI, such as submitting claims or eligibility inquiries. If you fit one of these categories and handle PHI in regulated transactions, HIPAA applies to you.

How do business associates ensure HIPAA compliance?

Business associates must execute Business Associate Agreements, perform a risk analysis, implement administrative, physical, and technical safeguards, train staff, monitor subcontractors, and report incidents promptly. Treat HIPAA as a full security and privacy program, not just a contract obligation.

What are the consequences of HIPAA non-compliance?

Consequences include OCR investigations, corrective action plans, tiered civil penalties, and potential criminal exposure for certain wrongful disclosures. You may also face state actions, lawsuits under other laws, reputational harm, contract loss, downtime, and higher insurance costs.

When must a breach notification be issued?

You must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. Breaches involving 500 or more individuals require notice to HHS within 60 days and to the media when 500 or more residents of a state are affected; smaller breaches are logged and reported to HHS annually.
