Does My Business Need HIPAA Compliance? How to Tell If You’re a Covered Entity or Business Associate
If your work touches patient data in any way, you need to know whether HIPAA applies. This guide shows you how to classify your organization as a HIPAA Covered Entity or a Business Associate, what counts as Protected Health Information (PHI) and Electronic Protected Health Information (ePHI), and the obligations that follow.
Use the sections below to quickly determine your status, understand your HIPAA Privacy Rule and HIPAA Security Rule responsibilities, and take practical next steps to reduce HIPAA Compliance Liability.
Identify Covered Entities
Who qualifies as a HIPAA Covered Entity
You are a covered entity if you are one of the following and you transmit health information electronically in connection with standard transactions (such as claims or eligibility checks):
- Health care providers (for example, hospitals, clinics, physicians, dentists, pharmacies, labs).
- Health plans (for example, insurers, HMOs, employer group health plans, government plans).
- Health care clearinghouses (for example, organizations that reformat or translate transactions between providers and payers).
Key qualifiers and edge cases
- “Provider” status depends on activities, not titles. If you furnish, bill for, or are paid for health care and use standard electronic transactions, you are likely covered.
- Employers, workers’ compensation carriers, life insurers, and schools are not covered entities when acting in those roles, though a group health plan they sponsor may be.
- If you never conduct standard electronic transactions, you may not be a covered entity, but you could still become a business associate through services you provide.
Recognize Business Associates
Definition and the core test
You are a business associate if you perform services for or on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI or ePHI. Subcontractors of business associates who handle PHI are also business associates.
Common business associate scenarios
- Billing, coding, revenue cycle, and claims management vendors.
- IT service providers, EHR and practice management vendors, cloud storage and backup providers, data analytics firms.
- Legal, accounting, consulting, and auditing firms that access PHI.
- Call centers, mail houses, transcription, scanning, and document destruction services handling PHI.
Mere conduit vs. business associate
A service that only transports information transiently (a “mere conduit,” such as a postal carrier) is not a business associate. However, a cloud or hosting provider that stores ePHI—even if encrypted and not routinely accessed—maintains PHI and is a business associate.
Business Associate Agreement (BAA)
If you are a business associate, you must sign a Business Associate Agreement with each covered entity client (and with relevant subcontractors). A BAA sets permitted uses/disclosures, requires safeguards under the HIPAA Security Rule, mandates breach reporting, and flows down obligations to subcontractors.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Assess Access to Protected Health Information
What is PHI and ePHI?
Protected Health Information is individually identifiable health information related to a person’s health, care, or payment for care, created or received by a covered entity or business associate. Electronic Protected Health Information is the same information in electronic form, such as in EHRs, cloud storage, email, or backups.
Practical inventory and data flow mapping
- List where PHI/ePHI is created, received, maintained, or transmitted (systems, devices, paper, voice).
- Identify people and vendors who can access it and the purposes for that access.
- Note the pathways PHI takes: intake, treatment, billing, reporting, analytics, archiving, and disposal.
- Apply the “minimum necessary” principle to each step and remove unnecessary data elements.
What is not PHI
- De-identified data that cannot identify an individual.
- Employment records a covered entity holds in its role as an employer.
- Education records covered by FERPA.
Understand HIPAA Compliance Obligations
Obligations for covered entities
- HIPAA Privacy Rule: Provide a Notice of Privacy Practices; limit uses/disclosures to what is permitted or authorized; honor patient rights (access, amendments, accounting, restrictions, confidential communications).
- HIPAA Security Rule: Implement administrative, physical, and technical safeguards for ePHI, including risk analysis, access controls, authentication, audit controls, integrity, and transmission security.
- Breach Notification Rule: Assess security incidents; notify affected individuals, regulators, and sometimes media; document decisions and timelines.
- Governance: Appoint privacy and security officers; adopt policies and procedures; train workforce; manage Business Associate Agreements.
Obligations for business associates
- Comply directly with the HIPAA Security Rule for ePHI and with applicable Privacy Rule provisions specified in BAAs.
- Report breaches and certain incidents to covered entity clients promptly and support investigations.
- Flow down BAA requirements to subcontractors that handle PHI.
- Document safeguards, workforce training, and risk management activities.
HIPAA Compliance Liability and enforcement
Both covered entities and business associates face HIPAA Compliance Liability. Civil penalties are tiered by culpability and can be substantial; corrective action plans and external monitoring are common. Willful neglect and wrongful disclosures can trigger criminal exposure, and contracts may impose additional remedies.
Use Classification Decision Tools
Quick decision path
- Do you furnish or bill for health care and transmit standard transactions electronically? If yes, you are likely a HIPAA Covered Entity.
- Do you provide services to a covered entity that require creating, receiving, maintaining, or transmitting PHI/ePHI? If yes, you are a Business Associate.
- Do your subcontractors handle PHI on your behalf? If yes, they are business associates and need BAAs.
- Do you only transport data transiently without storage or routine access? If yes, you may be a mere conduit, not a business associate.
- If none of the above apply, HIPAA may not regulate you directly—but reassess if your services or data flows change.
Scenario checkpoints
- Cloud-based scheduling or billing platform storing patient details for clinics: business associate; BAAs required.
- Marketing firm building a clinic’s website without accessing PHI: typically not a business associate; becomes one if it handles appointment or medical intake data.
- Direct-pay wellness app serving consumers without acting for a covered entity: not a covered entity or business associate; still safeguard user data and watch state privacy laws.
Documentation to support your classification
- Service descriptions and statements of work specifying whether PHI is involved.
- Data flow diagrams identifying ePHI systems and access points.
- Executed Business Associate Agreements (or documented determinations that a BAA is unnecessary).
Implement Privacy and Security Measures
Right-size your security program
- Perform an enterprise-wide risk analysis and maintain a risk management plan with prioritized remediation.
- Adopt written policies and procedures; train all workforce members on the HIPAA Privacy Rule and HIPAA Security Rule.
- Establish access controls, role-based permissions, and unique user IDs; require multi-factor authentication for ePHI systems.
Technical safeguards for ePHI
- Encrypt ePHI in transit and at rest; secure mobile devices with MDM and remote wipe.
- Enable audit logging, alerting, and regular log review; conduct vulnerability management and timely patching.
- Segment networks, back up data securely, and test restoration; implement data loss prevention for outbound channels.
Physical and administrative safeguards
- Control facility access; secure workstations and media; use clean desk and secure disposal practices.
- Designate privacy and security officers; maintain incident response and breach notification playbooks; run tabletop exercises.
- Vet vendors, execute BAAs, and monitor their compliance; manage subcontractor flow-downs.
Key takeaways
- Classify first: covered entity or business associate determines your obligations.
- Map PHI/ePHI flows and minimize exposure with the “minimum necessary” standard.
- Execute and manage Business Associate Agreements wherever PHI is shared.
- Build a sustainable program aligned to the HIPAA Privacy Rule and HIPAA Security Rule to reduce risk and liability.
FAQs
What defines a covered entity under HIPAA?
A covered entity is a health care provider, health plan, or health care clearinghouse that transmits health information electronically in connection with standard transactions. Examples include hospitals, physician practices, pharmacies, insurers, and claims clearinghouses.
How can a business determine if it is a business associate?
If you perform services for or on behalf of a covered entity and your work involves creating, receiving, maintaining, or transmitting PHI or ePHI, you are a business associate. You must sign a Business Associate Agreement and implement safeguards required by the HIPAA Security Rule.
What are the consequences of non-compliance with HIPAA?
Enforcement can include corrective action plans, civil monetary penalties tiered by culpability, and, in cases of willful neglect or wrongful disclosure, potential criminal penalties. Contractual damages and reputational harm can compound HIPAA Compliance Liability.
How does HIPAA regulate the use and disclosure of PHI?
The HIPAA Privacy Rule permits uses and disclosures for treatment, payment, and health care operations, and otherwise requires an authorization or another specific permission. It enforces the minimum necessary standard and grants individuals rights such as access and amendments to their PHI.