HIPAA Applicability to Covered Entities and Business Associates: Definitions, Scope, Examples
Define Covered Entities
Covered Entity Definition
Under HIPAA (45 CFR 160.103), a covered entity is one of three types: a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a HIPAA standard transaction (claims, eligibility checks, remittance advice, and similar). If you meet this covered entity definition, HIPAA governs how you create, receive, maintain, and transmit Protected Health Information (PHI).
Who is included
- Health plans: group health plans, insurers, HMOs, Medicare, Medicaid, and certain employer-sponsored plans.
- Health care clearinghouses: entities that translate nonstandard health information into standard formats and vice versa.
- Health care providers: hospitals, physicians, dentists, pharmacists, labs, telehealth providers, and others that conduct HIPAA standard electronic transactions.
Hybrid entities—organizations with health and non-health components—can designate health care components as covered, but must still safeguard PHI across shared systems and personnel.
Identify Business Associates
A business associate is a person or organization, other than a member of the covered entity's workforce, that performs functions or provides services for a covered entity involving the use or disclosure of PHI. A business associate can in turn engage another business associate (a subcontractor), creating a vendor chain in which every link still handles PHI.
If you create, receive, maintain, or transmit PHI on behalf of a covered entity (or another business associate), you are a business associate and, since the 2013 Omnibus Rule, directly liable under the Security Rule and for the Privacy Rule uses and disclosures your BAA permits.
Provide Examples of Business Associates
- EHR vendors and hosted electronic health record management services, health information exchanges, e-prescribing services, and patient portal providers.
- Cloud hosting, data backup, and managed service providers that store or manage ePHI. Per HHS cloud computing guidance this holds even when the data is encrypted and the provider never holds the decryption key (a "no-view" service).
- Revenue cycle partners: medical billing, coding, claims processing, clearinghouse, and payment posting services.
- Analytics, data aggregation, quality reporting, utilization review, and population health services handling PHI.
- Legal, accounting, actuarial, and consulting firms that need PHI to advise covered entities.
- Call centers, transcription services, device maintenance vendors, and repair technicians with PHI access.
- Mailing houses, printing vendors, scanning/imaging, and secure disposal/shredding companies managing PHI materials.
Explain Business Associate Agreements
A Business Associate Agreement (BAA) is a contract that must be executed before a covered entity shares PHI with a vendor or partner that qualifies as a business associate. The BAA defines permitted and required uses/disclosures, sets safeguard expectations, and allocates compliance responsibilities.
Core elements to include
- Permitted uses and disclosures aligned with the HIPAA Privacy Rule and the minimum necessary standard.
- Administrative, physical, and technical safeguards to protect PHI, including security incident and breach reporting duties.
- Subcontractor Compliance: a requirement that subcontractors who handle PHI sign equivalent BAAs and implement comparable safeguards.
- Support for individual rights (access, amendment, accounting of disclosures) when the covered entity asks for assistance.
- Return or destruction of PHI at contract end, or continued protections if return/destruction is infeasible.
- Audit, cooperation, and termination provisions for material breach related to PHI Safeguarding.
Discuss Subcontractors of Business Associates
Subcontractor Compliance
Subcontractors engaged by a business associate are also business associates when they create, receive, maintain, or transmit PHI. They are directly liable for HIPAA violations and must sign BAAs with the business associate before handling PHI.
To manage this chain, you should map PHI data flows, vet vendors’ security programs, require encryption in transit and at rest, maintain role-based access controls and logs, and verify incident response and continuity plans.
Clarify Entities Not Considered Business Associates
- Workforce members of a covered entity or business associate (employees and those under direct control).
- “Mere conduits” that transmit PHI without persistent storage or routine access (e.g., the postal service, couriers, and internet service providers carrying traffic). The exception is narrow: storage beyond what is incidental to transmission, or the ability to routinely access the PHI, makes the vendor a business associate.
- Banks and financial institutions processing payments without accessing PHI beyond what is necessary for funds transfers.
- Personal health record or consumer health app providers when they offer services directly to individuals and not on behalf of a covered entity.
- Vendors that receive only data de-identified under the HIPAA standard (45 CFR 164.514, by expert determination or the safe harbor method); de-identified data is not PHI.
The practical test is whether the entity performs work on behalf of a covered entity (or a business associate) that involves PHI beyond transient transmission. If yes, a Business Associate Agreement is typically required.
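The data-flow mapping recommended for subcontractor chains and the practical test above can be turned into a repeatable check. The following is an added example, not code from the original page or from Accountable: it walks a constructed PHI data-flow map outward from a covered entity, classifies each party with the exclusions listed above (workforce, mere conduit, de-identified data only), and flags every hop where PHI reaches a business associate without a BAA. All party names, attributes, and flows are constructed for illustration.

```python
"""Walk a constructed PHI data-flow map and flag vendor-chain BAA gaps.

Each Flow records who discloses PHI (or de-identified data) to whom and whether a
BAA covers that hop. Each Party carries the attributes the practical test turns on.
Names and data below are constructed for this example only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Party:
    name: str
    workforce: bool = False          # employee or under direct control: not a BA
    conduit_only: bool = False       # transient transmission, no storage or routine access
    deidentified_only: bool = False  # receives only HIPAA de-identified data: not PHI


@dataclass(frozen=True)
class Flow:
    src: str    # party that discloses
    dst: str    # party that receives
    baa: bool   # whether an executed BAA covers this hop


def is_business_associate(p: Party) -> bool:
    """The practical test: a party that touches PHI on behalf of the chain,
    and is not workforce, a mere conduit, or a de-identified-data recipient."""
    return not (p.workforce or p.conduit_only or p.deidentified_only)


def find_baa_gaps(root: str, parties: list, flows: list):
    """Return (business_associates, gaps) reachable from the covered entity.

    A gap is a hop where PHI reaches a business associate without a BAA.
    Once a party receives only de-identified data, PHI stops there and its
    downstream vendors are out of HIPAA scope for this flow.
    """
    by_name = {p.name: p for p in parties}
    outgoing = {}
    for f in flows:
        outgoing.setdefault(f.src, []).append(f)

    business_associates, gaps = set(), []
    seen, stack = {root}, [root]
    while stack:
        cur = stack.pop()
        if by_name[cur].deidentified_only:
            continue  # no PHI flows onward from here
        for f in outgoing.get(cur, []):
            dst = by_name[f.dst]
            if is_business_associate(dst):
                business_associates.add(dst.name)
                if not f.baa:
                    gaps.append((f.src, f.dst))
            if dst.name not in seen:
                seen.add(dst.name)
                stack.append(dst.name)
    return business_associates, gaps


# Constructed sample chain (hypothetical organizations).
PARTIES = [
    Party("Riverside Clinic"),                               # covered entity
    Party("Riverside billing staff", workforce=True),        # workforce, not a BA
    Party("ChartWell EHR"),                                  # EHR vendor, BA
    Party("NimbusHost"),                                     # cloud host for the EHR, BA even if ePHI is encrypted
    Party("SwiftCourier", conduit_only=True),                # mere conduit
    Party("ShredRight"),                                     # disposal vendor, BA
    Party("PopStats Analytics", deidentified_only=True),     # receives de-identified data only
    Party("Benchmark Co"),                                   # downstream of de-identified data
]
FLOWS = [
    Flow("Riverside Clinic", "Riverside billing staff", baa=False),
    Flow("Riverside Clinic", "ChartWell EHR", baa=True),
    Flow("ChartWell EHR", "NimbusHost", baa=False),          # subcontractor hop with no BAA
    Flow("Riverside Clinic", "SwiftCourier", baa=False),
    Flow("Riverside Clinic", "ShredRight", baa=True),
    Flow("Riverside Clinic", "PopStats Analytics", baa=False),
    Flow("PopStats Analytics", "Benchmark Co", baa=False),   # out of scope: no PHI reaches it
]


def report(root: str = "Riverside Clinic"):
    bas, gaps = find_baa_gaps(root, PARTIES, FLOWS)
    print("Business associates in the PHI chain:", sorted(bas))
    for src, dst in gaps:
        print(f"GAP: {dst} receives PHI from {src} with no BAA in place")
    return bas, gaps


if __name__ == "__main__":
    report()
```

On the constructed map the only gap is the EHR vendor's cloud host: the clinic holds a BAA with ChartWell EHR, but ChartWell has not flowed the obligation down to NimbusHost, which is exactly the subcontractor exposure the BAA's subcontractor clause is meant to close. The courier and the analytics firm are correctly left out, and Benchmark Co never appears because it sees only de-identified data.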
Outline HIPAA Compliance Requirements
For covered entities
- Implement the HIPAA Privacy Rule: publish a Notice of Privacy Practices, honor individual rights, and enforce minimum necessary access.
- Implement the Security Rule: conduct risk analysis and risk management; apply administrative, physical, and technical safeguards for ePHI.
- Vendor management: identify business associates, execute BAAs, and monitor performance and PHI Safeguarding.
- Incident response and breach notification: investigate, mitigate, document, and notify as required.
- Training and governance: maintain policies, workforce training, sanctions, and documentation.
For business associates
- Comply with the Security Rule and BAA terms; use or disclose PHI only as permitted by the agreement and the Privacy Rule.
- Ensure Subcontractor Compliance by executing BAAs with downstream vendors that touch PHI.
- Maintain audit controls, access management, encryption, integrity protections, and secure software development practices.
- Support covered entities with accounting, access, amendments, and timely breach reporting.
- Retain required documentation (HIPAA requires six years from creation or last effective date) and routinely reassess risks tied to EHR and other PHI systems.
Electronic Health Records Management
EHR environments concentrate PHI, so you should align governance, change control, role-based access, audit logging, and data lifecycle practices to limit exposure. Interoperability activities must still respect minimum necessary use and strong identity and access management.
PHI Safeguarding
Adopt layered controls: least-privilege access, multi-factor authentication, endpoint hardening, network segmentation, encryption, monitoring, secure disposal, and tested recovery. Effective PHI Safeguarding reduces breach risk and demonstrates due diligence across the vendor chain.
Conclusion
HIPAA applicability turns on your role and your touchpoints with PHI. Covered entities set the obligations; business associates and their subcontractors inherit them through BAAs and direct liability. Clear scopes, strong safeguards, and disciplined vendor management keep PHI protected and your organization compliant.
FAQs
Who qualifies as a covered entity under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions (such as claims and eligibility checks). If you fall into one of these groups, HIPAA governs your handling of PHI.
What obligations do business associates have under HIPAA?
Business associates must implement Security Rule safeguards, follow the Privacy Rule limits in their BAA, use or disclose PHI only as permitted, ensure Subcontractor Compliance, report incidents and breaches to the covered entity, and maintain required policies, training, and documentation.
When is a business associate agreement required?
A Business Associate Agreement is required before a covered entity shares PHI with a vendor or partner that will create, receive, maintain, or transmit PHI on its behalf. It is not required for mere conduits or for services involving only de-identified data.
Are subcontractors of business associates subject to HIPAA?
Yes. Subcontractors that handle PHI on behalf of a business associate are themselves business associates. They must sign BAAs and are directly liable for complying with HIPAA and the PHI safeguards that flow down from the primary agreement.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.