HIPAA Applies to Covered Entities and Business Associates: Requirements Explained



Kevin Henry

HIPAA

August 12, 2024

6 minute read

Defining Covered Entities

Under HIPAA, covered entities are the organizations primarily responsible for safeguarding Protected Health Information (PHI). They are health plans (insurers, employer group health plans, and government programs), health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction (for example, an electronic claim or eligibility check).

The Privacy Rule protects PHI in every form (paper, spoken, and electronic); the Security Rule adds specific obligations for electronic PHI (ePHI). A provider that never conducts a standard electronic transaction is not a covered entity for HIPAA purposes, though other laws may still apply. Organizations that perform both covered and non-covered functions can designate themselves "hybrid entities," in which case only the designated health care components must comply with HIPAA, and PHI must be kept from flowing freely to the non-covered parts of the organization.

  • Health plans: insurers, HMOs, employer-sponsored plans, Medicare/Medicaid programs.
  • Clearinghouses: entities that translate health information between nonstandard and standard formats.
  • Providers: hospitals, clinics, physicians, pharmacies, labs—when transmitting standard electronic transactions.

Identifying Business Associates

A business associate is any person or company that performs activities or services for or on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI. Common examples include billing and revenue cycle firms, claims processors, data analytics vendors, IT service providers, cloud and backup services, EHR vendors, consultants, legal counsel, and accounting firms.

Business associates can also engage other vendors; those subcontractors become business associates in their own right if they create, receive, maintain, or transmit PHI. Workforce members of a covered entity are not business associates, and a "mere conduit" that only transports data, such as a courier or an ISP whose storage is transient and incidental to transmission, typically is not a business associate either. Most modern hosting or managed services that store or process PHI do qualify, and the exception is narrow: OCR's cloud guidance treats a cloud provider that stores ePHI as a business associate even when the data is encrypted and the provider never holds the decryption key.

Establishing Business Associate Agreements

Before sharing PHI, you must execute a Business Associate Agreement (BAA). The BAA defines permitted uses and disclosures of PHI, requires safeguards consistent with HIPAA, and sets expectations for breach and security incident reporting. It should also address minimum necessary use, access rights, and termination procedures.

  • Permitted uses/disclosures: specify how the business associate may use PHI and prohibit Unauthorized Disclosure beyond those purposes.
  • Safeguards: require administrative, physical, and technical protections suitable for Electronic PHI and alignment with the HIPAA Security Rule.
  • Reporting: obligate prompt notice of breaches and security incidents, with timelines and incident details. The Breach Notification Rule gives a business associate up to 60 days after discovery to notify the covered entity, but because the covered entity's own 60-day clock to notify individuals and HHS starts when the business associate discovers the breach, BAAs commonly require a much shorter window (days, not weeks) and a minimum set of facts (affected individuals, data elements, and containment status).
  • Flow-down: require subcontractors to agree in writing to the same restrictions and safeguards.
  • Individual rights and data handling: support access, amendment, and accounting, and require return or destruction of PHI at termination if feasible.
  • Enforcement: reserve the right to terminate the BAA for material breach and document all compliance activities.

While HIPAA does not mandate indemnification or cyber insurance, many BAAs include risk allocation terms to address residual risk and costs.

Ensuring Security Rule Compliance

The HIPAA Security Rule applies to covered entities and business associates for Electronic PHI. Compliance is risk-based and centers on Administrative Safeguards, physical controls, and technical measures that together protect confidentiality, integrity, and availability.

  • Administrative Safeguards: enterprise-wide risk analysis, risk management, assigned security responsibility, workforce training and sanctions, information access management, security incident procedures, contingency planning, and regular evaluations.
  • Physical safeguards: facility access controls, workstation and device protections, and media controls for secure disposal and reuse.
  • Technical safeguards: unique user identification and access control, audit controls and monitoring, integrity protections, authentication, and transmission security (encryption based on risk).

Document policies and procedures, test contingency plans, and review controls periodically. Encryption is an "addressable" implementation specification, which does not mean optional: you must either implement it or document why it is not reasonable and appropriate in your environment and put an equivalent alternative in place. For most environments it is the practical standard for ePHI at rest and in transit given current threats. It also determines your breach exposure: PHI encrypted in line with HHS guidance is not "unsecured PHI," so the loss of a properly encrypted laptop or backup is generally not a reportable breach, provided the key was not compromised along with the data.


Managing Subcontractor Compliance

Business associates must ensure subcontractors that create, receive, maintain, or transmit PHI comply with HIPAA. This “flow-down” obligation means you need written agreements equivalent to your BAA and ongoing oversight.

  • Perform due diligence: evaluate security programs, risk assessments, certifications, and incident history.
  • Flow down requirements: replicate privacy, security, and breach-notification terms and the minimum necessary standard.
  • Monitor and verify: use audits, questionnaires, and performance metrics; require timely notification of incidents.
  • Control data lifecycle: define data locations, retention, secure destruction, and return of PHI upon termination.

Understanding Direct Liability

Business associates have direct liability under HIPAA. They must implement the HIPAA Security Rule, comply with the Privacy Rule provisions that apply to them, use or disclose PHI only as their BAA or the law permits, notify the covered entity of breaches, make records available to HHS on request, and ensure subcontractor compliance. An unauthorized disclosure or a failure to safeguard ePHI can trigger enforcement against the business associate directly, without any action against the covered entity.

Covered entities remain directly liable for their own violations, including the absence of required BAAs, inadequate safeguards, failure to limit uses and disclosures, or failure to honor individual rights such as access and amendment.

Enforcing HIPAA Penalties

HIPAA is enforced primarily by the HHS Office for Civil Rights (OCR). Investigations may end in technical assistance, a resolution agreement with a monetary settlement and corrective action plan, or civil money penalties under a four-tier structure that considers the level of culpability and corrective efforts. Patterns of noncompliance, delayed breach notification, a missing or stale risk analysis, or systemic control failures elevate risk.

Civil and criminal penalties are possible. Civil penalties follow tiers from "lack of knowledge" through "willful neglect," with per-violation amounts and annual caps adjusted periodically for inflation. The Department of Justice may pursue criminal cases for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, with fines and imprisonment that escalate when the offense involves false pretenses or an intent to sell the information or use it for commercial advantage, personal gain, or malicious harm. Contractual consequences, such as BAA termination, and reputational harm often accompany regulatory outcomes.

In practice, your best defense is a living compliance program: current risk analysis, prioritized remediation, documented policies, workforce training, vendor oversight, and tested incident response. These steps reduce the likelihood and impact of violations while strengthening trust with patients and partners.

FAQs

What entities qualify as covered entities under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with HIPAA standard transactions. Examples include insurers and HMOs; billing and repricing intermediaries; and providers like hospitals, physicians, pharmacies, and labs that submit electronic claims or related transactions.

What are the key requirements for business associate agreements?

A Business Associate Agreement must define permitted uses and disclosures, require safeguards aligned to the HIPAA Security Rule, mandate prompt breach and incident reporting, flow down equivalent obligations to subcontractors, support individual rights (access, amendment, accounting), address return or destruction of PHI at termination, and allow termination for material breach. Many organizations also include minimum necessary requirements and risk allocation terms.

How must business associates comply with the HIPAA Security Rule?

Business associates must implement administrative, physical, and technical safeguards for Electronic PHI. Core actions include conducting a risk analysis, managing identified risks, controlling access, monitoring activity with audit logs, training the workforce, encrypting data based on risk, maintaining contingency plans, and documenting policies with periodic evaluations.

What penalties can covered entities and business associates face for violations?

OCR can impose civil monetary penalties under a tiered framework that varies by culpability and corrective action, and may require corrective action plans. The Department of Justice can pursue criminal cases for knowingly obtaining or disclosing PHI in violation of HIPAA. Consequences can include fines, settlement obligations, monitoring, reputational harm, and in criminal cases, potential imprisonment.
