HIPAA Business Associate vs Covered Entity: Key Differences, Roles, and Requirements


Kevin Henry

HIPAA

February 24, 2024

6 minute read

Understanding HIPAA Business Associate vs Covered Entity distinctions helps you protect Protected Health Information (PHI) and comply with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. This guide clarifies the roles, required contracts, and safeguards that keep PHI secure.

Overview of Covered Entities

Covered entities are health plans, health care clearinghouses, and health care providers that transmit electronic PHI (ePHI) in standard transactions. They create, receive, maintain, and disclose PHI as part of routine care and operations.

Common examples

  • Hospitals, physician and dental practices, pharmacies, and telehealth providers.
  • Health plans, HMOs, and employer-sponsored group health plans.
  • Health care clearinghouses that translate data to standard formats.

Core responsibilities

Covered entities may use and disclose PHI for treatment, payment, and health care operations, subject to the minimum necessary standard. They must safeguard PHI, provide a Notice of Privacy Practices, honor individual rights, and ensure vendors handling PHI sign a Business Associate Agreement.

Definition and Role of Business Associates

A business associate performs services for or on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI. Business associates support operations rather than deliver care directly.

Typical business associates

  • Billing and revenue cycle firms, claims processors, and collections services.
  • IT vendors, EHR support, cloud hosting, and managed service providers.
  • Consultants, analytics firms, legal services, and marketing vendors handling PHI.

Business associates may use or disclose PHI only as permitted by the Business Associate Agreement and HIPAA. They are directly liable for compliance and must flow down the same restrictions to any subcontractor that accesses PHI.

Obligations under HIPAA

Covered entities

Under the HIPAA Privacy Rule, covered entities define permissible uses and disclosures, implement policies, and honor rights such as access, amendment, and accounting of disclosures. When handling ePHI, they must comply with the HIPAA Security Rule’s safeguards.

Business associates

Business associates must implement the HIPAA Security Rule and comply with relevant provisions of the Privacy Rule, including minimum necessary limits on use and disclosure. They must document policies, train workforce members, and make records available to HHS upon request.

Shared duties

Both parties must safeguard PHI, limit access to authorized purposes, and cooperate on individual rights requests when PHI resides with a business associate. Each must follow the Breach Notification Rule and the terms of the Business Associate Agreement.

Business Associate Agreements

A Business Associate Agreement (BAA) is a required contract that defines how a business associate may use and disclose PHI and what safeguards it must maintain. It aligns practices with the HIPAA Privacy Rule and HIPAA Security Rule.

Essential elements

  • Permitted and required uses/disclosures of PHI, including minimum necessary.
  • Required safeguards, incident reporting, and breach notification duties.
  • Obligations to support access, amendment, and accounting of disclosures.
  • Subcontractor compliance: flow-down terms requiring subcontractors to sign equivalent agreements.
  • Return or destruction of PHI at termination and remedies for material breach.

The BAA should complement the service agreement. Clear roles, defined timelines, and audit rights help both parties monitor performance and maintain compliance.


Security Safeguards and Compliance

The HIPAA Security Rule requires a risk-based program that protects ePHI through Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Your controls must be reasonable and appropriate for your size, complexity, and risk profile.

Administrative Safeguards

  • Enterprise-wide risk analysis, risk management, and assigned security responsibility.
  • Workforce training, sanction policies, and contingency planning with backups and disaster recovery.
  • Vendor management, including BAA oversight and periodic assessments.

Physical and technical safeguards

  • Facility access controls, device/media controls, and secure disposal.
  • Unique user IDs, role-based access, and multi-factor authentication where feasible.
  • Encryption at rest and in transit, audit logging, integrity monitoring, and transmission security.

Maintain compliance through documentation, routine audits, and management review. Keep required documentation for at least six years and update controls as systems, vendors, and risks change.

Breach Notification Requirements

The Breach Notification Rule applies to impermissible uses or disclosures of unsecured PHI unless a documented risk assessment shows a low probability of compromise. Assess the data’s nature, who received it, whether it was acquired or viewed, and mitigation steps.

Timelines and process

  • Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery.
  • Notices should describe what happened, PHI types involved, affected individuals, mitigation taken, and steps people can take to protect themselves.
  • Covered entities then handle individual notifications and any required notices to regulators and, for large breaches, the media.

Subcontractor Responsibilities

When a business associate uses a subcontractor to create, receive, maintain, or transmit PHI, that subcontractor is itself a business associate. The primary business associate must ensure subcontractor compliance through a written agreement that imposes the same restrictions and safeguards.

Oversight in practice

  • Perform due diligence, assess security controls, and limit PHI to the minimum necessary.
  • Require breach reporting, right-to-audit clauses, and prompt termination for material violations.
  • Track data flows, maintain an up-to-date vendor inventory, and review BAAs at renewal.

Conclusion

Covered entities focus on care and plan operations, while business associates support those activities and must protect PHI under contract and law. Strong Business Associate Agreements, risk-based safeguards, and vigilant vendor oversight align responsibilities and keep PHI secure.

FAQs

What distinguishes a covered entity from a business associate?

A covered entity delivers care or administers a health plan and is the original steward of PHI. A business associate supports those functions and handles PHI on the entity’s behalf, bound by the BAA and applicable HIPAA rules.

What are the main compliance requirements for business associates?

Business associates must implement the HIPAA Security Rule, follow relevant Privacy Rule provisions, apply minimum necessary, train their workforce, document policies, oversee subcontractors, and meet breach notification and reporting obligations.

When must business associates notify about a data breach?

They must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI, providing details needed for downstream notifications and mitigation.

How do business associate agreements protect PHI?

BAAs define permitted uses and disclosures, require specific safeguards, mandate breach reporting, extend terms to subcontractors, and set enforcement and termination rights—creating a contractual framework that protects PHI end to end.
