HIPAA Business Associate vs Covered Entity: Roles, Requirements, and Examples
Covered Entities Overview
Under HIPAA, covered entities are organizations that handle Protected Health Information (PHI) in delivering or paying for care. They include health care providers who conduct standard electronic transactions, health plans, and health care clearinghouses. If you diagnose, treat, pay for, or translate health information for these purposes, you likely fall into this group.
Covered entity types
- Health care providers: hospitals, physician practices, clinics, dentists, pharmacies, labs, and telehealth providers that transmit PHI electronically.
- Health plans: commercial insurers, HMOs, employer-sponsored group health plans, Medicare, and Medicaid.
- Health care clearinghouses: entities that convert nonstandard data into standard transaction formats and vice versa.
Covered entities must implement PHI safeguarding measures aligned to the HIPAA Privacy Rule, the HIPAA Security Rule (for ePHI), and the Breach Notification Rule. They are also responsible for vendor management: confirming that downstream partners meet compliance expectations before any PHI is shared with them.
Business Associates Definition
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or on behalf of another business associate) to perform regulated functions or services. Business associates are outside vendors or partners; members of the covered entity's own workforce are not business associates.
Common business associate roles
- Claims processing, billing, coding, and revenue cycle services.
- Cloud hosting, data centers, backup, and disaster recovery providers.
- EHR and practice management vendors, eFax and secure messaging services.
- IT managed service providers, cybersecurity services, and device support.
- Shredding, scanning, printing, mailing, and records management providers.
- Legal, actuarial, audit, consulting, translation, and collection agencies that access PHI.
If a vendor could reasonably access PHI—even if access is infrequent or incidental—it is typically a business associate and must meet HIPAA obligations through a Business Associate Agreement and appropriate safeguards.
Business Associate Agreements
A Business Associate Agreement (BAA) is a contract that defines how a vendor may use or disclose PHI, sets required safeguards, and allocates responsibilities for incident response and compliance assurance. You must execute a BAA before sharing PHI with a business associate.
Core elements to include
- Permitted and required uses and disclosures of PHI, including minimum necessary standards.
- Commitment to implement administrative, physical, and technical controls consistent with the HIPAA Security Rule.
- Obligation to report incidents and potential breaches to the covered entity pursuant to the Breach Notification Rule and contract timelines.
- Individual rights support (access, amendments, accounting of disclosures) as directed by the covered entity.
- Subcontractor flow-down: require subcontractors to sign BAAs and adopt equivalent safeguards.
- Data return or secure destruction at termination and continued protections if retention is required by law.
- Right to audit and ongoing vendor-management cooperation, such as providing risk assessment results or attestations.
Cloud and IT service providers that store or process ePHI must sign BAAs even if PHI is encrypted and the vendor claims “no view” access. The key trigger is the ability to create, receive, maintain, or transmit PHI.
Compliance Requirements for Business Associates
Business associates have direct HIPAA obligations. You may use or disclose PHI only as permitted by your BAA or as required by law, apply the minimum necessary standard, and maintain documented policies and procedures that reflect your services and risk profile.
Security Rule expectations
- Risk analysis and risk management tailored to systems handling ePHI.
- Administrative safeguards: workforce training, sanctions, vendor oversight, incident response plans.
- Physical safeguards: facility and device security, media controls, secure disposal.
- Technical safeguards: unique user IDs, access controls, encryption in transit and at rest, audit logging, integrity monitoring.
- Contingency planning: backups, disaster recovery, and emergency operations.
Breach Notification Rule duties
- Identify, investigate, and document security incidents and suspected breaches.
- Notify the covered entity without unreasonable delay and within rule/contract timeframes, supplying details for downstream notifications.
To demonstrate compliance, maintain evidence such as risk assessments, remediation plans, penetration test summaries, training records, subcontractor BAAs, and routine reports that support ongoing PHI safeguarding.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Responsibilities of Covered Entities
Covered entities own the patient relationship and the primary Privacy Rule obligations. You must define lawful uses and disclosures, issue a Notice of Privacy Practices, honor individual rights, and apply minimum necessary standards across your operations.
Program duties
- Designate privacy and security officials, train the workforce, and enforce sanctions for noncompliance.
- Perform enterprise risk analysis and implement administrative, physical, and technical safeguards for ePHI under the HIPAA Security Rule.
- Establish breach response procedures and meet Breach Notification Rule timelines for notifying individuals, HHS, and, when applicable, the media.
- Vendor Management: conduct due diligence, execute BAAs before sharing PHI, and monitor business associates through reviews, attestations, and corrective actions.
Effective oversight balances service delivery with PHI safeguarding, ensuring that each vendor's role, access, and controls are clearly documented and periodically reassessed.
Examples of Covered Entities and Business Associates
Covered entities
- Hospitals, surgical centers, physician groups, clinics, urgent care, and telehealth practices.
- Pharmacies, labs, imaging centers, dental and vision providers.
- Commercial health insurers, HMOs, employer group health plans, Medicare Advantage plans.
- Health care clearinghouses that standardize claim and eligibility transactions.
Business associates
- EHR vendors, cloud hosting and storage providers, data backup and recovery services.
- Billing, coding, and revenue cycle companies; third-party administrators (TPAs) acting on behalf of self-funded plans.
- Cybersecurity firms, managed IT service providers, device maintenance providers with PHI access.
- Printing, mailing, scanning, shredding, and records disposition vendors.
- Legal counsel, auditors, actuaries, consultants, translation services, and debt collectors that handle PHI.
Remember: the determining factor is PHI involvement. If a vendor can create, receive, maintain, or transmit PHI for your purposes, it is a business associate and requires a BAA and appropriate controls.
Subcontractors and Dual Roles
Subcontractors of a business associate that handle PHI are themselves business associates. You must flow down BAA terms and verify equivalent safeguards, creating a secure chain of custody for PHI across all service layers.
Subcontractor scenarios
- An EHR vendor uses a cloud infrastructure provider for data hosting and backup.
- A billing company engages a transcription or translation service to process PHI.
- An IT provider relies on a managed email or secure messaging relay that transmits ePHI.
- A records firm subcontracts shredding or offsite storage to another vendor.
Dual-role organizations
- A hospital (covered entity) provides analytics services to an affiliated clinic, acting as a business associate for that engagement.
- A health tech company treats patients via a clinic (covered entity) and separately hosts PHI for other providers (business associate).
- Hybrid entities designate “health care components” subject to HIPAA, while non-health operations remain outside that designation.
The “conduit” exception is narrow and applies to true transmission-only services with no persistent storage or access. Most modern service models maintain PHI and therefore require BAAs and full safeguards.
Conclusion and Key Takeaways
Covered entities deliver or pay for care and carry primary Privacy, Security, and Breach Notification obligations. Business associates perform services involving PHI and must sign a Business Associate Agreement and implement robust safeguards. Map each vendor relationship to the correct role, execute BAAs, and verify controls to maintain PHI safeguarding and end-to-end compliance assurance.
FAQs
What is the key difference between a business associate and a covered entity?
A covered entity provides or pays for health care and directly manages patient-facing Privacy Rule duties. A business associate is a vendor that creates, receives, maintains, or transmits PHI on the covered entity’s behalf and must follow the HIPAA Security Rule, use/disclosure limits, and breach reporting as defined by its BAA.
When is a business associate agreement required?
You need a Business Associate Agreement before sharing PHI—or when a vendor could reasonably access PHI—to perform services for a covered entity or another business associate. This includes cloud hosting, IT support, billing, and any subcontractor that handles PHI.
How do HIPAA compliance requirements differ for covered entities and business associates?
Both must safeguard PHI and follow the HIPAA Security Rule and Breach Notification Rule. Covered entities additionally manage patient rights and broader Privacy Rule obligations. Business associates are limited to uses and disclosures permitted by the BAA and must support the covered entity’s compliance activities.
What are examples of subcontractors considered business associates?
Cloud infrastructure providers used by EHR vendors, translation services engaged by billing companies, secure email relays used by IT providers, and shredding or offsite storage firms contracted by records management vendors are all subcontractors that become business associates when they handle PHI.