HIPAA Compliance Guide for Covered Entities and Business Associates: Duties and Risks
Covered Entities' Responsibilities
As a covered entity, you are responsible for protecting Protected Health Information (PHI) in any form and Electronic Protected Health Information (ePHI) specifically. Your HIPAA compliance program must address privacy, security, and breach notification requirements end to end.
Core privacy obligations
- Use and disclose PHI only for permitted purposes, applying the minimum necessary standard to each request or workflow.
- Provide a clear Notice of Privacy Practices and honor individual rights, including timely access, amendments, restrictions, and confidential communications.
- Maintain policies and procedures that reflect how PHI flows across your operations and limit workforce access appropriately.
Security expectations for ePHI
- Perform a comprehensive Security Risk Assessment (risk analysis) and implement risk management plans that are living, documented, and prioritized.
- Implement Administrative Safeguards (governance, training, contingency planning), Physical Safeguards (facility controls, device/media handling), and Technical Safeguards (access control, audit logging, integrity and transmission security).
- Harden systems handling ePHI with encryption, strong authentication, secure configurations, and continuous monitoring.
Program governance and response
- Designate privacy and security officials, train your workforce, and enforce sanctions for violations.
- Execute a Business Associate Agreement (BAA) before sharing PHI with vendors and track all third-party access.
- Investigate incidents promptly and deliver breach notifications within required timeframes; retain documentation for at least six years.
Business Associates' Responsibilities
Business associates must safeguard PHI they receive, create, maintain, or transmit on behalf of covered entities. Obligations arise by law and contract and apply equally to ePHI.
Contractual and legal duties
- Enter into a BAA that limits uses/disclosures, requires minimum necessary handling, and defines breach reporting timelines.
- Use or disclose PHI only as permitted by the BAA or as required by law, and support individual rights when acting for the covered entity.
- Maintain records, logs, and controls sufficient to demonstrate compliance and support audits or investigations.
Security and operational controls
- Complete a Security Risk Assessment and implement Administrative, Physical, and Technical Safeguards aligned to identified risks.
- Protect ePHI with role-based access, encryption in transit and at rest, vulnerability management, and incident response testing.
- Train workforce members, manage privileged access, and document security incidents even when they do not rise to breaches.
Risks of Non-Compliance for Covered Entities
Non-compliance can quickly become costly. Beyond fines, you face corrective action plans, monitoring, and downstream operational and reputational impacts.
- Regulatory exposure: investigations, civil monetary penalties under a tiered framework, and mandated corrective measures.
- Breach costs: forensics, notifications, call centers, credit monitoring, remediation, and potential contractual penalties.
- Litigation and enforcement: state attorneys general actions and state-law claims often follow major incidents.
- Business disruption: partner audits, payer scrutiny, and delayed projects while corrective actions are implemented.
- Criminal risk in egregious cases, such as knowingly misusing PHI for personal gain.
Risks of Non-Compliance for Business Associates
Business associates face direct liability under HIPAA and significant commercial consequences when controls fall short.
- Regulatory penalties and corrective action plans that require substantial investments and ongoing reporting.
- Contract terminations, lost revenue, and reputational harm that impede new customer acquisition.
- Indemnification obligations to covered entities, plus costs to fulfill breach notification duties and provide remedies to affected individuals.
- Increased insurance premiums, difficulty qualifying for security assessments, and potential exclusion from competitive procurements.
Covered Entities' Liability for Business Associates
Covered entities are not automatically liable for every business associate action. However, you can be liable when a business associate acts as your agent within the scope of agency, or when you fail to act after learning of a material breach of the BAA.
- Obtain “satisfactory assurances” via a BAA that the business associate will appropriately safeguard PHI.
- When you discover a violation, take reasonable steps to cure it; if unsuccessful, terminate the relationship or, if termination is infeasible, document why and consider reporting.
- Define agency carefully: operational control, direction of tasks, and approval rights can affect whether the associate is your agent for HIPAA purposes.
Business Associates' Liability for Subcontractors
Business associates must flow down HIPAA obligations to any subcontractor that handles PHI on their behalf and are responsible for ensuring those obligations are met.
- Execute subcontractor BAAs that mirror restrictions on use/disclosure, Security Rule safeguards for ePHI, and breach reporting duties.
- Conduct due diligence and ongoing oversight: assess security posture, review Security Risk Assessments, and monitor remediation.
- Establish incident-to-breach escalation paths so covered entities receive timely, accurate information.
- Apply least-privilege access, data minimization, and secure data transfer to reduce subcontractor risk.
Covered Entities' Oversight of Business Associates
Effective oversight balances trust with verification. Build vendor risk management into procurement, contracting, and operations to keep PHI safe throughout the lifecycle.
Before engagement
- Risk-tier vendors based on PHI volume, sensitivity, integration points, and criticality to care or operations.
- Request and evaluate Security Risk Assessments, security questionnaires, and independent assurance reports when available.
- Confirm capabilities for encryption, access control, logging, incident response, and data destruction.
Contracting
- Use a BAA that defines permitted uses/disclosures, minimum necessary rules, and breach notification timelines and content.
- Flow down requirements to subcontractors, reserve audit and assessment rights, and specify Administrative, Physical, and Technical Safeguards.
- Address data return/destruction at termination, cyber insurance expectations, and cooperation during investigations.
Ongoing monitoring
- Collect periodic attestations, track remediation of findings, and re-evaluate risk when services or systems change.
- Integrate the associate into incident response plans and run joint tabletop exercises on PHI and ePHI scenarios.
- Review access logs, reconcile minimum necessary access, and deprovision promptly when roles change.
Incident response with business associates
- Activate coordinated containment, preserve evidence, and perform the breach risk assessment to determine whether there is a low probability that the PHI has been compromised.
- Meet notification deadlines to individuals, regulators, and, when applicable, media; ensure accuracy and consistency across parties.
- Document lessons learned and feed them into updated safeguards and training.
Conclusion
HIPAA compliance is a continuous program, not a checklist. By aligning privacy practices, Security Rule safeguards, and disciplined vendor oversight, you reduce risk, protect patients, and fulfill your duties as a covered entity or business associate.
FAQs
What are the main responsibilities of covered entities under HIPAA?
Covered entities must protect PHI and ePHI, limit uses/disclosures to permitted purposes, provide individuals with privacy rights, complete a Security Risk Assessment, implement Administrative, Physical, and Technical Safeguards, execute BAAs before sharing PHI, train the workforce, and deliver required breach notifications with proper documentation.
How must business associates handle PHI according to HIPAA?
Business associates may use or disclose PHI only as allowed by the BAA or law, must safeguard ePHI through risk-based controls, train staff, log and investigate security incidents, report breaches promptly to the covered entity, and require subcontractors to follow the same HIPAA standards via subcontractor BAAs.
What penalties apply for HIPAA non-compliance?
HIPAA uses a tiered civil penalty structure that scales with culpability and can include substantial per-violation and annual caps, plus corrective action plans and monitoring. Serious misconduct can also bring criminal penalties. Beyond regulation, organizations face remediation costs, contract losses, and reputational damage.
How should covered entities respond to breaches by business associates?
Activate joint incident response, assess the incident, and ensure timely, accurate notifications. Review the BAA’s timelines and required details, document containment and remediation, and determine whether to require corrective actions, suspend data exchange, terminate the relationship, or report when termination is infeasible. Continuous improvements should follow.
Ready to assess your HIPAA security risks?
Join thousands of organizations that use Accountable to identify and fix their security gaps.
Take the Free Risk Assessment