HIPAA Covered Entities vs. Business Associates: Boundaries, Obligations, and Examples


Kevin Henry

HIPAA

January 01, 2025

7 minute read

Identification of Covered Entities

Core categories

Under HIPAA, covered entities fall into three groups: health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. If your organization transmits claims, eligibility checks, referrals, or remittance advice electronically, you are likely a covered entity.

  • Health care providers: physicians, clinics, hospitals, telehealth practices, pharmacies, dentists, therapists, and laboratories that submit transactions electronically.
  • Health plans: private insurers, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and certain government programs that pay for health care.
  • Health care clearinghouses: entities that translate nonstandard information into HIPAA standard transaction formats and vice versa.

Protected Health Information in scope

Covered entities handle Protected Health Information (PHI): individually identifiable health information in any form—paper, electronic, or oral. When PHI is created, received, maintained, or transmitted electronically (ePHI), it triggers additional HIPAA Security Rule safeguards.

Common edge cases

  • Employers and schools are generally not covered entities, though their group health plans can be.
  • Life insurers, workers’ compensation carriers, and many public health authorities are not covered entities but may receive PHI through other legal pathways.
  • Pharmacy benefit managers typically act as business associates of health plans rather than as covered entities.

Roles and Responsibilities

Covered entities

Covered entities are directly responsible for complying with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification requirements. You must limit uses and disclosures to what the rules permit, follow the minimum necessary standard, issue a Notice of Privacy Practices, and honor individuals’ rights (access, amendment, accounting of disclosures, restrictions, and confidential communications).

For ePHI, you must implement administrative, physical, and technical Electronic PHI Safeguards: risk analysis, workforce training, access controls, authentication, audit logging, transmission security, facility protections, and device/media controls.

If a breach occurs, you must provide Breach Notification to affected individuals without unreasonable delay and no later than 60 days from discovery, and notify regulators as required.

Business associates

Business associates perform functions or services for a covered entity that involve PHI—such as claims processing, data storage, analytics, or IT support. They must comply with applicable Security Rule provisions and certain Privacy Rule requirements specified in a Business Associate Agreement.

Business associates have Direct Liability under HIPAA for impermissible uses/disclosures, failure to provide breach notifications, and failure to implement required security measures. They must also flow down safeguards to subcontractors who handle PHI.

Examples of Covered Entities

Health care providers

  • Hospitals, ambulatory surgery centers, skilled nursing facilities, and home health agencies.
  • Physician practices, behavioral health and substance use treatment providers, dental and orthodontic clinics.
  • Clinical laboratories, imaging centers, pharmacies, and telehealth-only practices.

Health plans

  • Commercial insurers and HMOs offering medical, dental, or vision coverage.
  • Employer-sponsored group health plans, including self-insured arrangements.
  • Government programs such as Medicare Advantage and Medicaid managed care plans.

Health care clearinghouses

  • Billing and repricing services that convert data between nonstandard and HIPAA standard transaction formats.
  • Switches and intermediaries that route and translate claims, eligibility, and remittance transactions.

Distinction from Business Associates

What makes an entity a business associate

A business associate is a person or organization, other than a workforce member, that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another business associate) to perform a covered function. Examples include EHR vendors, cloud service providers, data analytics firms, practice management and billing vendors, transcription services, consultants, and many law or accounting firms handling PHI.

Key differences in role

  • Covered entities deliver or pay for health care; business associates support those activities.
  • Covered entities determine how PHI is used for treatment, payment, and operations; business associates may use or disclose PHI only as permitted by the Business Associate Agreement or as required by law.
  • The “conduit” exception is narrow: routine transport of PHI without storage or access (e.g., certain postal services) may avoid business associate status, but long-term hosted storage or cloud services typically create business associate obligations.

Compliance Obligations

HIPAA Privacy Rule

You must define permissible uses and disclosures, apply the minimum necessary standard for non-treatment purposes, publish a Notice of Privacy Practices, and manage authorizations and restrictions. Covered entities must also enable patient rights, including timely access to records and amendment requests.

HIPAA Security Rule

For ePHI, implement risk-based Electronic PHI Safeguards across administrative (risk analysis, policies, workforce training), physical (facility access, device/media controls), and technical (access control, audit controls, integrity, authentication, transmission security) categories. Business associates have Direct Liability under HIPAA for these safeguards.

Breach Notification

When unsecured PHI is compromised, conduct a risk assessment and, if a breach occurred, provide Breach Notification to individuals without unreasonable delay and within 60 days of discovery. Covered entities report to regulators as required; business associates must notify the covered entity so timely notices can be issued. Document all incidents and decisions.

Governance, training, and documentation

Designate privacy and security officials, train your workforce, manage sanctions, conduct periodic risk analyses, maintain policies and procedures, and retain required documentation for at least six years. Monitor business associates and subcontractors for adherence to agreed safeguards.

Business Associate Agreements

Required provisions

  • Permitted and required uses/disclosures of PHI by the business associate.
  • Obligation to implement HIPAA Security Rule safeguards and other reasonable and appropriate controls.
  • Duty to report breaches and security incidents to the covered entity, including timelines and content of notices.
  • Flow-down: require subcontractors to agree to the same protections for PHI.
  • Support for Privacy Rule duties, such as access, amendment, accounting of disclosures, and restrictions, when the PHI is held by the business associate.
  • Return or destruction of PHI at termination when feasible, and limitations on further use.
  • Right of the covered entity to terminate for material breach and the obligation to make records available to regulators upon request.

Practical tips

  • Align the Business Associate Agreement with your actual services, data flows, and retention plans.
  • Specify breach reporting triggers and contact points to avoid delays.
  • Ensure encryption, access control, and monitoring expectations are explicit, especially for cloud and managed IT services.

Overlap Scenarios

When roles intersect

  • One covered entity acts as a business associate to another (e.g., a hospital provides centralized billing for independent clinics), requiring a Business Associate Agreement for that function.
  • Hybrid entities (such as universities with health clinics) designate health care components that must follow HIPAA while other units do not.
  • Organized Health Care Arrangements (OHCAs) allow multiple covered entities to share PHI for joint operations; participants still manage their own vendor BA relationships.
  • Data aggregation and de-identification services are business associate functions when performed for a covered entity; properly de-identified data is no longer PHI.
  • Cloud hosting, backup, and email platforms that store ePHI are business associates even if they cannot or do not actually view the data.

Conclusion

Covered entities deliver or finance care and control primary uses of PHI; business associates support those activities under contract. Clear identification of your role, robust implementation of HIPAA Privacy Rule and HIPAA Security Rule requirements, prompt Breach Notification, and well-crafted Business Associate Agreements create defensible compliance and protect individuals’ privacy.

FAQs

What entities are classified as HIPAA covered entities?

Covered entities are health care providers that conduct standard electronic transactions, health plans that pay for health care, and health care clearinghouses that translate data between nonstandard and HIPAA standard formats. If you transmit claims or similar transactions electronically, you likely fall into one of these categories.

How do business associates differ from covered entities?

Business associates do not deliver or pay for care; they support covered entities by handling PHI for services like billing, IT, analytics, cloud storage, or consulting. They may use or disclose PHI only as allowed by a Business Associate Agreement or required by law and have Direct Liability under HIPAA for certain violations.

What are the compliance requirements for covered entities?

Covered entities must comply with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification requirements. This includes patient rights, minimum necessary use, risk-based Electronic PHI Safeguards, incident response, timely breach notices, workforce training, and policy documentation and retention.

When is a covered entity considered a business associate?

A covered entity becomes a business associate when it performs a function or service for another covered entity that involves PHI outside its own treatment, payment, or operations. For example, a hospital that provides centralized billing for independent practices acts as a business associate for that service and needs a Business Associate Agreement.
