HIPAA Covered Entities vs. Business Associates: Meaning, Requirements, and Best Practices


Kevin Henry

HIPAA

January 21, 2025


Covered Entities Definition and Examples

Under HIPAA, a covered entity is a health care provider that conducts standard electronic transactions, a health plan, or a health care clearinghouse. These organizations create, receive, maintain, or transmit Protected Health Information (PHI) as part of routine operations.

Definition

Covered entities include: (1) health plans such as insurers, HMOs, Medicare, and employer group health plans; (2) health care providers like hospitals, physicians, clinics, pharmacies, and dentists when they bill electronically; and (3) health care clearinghouses that translate nonstandard data into standard formats.

Examples

  • Health plans: commercial insurers, Medicaid managed care, Medicare Advantage, third-party administrators for group health plans.
  • Providers: multi-specialty practices, urgent care centers, telehealth providers, labs, imaging centers, and long-term care facilities.
  • Clearinghouses: billing services and repricers that standardize claims and eligibility data.

PHI spans any individually identifiable health information—paper, verbal, or electronic (ePHI)—including diagnoses, treatment details, and payment data linked to an individual.

Business Associates Role and Examples

A business associate is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity to perform services or functions. Business associates may also include subcontractors that handle PHI.

Typical Roles

  • Claims processing, utilization review, case management, data analysis, quality improvement, and risk adjustment.
  • Technology vendors: EHR platforms, cloud storage/backup providers, hosted email, data centers, and managed service providers.
  • Professional services: legal, actuarial, accounting, consulting, and accreditation bodies needing PHI to deliver services.
  • Patient engagement tools: secure messaging, appointment reminders, and contact centers handling ePHI.

The conduit exception is narrow; entities with persistent custody or routine access to PHI (for example, cloud providers) are business associates and must sign a Business Associate Agreement.

Covered Entity Compliance Obligations

Privacy Rule

Covered entities must limit uses and disclosures to permitted purposes, apply the minimum necessary standard, and provide a Notice of Privacy Practices. You must designate a privacy official, train your workforce, manage sanctions, and honor patient rights to access, amend, and receive an accounting of disclosures.

Policies and procedures must document authorizations, permissible disclosures, complaint handling, and retention. You must also oversee vendors by executing a Business Associate Agreement before sharing PHI.

HIPAA Security Rule

You must protect ePHI through Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Required actions include conducting a risk analysis, implementing risk management plans, assigning security responsibility, and reviewing information system activity.

  • Administrative Safeguards: risk analysis, workforce training, incident response, contingency planning, and vendor oversight.
  • Physical Safeguards: facility access controls, workstation security, and device/media controls for secure disposal and reuse.
  • Technical Safeguards: access controls, unique user IDs, audit controls, integrity protections, encryption, and transmission security.

Breach Notification and Unauthorized Disclosure Reporting

Covered entities must assess incidents for compromise of PHI and perform Unauthorized Disclosure Reporting. If a breach occurs, notify affected individuals and the regulator without unreasonable delay and within required timelines, and notify the media when large breaches affect a jurisdiction.

Maintain documentation of risk assessments, mitigation steps, and notifications. For breaches involving a business associate, the associate must alert the covered entity, which remains responsible for fulfilling public-facing notices unless your Business Associate Agreement assigns otherwise.

Business Associate Compliance Obligations

Business associates are directly subject to the HIPAA Security Rule and to specific Privacy Rule provisions. You may use or disclose PHI only as permitted by HIPAA or the Business Associate Agreement and must enforce the minimum necessary standard.

  • Implement Administrative, Physical, and Technical Safeguards for ePHI, including risk analysis, workforce training, and audit logging.
  • Flow down equivalent obligations to subcontractors that handle PHI and verify performance through due diligence.
  • Enable access, amendment, and accounting support for the covered entity, and make records available to the regulator upon request.
  • Report security incidents and suspected or confirmed breaches to the covered entity without unreasonable delay, with details sufficient for notifications.

Business Associate Agreements (BAAs) Requirements

A Business Associate Agreement is required before PHI is shared. It defines how PHI may be used or disclosed and embeds the HIPAA Security Rule and privacy commitments into the vendor relationship.

  • Permitted and required uses/disclosures; prohibition of uses outside the agreement or HIPAA.
  • Safeguard obligations spanning Administrative Safeguards, Physical Safeguards, and Technical Safeguards, including risk analysis and encryption standards.
  • Unauthorized Disclosure Reporting and breach notification duties, timelines, contents, and cooperation requirements.
  • Subcontractor flow-down clauses binding all downstream entities to the same restrictions and safeguards.
  • Access, amendment, and accounting support; right to audit; incident and investigation cooperation.
  • Return or destruction of PHI at termination, or protections for retained PHI when destruction is infeasible.
  • Material breach remedies, including suspension or termination, and allocation of liability and indemnification.

Direct Liability and Penalties

Covered entities and business associates face civil monetary penalties for violations, with tiered ranges based on culpability and annual caps that are adjusted for inflation. Willful neglect triggers higher penalties and corrective action plans, and multiple violations can compound exposure.

Business associates are directly liable for Security Rule noncompliance and certain Privacy Rule failures, including impermissible uses/disclosures, lack of breach reporting, failure to provide records to the regulator, and not executing required flow-down terms with subcontractors.

Serious offenses may also carry criminal penalties for knowingly obtaining or disclosing PHI under false pretenses or for malicious gain. Contractual liability under a Business Associate Agreement and reputational harm often exceed regulatory penalties.

Best Practices for HIPAA Compliance

Program Design and Governance

  • Maintain a living data map of PHI and ePHI, owners, systems, flows, and vendors; update it with system or vendor changes.
  • Perform an enterprise risk analysis annually and upon major changes, track risks in a register, and implement risk management plans.
  • Define roles for privacy and security officers, escalation paths, sanction policies, and board-level reporting.

Controls and Technology

  • Apply zero-trust principles: least privilege, multifactor authentication, network segmentation, and continuous monitoring.
  • Encrypt ePHI at rest and in transit, enable detailed audit logs, and review alerts through a SIEM with playbooks.
  • Harden endpoints and mobile devices with MDM, implement secure messaging, and enforce device/media controls for disposal.

Vendor and Contract Management

  • Conduct due diligence on business associates, including security questionnaires, evidence reviews, and right-to-audit clauses.
  • Execute a robust Business Associate Agreement before sharing PHI and verify subcontractor flow-down compliance.
  • Track vendor risk, findings, and remediation to closure; reassess at least annually.

People and Processes

  • Train your workforce on minimum necessary, acceptable use, phishing awareness, and incident escalation.
  • Run tabletop exercises for breach response, including Unauthorized Disclosure Reporting, media strategy, and law enforcement coordination.
  • Maintain clear procedures for patient rights, identity verification, and timely fulfillment of access requests.

Bottom line: define who you are (covered entity or business associate), document how you handle PHI, implement safeguards proportionate to risk, and operationalize vendor oversight. Doing so aligns meaning, requirements, and best practices into a defensible HIPAA program.

FAQs

What is a HIPAA covered entity?

A HIPAA covered entity is a health plan, health care clearinghouse, or health care provider that transmits health information electronically in connection with standard transactions. These organizations hold primary responsibility for safeguarding Protected Health Information and for honoring patient privacy rights.

What are the responsibilities of a business associate?

A business associate must protect PHI per the HIPAA Security Rule, use or disclose PHI only as permitted by HIPAA or the Business Associate Agreement, flow down obligations to subcontractors, support patient rights through the covered entity, and report security incidents and breaches without unreasonable delay.

How do covered entities and business associates differ under HIPAA?

Covered entities are the original stewards of PHI and must comply with the full Privacy, Security, and Breach Notification Rules. Business associates handle PHI on their behalf, are bound by the Security Rule and specific Privacy Rule duties, and may use or disclose PHI only as allowed by the Business Associate Agreement.

What is required in a Business Associate Agreement?

A Business Associate Agreement must define permitted uses/disclosures, require safeguards across administrative, physical, and technical controls, mandate Unauthorized Disclosure Reporting and breach cooperation, bind subcontractors to equivalent terms, ensure access and record support, and specify termination, return/destruction of PHI, and remedies for material breach.
