HIPAA Covered Entity or Business Associate? Practical Guide with Risk Scenarios



Kevin Henry

HIPAA

January 16, 2025

9 minute read

Defined Covered Entities

Under HIPAA, you are a covered entity if you are a health plan, a health care clearinghouse, or a health care provider who transmits health information electronically in standard HIPAA transactions. If you fit any of these categories, HIPAA’s Privacy, Security, and Breach Notification Rules apply directly to you.

Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. PHI exists in paper, verbal, and digital forms; Electronic Protected Health Information (ePHI) refers specifically to the electronic form.

Common covered entity examples

  • Health plans: group health plans, HMOs, Medicare, Medicaid, and certain employer-sponsored plans.
  • Health care providers: physicians, clinics, dentists, therapists, pharmacies, labs, hospitals, telehealth practices that conduct HIPAA-standard transactions.
  • Health care clearinghouses: entities that translate or reformat data between providers and payers.

Edge cases and risk scenarios

  • Hybrid entities: A university with a student health clinic designates that clinic as its HIPAA-covered component; other university functions remain outside HIPAA.
  • Employer vs. plan: Your company as an employer is not the covered entity; the group health plan is. Keep HR employment records separate from plan PHI.
  • Direct-to-consumer apps: A wellness app serving consumers directly is typically not a covered entity. If it contracts with a clinic to handle PHI, that role changes (see business associates).

Identifying Business Associates

A business associate is any person or organization that performs functions or services for a covered entity (or for another business associate) that involve creating, receiving, maintaining, or transmitting PHI. Business associates are directly subject to HIPAA for Security Rule compliance and relevant Privacy Rule provisions.

Typical business associate examples

  • Cloud EHR, data hosting, backup, or email providers storing ePHI.
  • Billing companies, coding services, revenue cycle management, and collection agencies.
  • IT managed service providers with system admin access to ePHI environments.
  • Analytics, quality improvement, population health, or patient engagement vendors handling PHI.
  • Medical transcriptionists, scribes, call centers, and telemedicine platforms handling PHI.
  • Shredding, scanning, and records storage companies managing PHI.

Who is not a business associate?

  • Conduits: Couriers and internet service providers that only transport information without routine access to PHI.
  • Consumer services: Tools a patient uses on their own initiative that never receive PHI from a covered entity.

Risk scenarios to watch

  • Marketing agency receives appointment lists to run campaigns—this is PHI access, making the agency a business associate.
  • IT vendor “only” maintains servers but can view ePHI during support—still a business associate.
  • Research partner receives a limited data set—still PHI; special agreements apply (see BAAs).

Establishing Business Associate Agreements

A Business Associate Agreement is required before a business associate creates, receives, maintains, or transmits PHI on your behalf. The BAA defines permitted uses/disclosures, mandates safeguards, sets Breach Notification Requirements, and flows obligations down to subcontractors.

Essential BAA elements

  • Permitted and required uses/disclosures of PHI, including minimum necessary standards.
  • Obligation to implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards for ePHI.
  • Subcontractor flow-down: business associates must have BAAs with their subcontractors who handle PHI.
  • Incident reporting timelines and content; prompt notification is best practice (contractually shorter than the 60-day HIPAA maximum).
  • Right to audit, security attestations, and cooperation during investigations.
  • Termination, return/destruction of PHI, and breach/indemnification terms.

When a BAA is not required

  • De-identified data: If PHI is de-identified under HIPAA’s standard before sharing, a BAA is not needed.
  • Conduit services: Pure transmission without access to PHI beyond random, transitory exposure.
  • Financial transactions: Merchant banks processing payments are not business associates solely for that activity.

Risk scenarios and tips

  • Vendor refuses a BAA but touches PHI—do not proceed. Choose an alternative vendor or adjust scope to remove PHI.
  • Limited Data Set sharing requires a Data Use Agreement; if the recipient performs services for you, you likely still need a BAA.
  • Set notification timeframes in the BAA (for example, 3–5 business days) to accelerate your Incident Response Plan.

Implementing Security Rule Compliance

The Security Rule applies to covered entities and business associates handling ePHI. Your program must be risk-based and documented, spanning Administrative Safeguards, Physical Safeguards, and Technical Safeguards.


Administrative Safeguards

  • Enterprise-wide risk analysis and risk management plan with clear ownership and timelines.
  • Policies and procedures for access, acceptable use, incident response, contingency planning, and sanction policies.
  • Workforce training and role-based access; vendor management and due diligence controls.

Physical Safeguards

  • Facility access controls, visitor logs, and device/media controls for storage and disposal.
  • Asset inventory for servers, endpoints, and removable media containing ePHI.
  • Environmental protections for on-prem equipment and secure workstation placement.

Technical Safeguards

  • Unique user IDs, least-privilege access, and multi-factor authentication for all ePHI systems.
  • Encryption in transit and at rest for ePHI; key management and backups with tested restores.
  • Audit logging, centralized log retention, and monitoring for anomalous activity.
  • Patch and vulnerability management, EDR/AV tooling, and secure configuration baselines.

Security rule risk scenarios

  • Ransomware hits an unpatched server hosting ePHI—lack of patching and poor backups amplify impact.
  • Lost laptop without full-disk encryption—reportable breach; encryption could have avoided notification.
  • Compromised API token to a patient portal—rotate credentials, review logs, and conduct a risk assessment.

Managing Incident Response and Breach Notification

Your Incident Response Plan should define how you detect, contain, investigate, and recover from security incidents involving PHI. You must also meet HIPAA’s Breach Notification Requirements when unsecured PHI is compromised.

From incident to breach

  • Security incident: attempted or successful unauthorized access, use, disclosure, modification, or destruction of information.
  • Breach: acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy, unless a documented risk assessment shows a low probability of compromise.

Required notifications and timelines

  • Individuals: notify without unreasonable delay and no later than 60 days after discovery; include what happened, what data was involved, steps you’re taking, and how individuals can protect themselves.
  • HHS: for 500+ individuals in a state/jurisdiction, notify within 60 days of discovery; for fewer than 500, log the breach and report it to HHS within 60 days after the end of the calendar year in which it was discovered.
  • Media: for breaches affecting 500+ individuals in a state/jurisdiction, notify prominent media within 60 days.
  • Business Associates: must notify the covered entity without unreasonable delay and not later than 60 days after discovery; BAAs should set shorter contractual deadlines.

Risk assessment for breach determination

  • Nature and extent of PHI (e.g., diagnoses, SSNs, financial data).
  • Unauthorized person who used/received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • Extent to which the risk has been mitigated (e.g., confirmed deletion, robust encryption).

Incident scenarios

  • Misdirected email with visit summaries—quick containment, recipient attestation of deletion, and risk assessment may support low probability of compromise.
  • Ransomware that encrypted an EHR and exfiltrated data—treat as a presumptive breach, notify as required, and involve forensics.
  • Stolen unencrypted USB drive with ePHI—reportable breach; move to encrypted, access-controlled storage going forward.

Understanding Liability and Oversight

Both covered entities and business associates have direct HIPAA obligations. Business associates are independently liable for Security Rule compliance and specified Privacy Rule violations. Covered entities remain responsible for choosing, contracting with, and overseeing vendors appropriately.

Oversight expectations

  • Reasonable due diligence: evaluate vendor security practices before sharing PHI and periodically thereafter.
  • BAA enforcement: respond to known noncompliance; cure, terminate, or report when necessary.
  • Documentation: maintain BAAs, risk assessments, training records, and incident response evidence.

Liability scenarios

  • You learn a billing vendor lacks encryption but continue without remediation—regulators may view this as failure to act on known risk.
  • A business associate’s subcontractor causes a breach—the business associate remains responsible and must have BAAs with subcontractors.
  • Shared fault: weak access controls at the covered entity and inadequate monitoring at the business associate can both contribute to harm.

Conducting Risk Assessments and Cybersecurity Evaluations

A comprehensive risk assessment is the backbone of Security Rule compliance. Map where ePHI lives and flows, identify threats and vulnerabilities, estimate likelihood and impact, and prioritize controls. Update the assessment at least annually and whenever your environment or vendors change.

Practical steps

  • Inventory systems, apps, APIs, devices, and vendors that create, receive, maintain, or transmit ePHI.
  • Diagram data flows for patient intake, care delivery, billing, and patient engagement.
  • Assess gaps against Administrative Safeguards, Physical Safeguards, and Technical Safeguards; assign owners and remediation dates.
  • Test backups and disaster recovery; perform tabletop exercises for ransomware and misdirected disclosures.
  • Measure progress with metrics (patch SLAs, MFA coverage, log review cadence, vendor assessment completion).

Cybersecurity evaluations that add value

  • Vulnerability scanning and periodic penetration testing focused on ePHI systems.
  • Phishing simulations and targeted training to reduce credential theft risk.
  • Third-party risk reviews for business associates, including security questionnaires and evidence checks.
  • Continuous monitoring for anomalous access and data exfiltration.

Conclusion

Start by determining whether you are a covered entity, a business associate, or both. Put Business Associate Agreements in place before sharing PHI, and implement a risk-based security program across administrative, physical, and technical controls. Prepare your Incident Response Plan now so you can meet breach notification timelines, and maintain vendor oversight to manage shared liability.

FAQs

What distinguishes a covered entity from a business associate?

A covered entity directly delivers or pays for health care and conducts HIPAA-standard transactions (health plans, clearinghouses, and providers). A business associate performs services for a covered entity (or another business associate) that involve PHI. The business associate does not provide care or pay for care as its HIPAA role; it supports those functions while handling PHI.

When is a Business Associate Agreement required?

A Business Associate Agreement is required whenever a vendor or partner will create, receive, maintain, or transmit PHI on your behalf. This includes access to ePHI for hosting, billing, analytics, support, or disposal. It is not required for de-identified data, true conduits, or consumer services that never receive PHI from you.

How must business associates comply with HIPAA security rules?

Business associates must implement the Security Rule’s Administrative Safeguards, Physical Safeguards, and Technical Safeguards for ePHI, perform ongoing risk analysis and risk management, train their workforce, manage subcontractors with BAAs, maintain audit logs and access controls, encrypt data where feasible, and follow an Incident Response Plan with timely breach notification.

Who is liable for breaches caused by business associates?

Business associates are directly liable for their HIPAA violations and for breaches they cause, including those of their subcontractors. Covered entities may also face liability if they failed to conduct reasonable vendor due diligence, lacked required BAAs, or ignored known patterns of noncompliance. Effective oversight and strong BAAs help reduce shared risk.
