HIPAA Covered Entity vs. Business Associate: Examples, Risks, and Next Steps



Kevin Henry

HIPAA

January 21, 2025

7-minute read

Understanding HIPAA Covered Entity vs. Business Associate roles is critical to protecting Protected Health Information (PHI) and avoiding costly mistakes. This guide clarifies the difference, provides real-world examples, outlines compliance duties under the HIPAA Privacy Rule and HIPAA Security Rule, and gives practical next steps for getting agreements, risk assessments, breach notification, and compliance monitoring right.

Defining Covered Entities

Covered entities are organizations whose core activities involve delivering care, paying for care, or translating health data for standardized transactions. They create, receive, maintain, and transmit PHI as part of these primary functions.

Primary categories

  • Healthcare providers: Any provider who transmits health information electronically in a standard transaction (e.g., claims, eligibility). Examples include hospitals, clinics, physicians, dentists, pharmacies, labs, and durable medical equipment suppliers.
  • Health plans: Health insurers, HMOs, company self-funded health plans, government programs such as Medicare, Medicaid, and certain military and tribal health programs.
  • Healthcare clearinghouses: Entities that process nonstandard health information from one format into a standard format (and vice versa), enabling claims, payments, and other transactions.

Coverage depends on what the organization does, not its tax status or size. If you perform covered transactions electronically, you are likely a covered entity.

Identifying Business Associates

Business associates are persons or companies that perform services or functions for, or on behalf of, a covered entity that involve creating, receiving, maintaining, or transmitting PHI. Subcontractors that handle PHI for a business associate are also business associates.

How to tell if a vendor is a business associate

  • They host, store, analyze, code, bill, or otherwise handle PHI for your operations.
  • They can access PHI in the clear, even if access is infrequent or only for support.
  • They are not a mere conduit (e.g., standard postal mail or basic telecom) with no routine access to PHI content.
  • You need a Business Associate Agreement (BAA) to define permitted uses/disclosures and security responsibilities.

Business associates are directly liable for certain HIPAA violations, must comply with the HIPAA Security Rule, and have specific duties under the HIPAA Privacy Rule as set by the BAA.

Examples of Covered Entities

  • Hospitals, urgent care centers, specialty clinics, and primary care practices that submit electronic claims.
  • Dentists, orthodontists, chiropractors, physical therapists, and behavioral health providers who conduct HIPAA-standard transactions.
  • Pharmacies and clinical laboratories processing e-prescriptions and orders.
  • Health insurers, HMOs, employer self-insured health plans, third-party plan sponsors, and government health programs.
  • Healthcare clearinghouses that standardize claims, remittances, and eligibility data.
  • Telehealth providers that diagnose or treat patients and bill electronically.

A provider that never conducts electronic standard transactions may not be a covered entity under HIPAA, but most modern practices do conduct them, so covered entity status is the norm.

Examples of Business Associates

  • Electronic health record (EHR) vendors, cloud service providers, data centers, and backup/storage providers that maintain PHI.
  • Billing, coding, and revenue cycle management firms; claims processing and utilization review services.
  • Practice management, patient engagement, telehealth platforms, and appointment reminder services that access PHI.
  • IT managed service providers, cybersecurity firms, and help desks with potential PHI access.
  • Medical transcriptionists, scanning/imaging vendors, printing and mail fulfillment houses handling PHI.
  • Attorneys, accountants, consultants, and analytics companies performing services involving PHI.
  • Shredding and secure disposal vendors for paper and media containing PHI.
  • Subcontractors of any business associate that receive or can access PHI (e.g., downstream cloud or analytics partners).

Some vendors seem “support-only,” but if they can view or restore PHI during maintenance or troubleshooting, they are business associates and require a BAA.


Compliance Obligations for Business Associates

Business Associate Agreement (BAA)

Before handling PHI, a business associate must sign a BAA that: limits permitted uses/disclosures; requires safeguards aligned to the HIPAA Security Rule; mandates reporting of security incidents and Breach Notification; flows down obligations to subcontractors; and ensures return or destruction of PHI upon contract termination when feasible.

HIPAA Security Rule: Safeguards and Risk Management

  • Conduct a formal Risk Assessment (security risk analysis) to identify threats, vulnerabilities, and likelihood/impact to ePHI.
  • Implement administrative, physical, and technical safeguards: access controls, authentication, encryption/key management, audit logging, integrity controls, secure disposal, and contingency planning.
  • Document policies, procedures, and an ongoing risk management plan; review at least annually or upon major changes.

HIPAA Privacy Rule: Use/Disclosure and Individual Rights

Business associates must follow “minimum necessary,” use/disclose PHI only as permitted by the BAA, and support covered entities with Privacy Rule obligations such as access, amendment, and accounting of disclosures when contractually required.

Subcontractors and Downstream Vendors

Business associates must execute BAAs with subcontractors that create, receive, maintain, or transmit PHI, ensure equivalent protections, and verify controls during onboarding and periodically thereafter.

Breach Notification and Incident Response

Suspected incidents must be investigated promptly. If a breach of unsecured PHI is confirmed, the business associate must notify the covered entity without unreasonable delay per BAA terms so patient and regulator notifications can occur on time.

Compliance Monitoring and Assurance

Establish continuous compliance monitoring: security metrics, log review, vulnerability management, penetration testing, workforce training, and periodic internal audits. Be ready to provide documentation to the covered entity or regulators upon request.

Risks of Non-Compliance

HIPAA penalties are tiered based on culpability, ranging from lower fines for reasonable-cause violations to higher amounts for willful neglect. Violations can trigger corrective action plans, multi-year monitoring, and independent assessments. Intentional misuse or disclosures may carry criminal penalties, including fines and potential imprisonment.

Beyond regulatory fines, consequences include breach remediation costs, contract termination, litigation exposure, reputational damage, and operational disruption. Weak BAAs, incomplete Risk Assessments, and inadequate Breach Notification procedures are common root causes.

Next Steps for Covered Entities and Business Associates

For Covered Entities

  • Map PHI: inventory systems, data flows, and vendors that create, receive, maintain, or transmit PHI.
  • Classify vendors: determine which are business associates versus mere conduits or non-PHI suppliers.
  • Execute BAAs: use standardized templates; include permitted uses, Security Rule expectations, Breach Notification timelines, audit rights, and termination/return-of-PHI terms.
  • Perform vendor due diligence: review security controls, Risk Assessment results, and compliance documentation before and after contracting.
  • Embed compliance monitoring: track incidents, review logs/reports, and conduct periodic assessments of high-risk vendors.
  • Strengthen your own program: complete your Risk Assessment, update policies, train staff, and test incident response.

For Business Associates

  • Assign ownership: designate privacy and security leads with authority to act.
  • Complete a HIPAA Risk Assessment and implement a living risk management plan.
  • Harden controls: role-based access, MFA, encryption at rest/in transit, endpoint protection, patching, and disaster recovery testing.
  • Operationalize the BAA: document permitted uses, subcontractor flow-downs, workforce training, and change management.
  • Prepare for incidents: maintain an incident response plan and practice Breach Notification procedures.
  • Demonstrate assurance: continuous compliance monitoring, internal audits, and readiness to furnish evidence to clients or regulators.

Conclusion

Start by correctly classifying your role, formalize Business Associate Agreements, and operationalize controls under the HIPAA Privacy Rule and HIPAA Security Rule. With disciplined Risk Assessment, incident readiness, and ongoing compliance monitoring, you reduce exposure while protecting patients and your organization.

FAQs

What is a HIPAA covered entity?

A HIPAA covered entity is a healthcare provider, health plan, or healthcare clearinghouse that conducts standard electronic transactions (such as claims or eligibility checks). These organizations handle PHI as part of their core healthcare or payment functions and must comply with HIPAA.

What distinguishes a business associate from a covered entity?

A covered entity delivers or pays for care; a business associate supports those functions and handles PHI on the covered entity’s behalf. If a vendor can create, receive, maintain, or transmit PHI for your operations, it is a business associate and must sign a Business Associate Agreement.

What are the penalties for HIPAA non-compliance?

Penalties follow a four-tier civil structure based on the level of culpability, with per-violation fines and annual caps, plus potential corrective action plans and monitoring. Egregious, intentional misuse of PHI can lead to criminal fines and possible imprisonment, alongside reputational harm and contractual losses.

How should covered entities manage business associates?

Identify which vendors are business associates, execute BAAs with clear security and Breach Notification terms, review their Risk Assessment and controls, monitor performance through audits and reporting, enforce minimum necessary access, and terminate or remediate relationships that do not meet HIPAA requirements.
