HIPAA Covered Entity vs. Business Associate for Health Care Providers: Explained
Defining HIPAA Covered Entities
Under HIPAA, a covered entity includes health plans, health care clearinghouses, and any health care provider that transmits health information electronically in connection with standard transactions (such as claims or eligibility checks). If you are a provider who bills or conducts administrative transactions electronically, you are a covered entity.
Covered entities handle Protected Health Information (PHI) and electronic PHI (ePHI) in delivering care and managing operations. As a provider, you may use and disclose PHI for treatment, payment, and health care operations, while applying the minimum necessary standard where required and honoring patients’ privacy rights.
Understanding HIPAA Business Associates
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity to perform regulated functions or services. Common examples include IT vendors, cloud hosts, billing companies, and consultants whose work requires access to PHI.
Business associates must sign a Business Associate Agreement (BAA) that limits uses and disclosures to those the contract and the Privacy Rule permit, mandates safeguards for ePHI, and requires reporting of security incidents, breaches of unsecured PHI, and any use or disclosure not permitted by the agreement. They are also directly liable under HIPAA for certain requirements (the Security Rule, and the Privacy Rule provisions that apply to their contracted functions), not merely contractually liable to the covered entity.
Examples of Covered Entities and Business Associates
Covered entities (provider-focused)
- Hospitals, physician practices, community health centers, ambulatory surgery centers
- Dental, vision, chiropractic, behavioral health, physical therapy, and pharmacy providers
- Laboratories, imaging centers, telehealth clinics that conduct electronic transactions
Business associates
- Electronic health record vendors, practice management and revenue cycle firms
- Cloud hosting, data backup, email and secure messaging providers handling PHI
- IT managed service providers, cybersecurity firms, and device support vendors
- Transcription, medical scribing, call centers, appointment reminder services
- Law firms, accountants, and consultants accessing PHI to deliver contracted services
Borderline scenarios to evaluate
- Mere conduits (for example internet service providers, the postal service, and couriers) that only transmit PHI, with at most transient storage incidental to transmission, are not business associates. The conduit exception is narrow.
- Vendors that maintain PHI or have routine or even potential access to it generally are business associates and need a BAA. This includes cloud services that store only encrypted ePHI and hold no decryption key: lack of access to plaintext does not take a vendor outside the definition.
HIPAA Compliance Requirements for Covered Entities
Privacy Rule Compliance
You must adopt policies that govern permitted uses and disclosures, apply the minimum necessary standard where the Privacy Rule requires it (it does not apply to disclosures for treatment), and provide individuals with their required rights (access, amendment, accounting of disclosures, requested restrictions, and confidential communications). Issue a Notice of Privacy Practices, verify the identity of anyone requesting PHI, and obtain authorizations where the Privacy Rule requires them.
Security Rule Implementation
Implement administrative, physical, and technical safeguards to protect ePHI. Core tasks include a documented risk analysis and risk management plan, an assigned security official, workforce training, access controls with unique user identification, audit controls, integrity controls, person or entity authentication, transmission security, and contingency planning (data backup, disaster recovery, and emergency mode operation).
Breach Notification Requirements
Maintain an incident response process and conduct a documented risk assessment of any impermissible use or disclosure of unsecured PHI; a breach is presumed unless the assessment shows a low probability that the PHI was compromised. Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify HHS within 60 days of discovery for breaches affecting 500 or more individuals (smaller breaches are logged and reported annually) and, when a breach affects more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area. PHI that is encrypted consistent with HHS guidance, or properly destroyed, is not "unsecured," so its loss does not trigger notification; this safe harbor applies only if the decryption key was not also compromised.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
HIPAA Compliance Requirements for Business Associates
Business associates must execute a Business Associate Agreement before receiving PHI and adhere to its terms. They are directly responsible for Security Rule compliance, and for the Privacy Rule obligations that relate to their contracted functions and to the limits on use and disclosure in the agreement.
They must implement administrative, physical, and technical safeguards, maintain the required documentation, and report security incidents and breaches to the covered entity without unreasonable delay (for breaches, no later than 60 days after discovery). Business associates must also make PHI available to support individual rights, such as access and amendment, when the contract requires it.
Roles and Responsibilities of Subcontractors
Subcontractors of a business associate that create, receive, maintain, or transmit PHI are themselves business associates. They must sign downstream BAAs, mirror applicable restrictions, and implement Security Rule safeguards. The duty to “flow down” HIPAA requirements is explicit and enforceable.
In a breach, subcontractors notify the upstream business associate, which then meets Breach Notification Requirements to the covered entity. Due diligence, vendor risk management, and clear contractual terms help you maintain visibility and compliance across the chain.
Regulatory and Enforcement Considerations
The Office for Civil Rights enforces HIPAA through investigations, audits, corrective action plans, and civil monetary penalties. The Department of Justice may pursue criminal cases for intentional misconduct. State attorneys general can also bring actions under HIPAA’s enforcement framework.
Both covered entities and business associates face direct liability under HIPAA for violations such as impermissible disclosures, lack of safeguards, failure to execute BAAs, or not providing timely breach notifications. Strong governance, documentation, and recognized security practices can significantly mitigate enforcement risk.
Conclusion
For health care providers, the distinction is straightforward: as a covered entity you drive compliance for your operations, while business associates and their subcontractors carry parallel, contractually bound obligations with direct regulatory exposure. Clear BAAs, risk-based safeguards, and disciplined incident response keep PHI protected and your organization compliant.
FAQs
What distinguishes a covered entity from a business associate under HIPAA?
A covered entity delivers or pays for care and conducts standard electronic transactions; a business associate performs functions or services for the covered entity that involve PHI. Business associates are vendors or partners, not part of the covered entity’s workforce, and must sign a Business Associate Agreement.
What are the compliance obligations of health care providers as covered entities?
Providers must comply with the Privacy Rule (permitted uses and disclosures, minimum necessary, patient rights), implement Security Rule safeguards (administrative, physical, and technical controls), execute and manage BAAs, train the workforce, and satisfy the Breach Notification Rule when incidents occur.
When must a business associate agreement be established?
Before a vendor or partner creates, receives, maintains, or transmits PHI on your behalf. The BAA defines permitted uses and disclosures, required safeguards, reporting duties, subcontractor flow-down, and termination provisions tied to HIPAA obligations.
How are subcontractors regulated under HIPAA?
Subcontractors that handle PHI for a business associate are business associates themselves. They must sign downstream BAAs, implement Security Rule safeguards, comply with relevant Privacy Rule limits, and report incidents to the upstream business associate, which then fulfills required notifications to the covered entity.