HIPAA Privacy Rule Applicability: Covered Entities, Business Associates, and Examples



Kevin Henry

HIPAA

May 08, 2024

6 minutes read

Covered Entities Under HIPAA

Core categories

Under the HIPAA Privacy Rule, a covered entity is an organization that is directly subject to the Rule and responsible for safeguarding Protected Health Information (PHI). Covered entities fall into three groups: health plans, health care providers, and health care clearinghouses.

  • Health plans: Individual or group plans that pay for medical care, including group health plans, health insurance issuers, HMOs, and government programs such as Medicare and Medicaid.
  • Health care providers: Any provider (such as a physician, clinic, or hospital) that electronically transmits health information in connection with a standard transaction such as claims, eligibility checks, or referral authorizations. A provider that never transmits such transactions electronically is not a covered entity.
  • Health care clearinghouses: Entities that convert nonstandard health information into a standard format (or vice versa) for billing or other administrative transactions.

Covered Entity Designation

Designation focuses on the legal entity, not individual departments. If your organization is a health plan or a clearinghouse, or a provider that transmits the relevant transactions electronically, you are a covered entity and must meet HIPAA requirements across your applicable operations.

Some organizations conduct both regulated and non-regulated activities. In those cases, you may consider the hybrid model described below to confine HIPAA responsibilities to designated components.

Defining Business Associates

What is a business associate?

A business associate is a person or organization, outside the covered entity's workforce, that performs services or functions for a covered entity (or for another business associate) involving the creation, receipt, maintenance, or transmission of PHI. Business associates are directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them, in addition to the duties set out in their contract.

Common functions that trigger BA status

  • Claims processing, billing, collections, or revenue cycle support.
  • Data analysis, quality reporting, or health information exchange.
  • IT hosting, cloud storage, backup, or managed services with routine PHI access.
  • EHR implementation, application support, or analytics platforms handling PHI.

Examples of Business Associates

Technology and data services

  • Cloud infrastructure or data backup vendors that store PHI.
  • Email, messaging, telehealth, or patient engagement platforms handling PHI.
  • Data warehouses, analytics firms, and population health tools.

Revenue cycle and administrative support

  • Medical billing services, coding vendors, and claims repricers.
  • Scheduling, call center, and statement printing/mailing vendors with PHI access.
  • Transcription services and document scanning or shredding vendors.

Professional and other services

  • Legal counsel, accountants, and consultants who need PHI to deliver services.
  • Health information exchanges and, in some relationships, a health care clearinghouse acting for another entity.
  • Third-party administrators supporting self-funded health plans.

Requirements for Business Associate Agreements

Core elements of a Business Associate Agreement

  • Permitted uses and disclosures: Define how the business associate may use or disclose PHI and prohibit any use or disclosure the agreement does not allow.
  • Safeguards and compliance: Require administrative, physical, and technical safeguards consistent with the Security Rule for electronic PHI.
  • Breach and incident reporting: Require the business associate to report any use or disclosure not permitted by the agreement, security incidents, and breaches of unsecured PHI. The Breach Notification Rule caps notice to the covered entity at 60 calendar days after discovery; most agreements set a much shorter deadline.
  • Subcontractor flow-down: Require any subcontractor that creates, receives, maintains, or transmits PHI on the business associate's behalf to agree in writing to the same restrictions and conditions.
  • Individual rights support: Assist with access, amendments, and accounting of disclosures when requested by the covered entity.
  • Return or destruction of PHI: Require return or secure destruction of all PHI at termination where feasible. Where it is not feasible, require the business associate to extend the agreement's protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
  • Termination and remedies: Authorize the covered entity to terminate the agreement if the business associate materially breaches it, and set post-termination obligations.

Operational expectations

Ensure the Business Associate Agreement aligns with actual services, data flows, and risk management practices. Document minimum necessary standards, encryption expectations, and audit or monitoring rights so both parties can verify ongoing compliance.


Compliance of Business Associate Subcontractors

Subcontractor Obligations

When a business associate engages a subcontractor to create, receive, maintain, or transmit PHI on its behalf, that subcontractor is itself a business associate. The business associate that engages it must obtain a written agreement imposing the same restrictions and conditions that apply under its own business associate agreement; no direct contract between the subcontractor and the covered entity is required.

Practical oversight steps

  • Perform due diligence on security controls, workforce training, and incident response.
  • Use written flow-down terms that define permitted uses, safeguards, and breach reporting timelines.
  • Monitor performance with risk assessments, attestations, and corrective action plans.

Understanding Hybrid Entities

Hybrid Entity Definition

A hybrid entity is a single legal entity that performs both HIPAA-covered and non-covered functions and formally designates its “health care components.” Only those components—and their relevant support units—must comply with the Privacy Rule, Security Rule, and breach notification requirements.

Designating and operating healthcare components

  • Document the designation of health care components in writing and keep it current.
  • Establish role-based access, policies, and workforce training to prevent unauthorized sharing of PHI across components.
  • Review designations periodically as services, systems, or organizational lines change.

Practical guardrails

Use clear data-sharing protocols, separate systems or access controls where feasible, and vendor lists that map which components interact with each business associate. This keeps obligations scoped correctly and supports audits.

Safeguarding Protected Health Information

Administrative safeguards

  • Conduct risk analysis and implement risk management plans tailored to PHI flows.
  • Adopt policies for minimum necessary, access authorization, training, and sanctions.
  • Maintain incident response, breach notification procedures, and contingency plans.

Technical safeguards

  • Access control: unique user identification, emergency access procedures, automatic logoff, and encryption of stored electronic PHI where appropriate.
  • Audit controls: hardware, software, and procedural mechanisms that record and examine activity in systems containing electronic PHI.
  • Integrity: mechanisms to detect improper alteration or destruction of electronic PHI.
  • Person or entity authentication: verify that anyone seeking access is who they claim to be.
  • Transmission security: guard against unauthorized access to electronic PHI in transit, including encryption where appropriate.

Physical safeguards

  • Control facility and device access; secure workstations and media.
  • Use clean-desk practices, badge access, and secure disposal for media containing PHI.

Data lifecycle and minimum necessary

Map where PHI is created, received, maintained, and transmitted. Limit data collection, retention, and disclosure to the minimum necessary to accomplish the task, and regularly purge or archive PHI consistent with policy and legal requirements.
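One way the minimum necessary standard, the hybrid-entity component boundary, and the accounting-of-disclosures duty fit together in software, as an added illustration that is not code from the page or from any product it mentions: a disclosure function that first checks whether the requesting role sits inside a designated health care component, then returns only the fields the role's task needs, and records each disclosure so an accounting can be produced later. The roles, components, field sets, and the patient record are all constructed for the example (synthetic data, not a real patient), and the policy names are hypothetical.

```python
"""Minimum-necessary PHI disclosure with component scoping and an accounting log.

Added illustration only: not code from the page or from any product it mentions.
Roles, components, field sets and the record below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample PHI record (synthetic, not a real patient).
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Test Patient",
    "dob": "1980-01-01",
    "diagnosis_codes": ["E11.9"],
    "procedure_codes": ["99213"],
    "charge_amount": 150.00,
    "insurer_member_id": "MBR-777",
    "clinical_notes": "Follow-up visit; medication adjusted.",
}

# Hypothetical hybrid entity: only these components are designated health care
# components. Workforce roles in any other component get no PHI at all.
HEALTH_CARE_COMPONENTS = {"clinic", "billing"}

# Hypothetical minimum-necessary policy: the component each role belongs to and
# the smallest set of PHI fields that role needs for its routine task.
ROLE_POLICY = {
    "treating_clinician": {
        "component": "clinic",
        "fields": {"patient_id", "name", "dob", "diagnosis_codes",
                   "procedure_codes", "clinical_notes"},
    },
    "billing_clerk": {
        "component": "billing",
        "fields": {"patient_id", "name", "dob", "diagnosis_codes",
                   "procedure_codes", "charge_amount", "insurer_member_id"},
    },
    "scheduler": {
        "component": "clinic",
        "fields": {"patient_id", "name"},
    },
    # A role in a non-covered component of the same legal entity: listed
    # fields are irrelevant because the component check fails first.
    "marketing_analyst": {
        "component": "marketing",
        "fields": {"patient_id", "name", "diagnosis_codes"},
    },
}


@dataclass(frozen=True)
class Disclosure:
    """One entry for an accounting-of-disclosures request."""
    when: str
    patient_id: str
    role: str
    component: str
    purpose: str
    fields: tuple


class MinimumNecessaryFilter:
    def __init__(self, policy, health_care_components):
        self.policy = policy
        self.health_care_components = health_care_components
        self.accounting: list[Disclosure] = []

    def is_permitted(self, role):
        """True only for known roles inside a designated health care component."""
        entry = self.policy.get(role)
        return entry is not None and entry["component"] in self.health_care_components

    def disclose(self, record, role, purpose):
        """Return the subset of `record` the role may see and log the disclosure.

        Raises PermissionError for unknown roles and for roles outside the
        designated health care components, before any field filtering happens.
        """
        if not self.is_permitted(role):
            raise PermissionError(f"role {role!r} is not in a health care component")
        allowed = self.policy[role]["fields"]
        # Field-level filter: drop everything outside the role's permitted set.
        filtered = {k: v for k, v in record.items() if k in allowed}
        self.accounting.append(Disclosure(
            when=datetime.now(timezone.utc).isoformat(),
            patient_id=record["patient_id"],
            role=role,
            component=self.policy[role]["component"],
            purpose=purpose,
            fields=tuple(sorted(filtered)),
        ))
        return filtered

    def accounting_for(self, patient_id):
        """Entries to hand over when a patient requests an accounting of disclosures."""
        return [d for d in self.accounting if d.patient_id == patient_id]


if __name__ == "__main__":
    f = MinimumNecessaryFilter(ROLE_POLICY, HEALTH_CARE_COMPONENTS)
    print(f.disclose(SAMPLE_RECORD, "billing_clerk", "payment"))
    print(f.disclose(SAMPLE_RECORD, "scheduler", "treatment"))
    print(f.is_permitted("marketing_analyst"))  # False: outside the designated components
    print(len(f.accounting_for("P-1001")))      # 2
```

The component check deliberately runs before the field filter: in a hybrid entity, a role in a non-covered component must not receive PHI even if someone mistakenly lists fields for it in the policy. Keeping the accounting entries as immutable records with a sorted field tuple makes them easy to export or compare during an audit.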

Conclusion

HIPAA Privacy Rule applicability centers on who you are (covered entity, business associate, or hybrid entity component) and what you do with PHI. With the right covered entity designation, a precise business associate agreement, and disciplined safeguards that extend to subcontractors, you can meet HIPAA requirements confidently and consistently.

FAQs

Which entities qualify as covered entities under HIPAA?

Covered entities include health plans, health care providers that conduct standard electronic transactions (such as claims or eligibility checks), and health care clearinghouses that convert data between standard and nonstandard formats. If your legal entity fits one of these categories, HIPAA applies to your relevant operations.

What roles do business associates play under the HIPAA Privacy Rule?

Business associates perform services for covered entities (or other business associates) that require creating, receiving, maintaining, or transmitting PHI. They must implement safeguards, limit uses and disclosures to what the contract permits, report incidents, and flow down equivalent protections to subcontractors.

Are subcontractors required to comply with HIPAA?

Yes. A subcontractor that creates, receives, maintains, or transmits PHI for a business associate is itself a business associate with the same HIPAA obligations. The business associate that engages it must execute a written agreement imposing equivalent obligations and should verify the subcontractor's safeguards.

How do hybrid entities manage HIPAA compliance?

Hybrid entities formally identify their health care components and apply HIPAA rules to those components (and relevant support units). They separate access and processes to prevent inappropriate PHI sharing, maintain policies and training, and periodically reassess designations as services evolve.
