Is a Business Associate a Covered Entity Under HIPAA? Key Differences Explained


Kevin Henry

HIPAA

March 01, 2024

6 minutes read

No. Under HIPAA, a business associate is not a covered entity. Each plays a distinct role in handling Protected Health Information (PHI), including Electronic Protected Health Information (ePHI). Both are subject to HIPAA requirements, but their duties, liabilities, and day-to-day responsibilities differ, especially under the HIPAA Privacy Rule, HIPAA Security Rule, and HITECH Act Enforcement.

Definition of Covered Entity

A covered entity is an organization directly involved in the delivery or payment of health care that handles PHI. HIPAA recognizes three types of covered entities that engage in standard electronic transactions involving ePHI.

Health plans

Insurers, HMOs, employer-sponsored group health plans, and government programs that pay for health care are covered entities. They use PHI to determine eligibility, authorize care, and process claims.

Health care providers

Any provider (for example, physicians, hospitals, pharmacies, labs, and clinics) that transmits health information electronically in standard transactions is a covered entity. These organizations generate and maintain PHI in treatment and operations.

Health care clearinghouses

Clearinghouses convert nonstandard health data into standard formats (and vice versa) for billing and other transactions. Their core business is data translation that involves PHI.

Definition of Business Associate

A business associate is a person or organization that performs functions, activities, or services for—or on behalf of—a covered entity (or another business associate) that involve the use or disclosure of PHI. Typical work includes claims processing, data hosting, analytics, IT support, or consulting that requires access to ePHI.

Business Associate Agreement

Before a business associate may receive PHI, the parties must execute a Business Associate Agreement (BAA). The BAA defines permitted uses and disclosures, mandates safeguards aligned to the HIPAA Security Rule, requires minimum necessary practices, and sets breach reporting and subcontractor “flow-down” obligations for regulatory compliance.

When one entity has both roles

An organization can be a covered entity for one line of business (for example, a clinic) and a business associate for another (for example, a separate billing services arm). Responsibilities follow the role being performed at the time PHI is handled.

Key Differences Between Covered Entities and Business Associates

  • Primary role: Covered entities deliver or pay for care; business associates support those activities by providing services that require PHI access.
  • Patient relationship: Covered entities typically have a direct relationship with individuals; business associates usually do not and act under a covered entity’s direction or contract.
  • Legal obligations: Covered entities must meet all HIPAA Privacy Rule requirements. Business associates are directly regulated for the HIPAA Security Rule and specific Privacy Rule provisions through HITECH Act Enforcement.
  • Use and disclosure of PHI: Covered entities use and disclose PHI as permitted by HIPAA (for example, treatment, payment, health care operations). Business associates may use or disclose PHI only as allowed by the BAA and HIPAA, applying the minimum necessary standard.
  • Individual rights: Covered entities must provide a Notice of Privacy Practices and fulfill requests for access, amendments, and accountings. Business associates support these rights as required by the BAA and must furnish information the covered entity needs to respond.
  • Breach notification path: Business associates must notify the covered entity of breaches of unsecured PHI; covered entities then notify affected individuals, and when required, regulators and media.
  • Contracting and oversight: Covered entities must execute and manage BAAs; business associates must also have BAAs with their subcontractors that handle PHI.

Compliance Obligations for Covered Entities

HIPAA Privacy Rule

  • Publish and distribute a Notice of Privacy Practices that explains uses and disclosures of PHI and individual rights.
  • Adopt policies, procedures, and workforce training to safeguard PHI and enforce the minimum necessary standard.
  • Respond to requests for access, amendments, restrictions, and accounting of disclosures within required timeframes.

HIPAA Security Rule

Breach Notification and Enforcement

  • Investigate incidents and, when a breach of unsecured PHI occurs, notify affected individuals and regulators within HIPAA timelines.
  • Understand that HITECH Act Enforcement increased penalties and audit scrutiny for noncompliance.

Compliance Obligations for Business Associates

Security and privacy requirements

  • Comply directly with the HIPAA Security Rule for ePHI, including risk analysis, safeguards, and ongoing monitoring.
  • Use and disclose PHI only as permitted by the BAA and HIPAA, applying the minimum necessary standard in daily operations.

Contractual duties and subcontractors

  • Execute a Business Associate Agreement before receiving PHI and impose equivalent obligations on subcontractors that handle PHI.
  • Maintain documentation, training, and sanctions to meet regulatory compliance expectations.

Incident response and breach notification

  • Detect, investigate, and document security incidents and breaches, then notify the covered entity without unreasonable delay as required by the BAA and HIPAA.

Examples of Covered Entities

  • Hospitals, physician practices, clinics, urgent care centers, and ambulatory surgery centers.
  • Pharmacies, clinical laboratories, imaging centers, and dental or vision providers that bill electronically.
  • Health plans and HMOs, Medicare and Medicaid plans, and employer-sponsored group health plans.
  • Health care clearinghouses that translate data between nonstandard and standard transaction formats.

Examples of Business Associates

  • Cloud service providers, data centers, backup and archiving vendors, and email or messaging platforms that store ePHI.
  • EHR and practice management vendors, IT managed service providers, and cybersecurity firms with PHI access.
  • Legal counsel, accountants, consultants, transcriptionists, and medical device support teams handling PHI.
  • Shredding/document disposal companies and records management firms.

In short, a business associate is not a covered entity, but both must protect PHI. Covered entities set the purposes for PHI use and interact with patients; business associates enable those activities under a BAA and are directly accountable for security and specific privacy requirements. Strong contracts, risk management, and clear roles are essential to HIPAA-aligned operations.

FAQs

What defines a covered entity under HIPAA?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in standard transactions. These organizations create, receive, maintain, or transmit PHI as part of delivering or paying for care and must comply with the HIPAA Privacy Rule and Security Rule.

How does a business associate differ from a covered entity?

A business associate performs services for a covered entity (or another business associate) that require PHI access. It does not provide or pay for care as its primary role. Instead, it uses or discloses PHI only as permitted by a Business Associate Agreement and applicable HIPAA rules.

Are business associates directly regulated under HIPAA?

Yes. Through HITECH Act Enforcement, business associates are directly liable for complying with the HIPAA Security Rule and specific provisions of the Privacy Rule, including breach notification and the minimum necessary standard, and they face civil and, in some cases, criminal penalties for violations.

What are common examples of business associates?

Common examples include medical billing companies, cloud hosting providers, EHR or practice management vendors, IT and cybersecurity firms, legal and accounting advisors with PHI access, data destruction companies, and third-party administrators that process claims for health plans.
