The 4 HIPAA-Regulated Entities Explained: Covered Entities and Business Associates
Understanding who HIPAA regulates helps you assign responsibilities, manage vendors, and safeguard Protected Health Information (PHI). The four HIPAA-regulated entities are health plans, healthcare clearinghouses, healthcare providers that conduct standard electronic transactions, and business associates. This guide clarifies each role, shows how electronic protected health information (ePHI) is protected, and explains Business Associate Agreements, breach duties, and compliance expectations.
Covered Entities Overview
Health Plans
Health plans pay for or provide the cost of medical care and include private insurers, HMOs, government programs, and employer group health plans. Because they create, receive, maintain, and transmit PHI to enroll members, adjudicate claims, and manage benefits, they must apply HIPAA’s Privacy and Security Rules to paper, verbal, and electronic records alike.
Healthcare Providers
A provider (a hospital, physician, clinic, or pharmacy, for example) is a covered entity only when it transmits health information electronically in connection with a HIPAA standard transaction, such as a claim or an eligibility check; a practice that never conducts those transactions electronically is not covered. Covered providers must follow the minimum necessary standard, protect ePHI in EHRs and patient portals, and honor individual rights such as access and amendment.
Healthcare Clearinghouses
Healthcare clearinghouses convert nonstandard health information they receive from another entity into a standard format (and vice versa). By normalizing billing and claims data across systems, clearinghouses routinely handle PHI and ePHI, making them fully subject to HIPAA safeguards and documentation requirements.
Hybrid Entities (when applicable)
An organization whose activities include both covered and non-covered functions (a university that runs a medical center, for example) can designate itself a hybrid entity and identify its health care components. Only the designated components must comply with HIPAA; the remaining components fall outside scope, provided the organization keeps them adequately separated so that PHI does not flow from the health care components to the rest of the organization in ways the Privacy Rule would not permit.
Business Associates Roles
Business associates (BAs) are persons or organizations that perform functions or provide services for a covered entity involving PHI. Typical examples include cloud hosting providers, EHR vendors, billing services, claims processors, data centers, eDiscovery firms, consultants, and entities providing Data Aggregation Services to support health care operations. When BAs create, receive, maintain, or transmit PHI (including ePHI) on behalf of covered entities, they must implement HIPAA-grade safeguards and follow the terms of a Business Associate Agreement.
Permitted Uses and Disclosures
Under a valid agreement, BAs may use or disclose PHI only as necessary to perform contracted services, to meet legal obligations, or for limited management and administration tasks. They must apply the minimum necessary standard, maintain auditability, and avoid secondary uses (like marketing) unless expressly permitted or de-identified.
Business Associate Agreements
A Business Associate Agreement (BAA) is the contract that binds covered entities and BAs (and BAs with their subcontractors) to HIPAA’s Privacy, Security, and Breach Notification Rules. A well-constructed BAA should:
- Define permitted and required uses/disclosures of PHI, including any Data Aggregation Services performed for health care operations.
- Require appropriate administrative, physical, and technical safeguards for PHI and ePHI, with risk analysis and ongoing risk management.
- Mandate timely HIPAA Breach Notification from the BA to the covered entity and cooperation during incident response.
- Flow down identical privacy and security obligations to subcontractors that handle PHI.
- Support individuals’ rights (such as access, amendment, and accounting of disclosures) when the BA holds relevant records.
- Require return or secure destruction of PHI at contract termination; where neither is feasible, the BA must extend the agreement's protections to that PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
- Allow oversight, including inquiries, documentation requests, and Compliance Audits by or on behalf of the covered entity.
Direct Liability of Business Associates
Business associates are not merely contractually obligated; they are directly liable under HIPAA. Direct liability includes impermissible uses or disclosures of PHI, failing to provide breach notifications, not maintaining required Security Rule safeguards for ePHI, and failing to enter into BAAs that bind downstream subcontractors to equivalent protections. BAs must also cooperate with government investigations and keep required documentation that demonstrates ongoing compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Subcontractors Compliance Obligations
Subcontractors that create, receive, maintain, or transmit PHI for a BA are themselves business associates. They must sign BAAs that mirror upstream restrictions, implement Security Rule controls for ePHI, follow the minimum necessary standard, and report incidents to the BA without delay. Prime contractors should vet and monitor subcontractors, verify training and safeguards, and reserve rights to review controls or conduct targeted Compliance Audits where risk is high.
Safeguarding Protected Health Information
Administrative Safeguards
- Perform a documented risk analysis covering PHI workflows, applications, APIs, and integrations that store or process ePHI.
- Adopt policies for access, sanctions, vendor oversight, contingency planning, and HIPAA Breach Notification procedures.
- Train your workforce routinely and validate understanding with role-based education and phishing/incident drills.
Technical Safeguards
- Enforce least-privilege access, multifactor authentication, and unique user IDs across EHRs, data lakes, and admin tools.
- Encrypt ePHI in transit and at rest using methods consistent with HHS guidance; properly encrypted data counts as "secured" PHI, so its loss alone does not trigger breach notification. Implement network segmentation, endpoint protection, patching, and vulnerability management.
- Maintain audit controls and logs, monitor anomalies, and retain evidence for investigations and Compliance Audits.
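The audit-control bullet above is where most programs stall: logs are collected but nobody runs checks over them. The following is an added example, not code from the original page or from any product it mentions, showing three checks a reviewer typically runs over EHR access logs: a user opening an unusual number of distinct patient records in a short window, a clinician opening a record for a patient they are not treating, and a non-clinical role reading PHI outside business hours. The log format, the field names, the care-list table, and the thresholds are all assumptions chosen for the example, and the log lines are constructed.

```python
"""Anomaly checks over EHR audit-log lines (added example, not from the page).

Checks implemented:
  1. high_volume: one user opens >= VOLUME_THRESHOLD distinct patient records
     within VOLUME_WINDOW (snooping or bulk export)
  2. no_treatment_relationship: a clinician opens a record for a patient who
     is not on their assigned care list
  3. off_hours_access: a non-clinical role (e.g. billing) reads PHI outside
     business hours
Log format, field names, care lists and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, role, patient id, action.
SAMPLE_LOG = """\
2024-03-04T09:01:00 dr.lee clinician P1001 view
2024-03-04T09:05:00 dr.lee clinician P1002 view
2024-03-04T09:07:00 billing.kim billing P1001 view
2024-03-04T22:30:00 billing.kim billing P1003 view
2024-03-04T10:00:00 nurse.ray clinician P2001 view
2024-03-04T10:01:00 nurse.ray clinician P2002 view
2024-03-04T10:02:00 nurse.ray clinician P2003 view
2024-03-04T10:03:00 nurse.ray clinician P2004 view
2024-03-04T10:04:00 nurse.ray clinician P2005 view
2024-03-04T10:05:00 nurse.ray clinician P2006 view
2024-03-04T11:00:00 dr.lee clinician P3001 view
"""

# Assumed care assignments: which patients each clinician is currently treating.
# In a real deployment this comes from the EHR's encounter/assignment tables.
CARE_LISTS = {
    "dr.lee": {"P1001", "P1002"},
    "nurse.ray": {"P2001", "P2002"},
}

VOLUME_THRESHOLD = 5               # distinct patients within the window
VOLUME_WINDOW = timedelta(hours=1)
BUSINESS_HOURS = range(7, 19)      # 07:00 through 18:59
CLINICAL_ROLES = {"clinician"}


def parse_log(text):
    """Parse the constructed log format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events):
    """Return a list of (check_name, user, detail) findings."""
    findings = []
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
        # 2. treatment-relationship check applies to clinical roles; billing
        #    staff would need a different relationship source (claims queue).
        if e["role"] in CLINICAL_ROLES and \
                e["patient"] not in CARE_LISTS.get(e["user"], set()):
            findings.append(("no_treatment_relationship", e["user"], e["patient"]))
        # 3. off-hours access by non-clinical roles
        if e["role"] not in CLINICAL_ROLES and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_access", e["user"], e["patient"]))
    # 1. sliding-window volume check, one finding per user at most
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= VOLUME_WINDOW]
            distinct = {x["patient"] for x in window}
            if len(distinct) >= VOLUME_THRESHOLD:
                findings.append(("high_volume", user, len(distinct)))
                break
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

The fixed threshold is the weak point of the volume check: a triage nurse legitimately opens many charts per hour, so production rules compare against a per-role baseline rather than a single constant. The relationship check is the one that catches most real snooping cases, and it only works if the care-list source is authoritative and kept current.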
Physical and Data Lifecycle Safeguards
- Control facility access, secure server rooms, and protect mobile devices and media.
- Use secure disposal methods for paper and electronic media; validate destruction certificates from vendors.
- Limit data collection, apply the minimum necessary, and prefer de-identified or aggregated data where appropriate.
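"Prefer de-identified data" (here and in the permitted-uses section above) has a concrete meaning under HIPAA: the Safe Harbor method in 45 CFR 164.514(b)(2) removes 18 classes of identifiers, reduces dates to the year, caps ages at 90+, and truncates ZIP codes to three digits (or 000 for sparsely populated areas). The block below is an added example, not code from the original page, applying that method to a flat record. The field names, the sample record, and the restricted ZIP3 set are constructed assumptions; in practice the ZIP3 list must be derived from current Census population data, and the 18th category (any other unique identifying number, characteristic, or code) still requires a field-by-field review that no generic function can replace.

```python
"""Safe Harbor de-identification of a flat patient record (added example,
not from the page). Field names and the restricted ZIP3 set are assumptions.
"""
from datetime import date

# The 17 named identifier classes from 164.514(b)(2), mapped to assumed field
# names. Anything not listed here is passed through, so the 18th class (any
# other unique code) must be caught by reviewing the schema, not by this set.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual: keep the year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Constructed stand-in for the ZIP3 areas with 20,000 or fewer residents.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Constructed sample record.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "dob": "1931-02-15",
    "zip": "03602",
    "email": "jane@example.com",
    "admit_date": "2024-03-04",
    "diagnosis_code": "E11.9",
}


def generalize_zip(zip_code):
    """First three ZIP digits, or 000 when that area is too small."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob, as_of):
    """Age in whole years as of a reference date, capped at '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else age


def safe_harbor_deidentify(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    dob = date.fromisoformat(record["dob"]) if "dob" in record else None
    age = generalize_age(dob, as_of) if dob else None
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                        # drop outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            if field == "dob" and age == "90+":
                continue                    # birth year would reveal age > 89
            out[field + "_year"] = date.fromisoformat(value).year
        elif field == "age":
            continue                        # replaced by the capped value
        else:
            out[field] = value              # clinical content passes through
    if age is not None:
        out["age"] = age
    return out


if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD, date(2024, 3, 4)))
```

Note what the function does not do: it does not touch free-text fields, which routinely contain names and dates, and it does not assess re-identification risk. A record that survives Safe Harbor can still be identifying in combination with other data, which is why the rule's alternative, Expert Determination, exists.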
Incident Response and Breach Notification
Prepare playbooks that define detection, containment, forensics, individual notification, and regulatory reporting steps. Coordinate closely with business associates and subcontractors so notifications, remediation, and communications occur quickly and consistently with the HIPAA Breach Notification Rule.
HIPAA Regulatory Requirements
Privacy Rule
The Privacy Rule governs how PHI may be used and disclosed and grants individuals rights to access and obtain copies of their records, request amendments, and receive an accounting of disclosures. Covered entities must apply the minimum necessary standard and maintain a current notice of privacy practices.
Security Rule
The Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI); unlike the Privacy Rule, it does not reach paper or spoken PHI. You must run a risk-based program that ensures the confidentiality, integrity, and availability of ePHI, with documented controls, monitoring, and continuous improvement.
Breach Notification Rule
When a breach of unsecured PHI occurs, the covered entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; a business associate must notify the covered entity within the same limit, or sooner if the BAA requires it. Breaches affecting 500 or more individuals must also be reported to HHS at the same time and, when the affected individuals are concentrated in one state or jurisdiction, announced through prominent media outlets. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Thorough documentation of the risk assessment and of every notification is essential.
Enforcement and Compliance Audits
The Office for Civil Rights (OCR) enforces HIPAA through investigations, resolution agreements, civil monetary penalties, and periodic Compliance Audits. Strong governance, complete records, vendor oversight, and tested incident response plans are the best preparation for scrutiny and for day-to-day protection of PHI.
Conclusion
HIPAA regulates four entities: health plans, healthcare clearinghouses, covered healthcare providers, and business associates. Clear BAAs, strong safeguards for PHI and ePHI, diligent subcontractor management, and readiness for breach notification and audits form the core of a resilient compliance program.
FAQs
What are the four entities covered by HIPAA?
The four are health plans, healthcare clearinghouses, healthcare providers that conduct standard electronic transactions, and business associates that handle PHI for those covered entities. Subcontractors that work for a business associate and touch PHI are also treated as business associates.
How do business associates differ from covered entities?
Covered entities deliver care, pay for care, or standardize transactions, while business associates perform services involving PHI on their behalf (for example, hosting, billing, analytics, or Data Aggregation Services). BAs must comply with HIPAA and a Business Associate Agreement but typically do not provide treatment or pay claims directly.
What is required in a business associate agreement?
A BAA must specify permitted uses and disclosures of PHI, require HIPAA-grade safeguards for ePHI, mandate breach reporting, flow down obligations to subcontractors, enable individual rights support when applicable, address return or destruction of PHI at termination, and allow oversight and Compliance Audits.
Are subcontractors of business associates also regulated by HIPAA?
Yes. A subcontractor that creates, receives, maintains, or transmits PHI for a business associate is itself a business associate. It must sign a BAA with upstream partners, implement required safeguards, and is directly liable for HIPAA violations.