Understanding the Relationship Between HIPAA Covered Entities and Business Associates
Understanding how HIPAA covered entities and business associates work together is essential to protecting Protected Health Information (PHI) and maintaining HIPAA compliance. The relationship is defined by roles, contracts, and obligations that govern who may use or disclose PHI and under what conditions.
This guide clarifies each party’s responsibilities, the need for a Business Associate Agreement (BAA), required data safeguards, and how liability flows to subcontractors. With clear boundaries and strong agreements, you reduce risk of unauthorized disclosure and avoid costly civil penalties.
Definition of Covered Entities
Covered entities are the core organizations directly regulated by HIPAA. They include:
- Health care providers who transmit health information electronically in standard transactions (for example, claims or eligibility checks).
- Health plans, such as insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans.
- Health care clearinghouses that process nonstandard data into standard formats.
As a covered entity, you are responsible for safeguarding PHI across your workforce and systems. If another organization performs services involving PHI for you and is not part of your workforce, that organization is typically a business associate.
Definition of Business Associates
A business associate is any person or organization that creates, receives, maintains, or transmits PHI for or on behalf of a covered entity to perform functions or services. Common examples include billing companies, EHR and cloud vendors, IT support, data analytics firms, consultants, legal counsel, and auditors.
Entities that merely transport information as a true “conduit” (for example, a postal carrier) are not business associates. However, a service provider that stores PHI or can routinely access it (even if the PHI is encrypted) is generally a business associate and must meet HIPAA compliance obligations.
Requirement for Business Associate Agreements
Before you share PHI for a service, you must have a written Business Associate Agreement in place. The BAA defines how the business associate may use and disclose PHI, mandates security controls, and assigns responsibilities for incident and breach response.
A BAA is also required between a business associate and any subcontractor that handles PHI on its behalf. Without a valid BAA, disclosures of PHI are typically impermissible and can trigger enforcement actions.
Contents of Business Associate Agreements
Effective BAAs clearly translate HIPAA’s rules into contract terms. Key elements include:
- Permitted and required uses and disclosures of PHI, applying the minimum necessary standard.
- Data safeguards: administrative, physical, and technical measures to protect ePHI and reduce risk of unauthorized disclosure.
- Security incident and breach notification duties, including reporting timelines and cooperation requirements.
- Obligation to mitigate harmful effects of any improper use or disclosure.
- Flow-down terms requiring subcontractors to agree to the same restrictions and safeguards.
- Support for individual rights (access, amendment, and accounting of disclosures) when your covered entity must respond.
- Availability of records to regulators for compliance reviews.
- Return or destruction of PHI at contract end, if feasible, and limits on retained data.
- Right to terminate the agreement for material breach and requirements for corrective action.
Many organizations also include operational terms such as audit rights, cyber insurance, indemnification, and detailed incident response procedures to strengthen real-world compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Liability of Business Associates
Business associates are directly liable for complying with applicable HIPAA provisions. Failures to implement safeguards, impermissible uses or disclosures of PHI, or delays in breach notification can result in civil penalties, corrective action plans, and reputational harm.
Liability can be contractual (under the BAA) and regulatory. Willful neglect or patterns of noncompliance increase exposure. Covered entities may also face risk if they lack a BAA or ignore signs that a business associate is violating HIPAA.
Role of Subcontractors
Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates. They must sign a BAA with the upstream business associate, and subcontractor liability mirrors the obligations in that agreement.
To manage risk down the chain, require due diligence, documented security practices, risk assessments, and audit or verification rights. Clear flow-down requirements help ensure consistent safeguards and reduce the chance of cascading breaches.
Covered Entity as Business Associate
A covered entity can act as a business associate when it performs services for another covered entity (or for a business associate) that involve PHI and are outside its own treatment, payment, or health care operations. In that role, the covered entity must sign a BAA and meet business associate duties for that arrangement.
This dual status does not change the organization’s obligations as a covered entity in its own right; rather, it adds specific, contract-defined responsibilities for the services it provides. Clarity on scope, permitted uses, and data segregation helps prevent conflicts and supports compliance.
In practice, well-crafted BAAs, robust data safeguards, and disciplined vendor oversight create a clear chain of trust that protects PHI, enables lawful data flows, and minimizes exposure to civil penalties for all parties.
FAQs
What is a HIPAA covered entity?
A HIPAA covered entity is a health plan, health care clearinghouse, or a health care provider that electronically transmits health information in standard transactions. Covered entities must protect PHI and ensure any outside party handling PHI does so under appropriate safeguards.
What activities qualify an entity as a business associate?
Any function or service for a covered entity that involves creating, receiving, maintaining, or transmitting PHI qualifies, such as billing, claims processing, IT hosting, data analytics, and legal or consulting services. If a vendor can routinely access stored PHI, it is generally a business associate.
What must be included in a business associate agreement?
The BAA must define permitted uses and disclosures, require administrative, physical, and technical safeguards, set incident and breach notification duties, flow down obligations to subcontractors, support individual rights, allow regulatory access, and address PHI return or destruction and termination for breach.
Can a covered entity be a business associate?
Yes. When a covered entity performs services for another covered entity or a business associate that involve PHI and fall outside its own treatment, payment, or operations, it acts as a business associate and must sign a BAA for that arrangement.
What liabilities do business associates face under HIPAA?
Business associates face direct HIPAA enforcement, including civil penalties, corrective action plans, and contractual damages under the BAA for failures such as inadequate safeguards or unauthorized disclosure. Subcontractor liability can also apply if downstream vendors mishandle PHI.