Which Group Is Not One of the Three HIPAA Covered Entities? Answer: Business Associates


Kevin Henry

HIPAA

July 07, 2025

5 minutes read

The short answer is right in the title: business associates are not one of the three HIPAA covered entities. Under the HIPAA Privacy Rule and related HIPAA compliance requirements, only health care providers, health plans, and health care clearinghouses qualify as covered entities.

Understanding that boundary helps you manage risk, draft the right Business Associate Agreements, and support secure health information portability across your organization’s data flows.

HIPAA Covered Entities Overview

HIPAA—the Health Insurance Portability and Accountability Act—defines a covered entity as an organization that directly handles protected health information (PHI) in specific, standardized electronic transactions. This covered entity definition includes three, and only three, categories.

  • Health care providers that conduct standard electronic transactions (for example, claims or eligibility checks).
  • Health plans, such as insurers and employer group health plans.
  • Health care clearinghouses that convert nonstandard data to standard formats (and vice versa).

Each covered entity must meet HIPAA compliance requirements: limit uses and disclosures, safeguard PHI under the Security Rule, and uphold individual rights under the Privacy Rule. Business associates support these entities but are not themselves one of the three categories.

Health Care Providers as Covered Entities

A provider becomes a HIPAA covered entity when it transmits PHI electronically in a HIPAA-standard transaction. That threshold—not professional license or practice size—triggers the obligations.

Examples

  • Physicians, clinics, and urgent care centers submitting electronic claims.
  • Dentists, chiropractors, psychologists, and therapists using electronic eligibility or referral transactions.
  • Pharmacies processing electronic prescriptions and claims.

Once in scope, providers must implement administrative, physical, and technical safeguards, apply the minimum necessary standard, issue a Notice of Privacy Practices, and manage Business Associate Agreements with vendors that access PHI.

Role of Health Plans

Health plans finance or pay the cost of medical care and are covered entities regardless of whether they outsource operations. This includes commercial insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans.

Plans must protect enrollee PHI, restrict uses to treatment, payment, and health care operations (or authorized purposes), honor member rights (access, amendment, accounting), and maintain BAAs with administrators and service providers that handle PHI on the plan’s behalf.


Health Care Clearinghouses Explained

Clearinghouses are intermediaries that transform health information between nonstandard and HIPAA-standard formats. Think of them as translators for claim files, eligibility inquiries, remittance advice, and related EDI transactions.

Because they systematically receive, process, and transmit PHI to and from providers and plans, clearinghouses are covered entities and must secure data at every conversion point.

Definition of Business Associates

A business associate is a person or organization that performs functions or services for—or provides certain services to—a covered entity and, in doing so, creates, receives, maintains, or transmits PHI. Typical examples include IT and cloud vendors, claims processors, billing services, e-discovery firms, consultants, and analytics providers.

Business associates are not covered entities by category. Instead, they become contractually and directly responsible for safeguarding PHI through a Business Associate Agreement and by complying with applicable HIPAA Privacy and Security Rule provisions that govern their work.

Common Business Associate Activities

  • Data hosting, backup, and cybersecurity monitoring that stores PHI.
  • Revenue cycle management, utilization review, and quality analytics.
  • Legal, actuarial, or consulting services that access PHI to deliver advice.

Distinction Between Covered Entities and Business Associates

The key difference is categorical: covered entities are the three HIPAA-defined groups; business associates are external partners that help those groups perform functions involving PHI. A company can be a covered entity for one line of business and a business associate in another, depending on its role and data flows.

How the Differences Play Out

  • Regulatory status: Providers, plans, and clearinghouses are covered entities; business associates are not one of the three, but they are directly liable for safeguarding PHI relevant to their services.
  • Contracts: Covered entities must execute a Business Associate Agreement before a vendor accesses PHI; the BAA binds the vendor to HIPAA terms.
  • Individual rights: Covered entities interface with patients or members to process access, amendment, and accounting requests; business associates typically act through the covered entity.
  • Compliance operations: Both must implement risk analysis, safeguards, workforce training, and breach reporting, but covered entities also issue Notices of Privacy Practices and manage overall HIPAA program governance.

Bottom line: Business associates are critical partners in secure health information portability, yet they are not one of the three HIPAA covered entities. Recognizing that distinction helps you assign responsibilities, structure contracts, and maintain compliance without gaps.

FAQs

What are the three HIPAA covered entities?

The three covered entities are health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. No other group—including business associates—belongs on that list.

How do business associates differ from covered entities?

Covered entities are defined by HIPAA as providers, plans, and clearinghouses. Business associates are outside organizations that perform services involving PHI for those entities. They must sign a Business Associate Agreement and comply with applicable HIPAA requirements but are not a fourth covered-entity category.

Are business associates subject to HIPAA regulations?

Yes. Business associates are directly liable for meeting HIPAA Security Rule requirements and select Privacy Rule obligations tied to their contracted services, including limiting uses/disclosures, implementing safeguards, and reporting breaches to the covered entity.

What responsibilities do covered entities have under HIPAA?

Covered entities must protect PHI through risk analysis and safeguards, apply the minimum necessary standard, provide a Notice of Privacy Practices, honor individual rights (access, amendment, accounting), execute and oversee Business Associate Agreements, train their workforce, and follow breach notification procedures.
