Who Are HIPAA Covered Entities and Business Associates? Definitions and Examples


Kevin Henry

HIPAA

March 17, 2024

6 minutes read

HIPAA Covered Entities Overview

Definition and scope

HIPAA covered entities are organizations directly regulated by the HIPAA Privacy, Security, and Breach Notification Rules. They include health plans, health care clearinghouses, and health care providers who conduct standard electronic administrative transactions. These entities create, receive, maintain, or transmit Protected Health Information (PHI), including Electronic Protected Health Information (ePHI), and must meet HIPAA Compliance obligations.

PHI and ePHI at a glance

PHI is individually identifiable health information in any form. ePHI is PHI stored or transmitted electronically. Covered entities must implement PHI Safeguarding across policies, processes, and technology to protect confidentiality, integrity, and availability.

Business Associates Explained

Definition

A business associate is a person or organization that performs services or functions for a covered entity—and sometimes for another business associate—that involve creating, receiving, maintaining, or transmitting PHI. Employees are not business associates; vendors and subcontractors are when their work involves PHI or Electronic Protected Health Information (ePHI).

Common examples

  • Claims processing, billing, coding, and revenue cycle firms
  • Cloud hosting, data backup, and managed IT or cybersecurity providers handling ePHI
  • Electronic health record (EHR) platforms and patient portal vendors
  • Data analytics, quality improvement, care management, and utilization review services
  • Legal, actuarial, consulting, accreditation, and auditing firms with PHI access
  • Transcription, medical scribe, mailing, and shredding/document destruction services

Criteria for Covered Entities

Covered Entity Criteria

  • Health plans: insurers, HMOs, government programs (e.g., certain public payer plans), and employer-sponsored group health plans
  • Health care providers: any provider who transmits health information electronically in connection with HIPAA Transactions (e.g., claims, eligibility, referrals, authorizations, remittance)
  • Health care clearinghouses: entities that translate nonstandard health information into standard transaction formats and vice versa

When providers are covered

Providers become covered entities when they use standard HIPAA Transactions electronically—directly or through a vendor. A clinician who only handles paper and never conducts a standard transaction electronically may not be covered, but most modern practices use electronic claims or eligibility checks.

Hybrid entities and employers

Organizations with mixed operations (for example, a university with a clinic) may designate health care components as “hybrid entities.” Employers themselves are not covered entities simply by employing people; however, their sponsored group health plans are covered entities.

Roles of Business Associates

Key responsibilities

  • Use and disclose PHI only as permitted by a Business Associate Agreement and applicable law
  • Implement administrative, physical, and technical safeguards to protect ePHI
  • Limit PHI to the minimum necessary to perform contracted services
  • Flow down HIPAA obligations to subcontractors that handle PHI

Breach notification duties

Business associates must promptly report security incidents and any breach of unsecured PHI to the covered entity, enabling timely notifications required by the Breach Notification Rule.

Business Associate Agreements

Purpose of a Business Associate Agreement

A Business Associate Agreement (BAA) is the contract that authorizes a vendor to handle PHI and binds it to HIPAA’s requirements. No PHI should be shared with a vendor until a signed BAA is in place.

Core elements required

  • Permitted and required uses and disclosures of PHI
  • Commitment to PHI Safeguarding and compliance with the Security Rule for ePHI
  • Obligation to report breaches and security incidents without unreasonable delay
  • Requirement to ensure subcontractors agree to the same protections
  • Support for access, amendment, and accounting of disclosures as applicable
  • Availability of records to regulators for compliance review
  • Return or secure destruction of PHI upon contract termination when feasible
  • Right to terminate for material breach of HIPAA obligations

Compliance Requirements

Program fundamentals

  • Enterprise-wide risk analysis and risk management tailored to ePHI
  • Written policies and procedures aligned to the Privacy, Security, and Breach Notification Rules
  • Workforce training, role-based access, and sanctions for noncompliance
  • Vendor risk management, including executing and managing Business Associate Agreements

PHI Safeguarding in practice

  • Technical: encryption in transit and at rest, multifactor authentication, least privilege, audit logs, endpoint/device security
  • Administrative: contingency planning, incident response, change management, ongoing risk assessments
  • Physical: facility access controls, device/media controls, secure disposal and destruction

Privacy and breach response

Apply the minimum necessary standard and restrict disclosures to permitted purposes. For breaches of unsecured PHI, notify affected individuals and, when applicable, regulators without unreasonable delay and no later than 60 days after discovery.

HIPAA Transactions and standardization

Covered entities that conduct HIPAA Transactions must use standard formats and code sets. Compliance reduces friction in claims, eligibility, referrals, and remittance processes and is a key trigger for covered status among providers.

Examples of Covered Entities and Business Associates

Covered entities

  • Hospitals, physician practices, clinics, urgent care centers, dentists, and pharmacies
  • Health plans such as commercial insurers, HMOs, and employer-sponsored group health plans
  • Health care clearinghouses that convert health data to or from standard formats

Business associates

  • EHR and practice management vendors; telehealth and e-prescribing platforms
  • Cloud infrastructure, secure email/messaging, data backup, and disaster recovery providers handling ePHI
  • Billing, coding, revenue cycle, and claims adjudication services
  • Analytics, population health, utilization management, and quality improvement firms
  • Law firms, auditors, accreditors, consultants, and actuaries with PHI access
  • Transcription, call center, mailing/printing, and shredding companies

Not typically covered

  • Banks or couriers processing general payments or shipments without PHI content
  • Consumer apps used independently by patients and not on behalf of a covered entity

Conclusion

In short, covered entities are the health plans, providers, and clearinghouses directly regulated by HIPAA, while business associates are the vendors that handle PHI on their behalf. Understanding Covered Entity Criteria, defining roles via a Business Associate Agreement, and implementing robust PHI Safeguarding are central to effective HIPAA Compliance.

FAQs

What is a HIPAA covered entity?

A HIPAA covered entity is a health plan, health care clearinghouse, or a health care provider that conducts standard HIPAA Transactions electronically. These organizations are directly subject to HIPAA’s Privacy, Security, and Breach Notification Rules when they create, receive, maintain, or transmit PHI.

How is a business associate defined under HIPAA?

A business associate is any non-workforce person or organization that performs functions or services for a covered entity—or another business associate—that involve creating, receiving, maintaining, or transmitting PHI. The business associate must safeguard PHI and comply with applicable HIPAA requirements through a Business Associate Agreement.

What types of services do business associates provide?

Typical services include billing and revenue cycle, claims processing, data hosting and backup, EHR and telehealth platforms, analytics and quality improvement, legal and auditing support, transcription, mailing, and secure document destruction—so long as those services involve PHI.

What is required in a business associate agreement?

A Business Associate Agreement must specify permitted uses and disclosures, require PHI Safeguarding with appropriate administrative, physical, and technical controls, mandate breach reporting, bind subcontractors to the same protections, support individual rights where applicable, allow regulatory access, and address PHI return or destruction and termination for cause.
