Who HIPAA Covers: Covered Entities and Business Associates Responsibilities Checklist
Use this guide to quickly determine who HIPAA covers and how responsibilities break down. You’ll find a practical checklist for covered entities and business associates, grounded in the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule.
The goal: help you protect Protected Health Information (PHI), execute a solid Business Associate Agreement (BAA), and run effective compliance monitoring without guesswork.
Covered Entities Definition
Who is a covered entity
- Health plans: group health plans, insurers, HMOs, Medicare, Medicaid, and certain employer-sponsored health plans.
- Health care clearinghouses: entities that translate or standardize health information between providers and payers.
- Health care providers: any provider who transmits health information electronically in connection with standard transactions (claims, eligibility, referrals).
Scope of PHI
Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate, in any form (electronic, paper, or oral). De-identified data that meets HIPAA de-identification standards is not PHI.
Responsibilities checklist
- Apply the HIPAA Privacy Rule: use/disclose PHI only as permitted; follow minimum necessary; issue a Notice of Privacy Practices.
- Apply the HIPAA Security Rule to ePHI: administrative, physical, and technical safeguards based on a documented risk analysis.
- Execute BAAs before sharing PHI with a vendor; verify downstream protections via subcontractor assurance.
- Honor individual rights: access, amendments, restrictions, confidential communications, and accounting of disclosures.
- Train workforce, enforce sanctions, retain required documentation for at least six years.
Business Associates Role and Functions
Definition and examples
A business associate performs services or functions for a covered entity (or another BA) that involve creating, receiving, maintaining, or transmitting PHI. Common examples include claims processing, billing, data hosting and backup, EHR and practice management vendors, analytics firms, e-prescribing, telehealth platforms, and e-mail or cloud services that store PHI.
What is not a business associate
- Mere conduits that only transmit data without persistent storage (e.g., certain postal or telecom carriers).
- Vendors that receive properly de-identified data only.
Responsibilities checklist
- Sign and comply with a Business Associate Agreement (BAA) before handling PHI.
- Follow the HIPAA Security Rule for ePHI and applicable parts of the Privacy Rule.
- Report security incidents and potential breaches to the covered entity promptly.
- Flow down obligations to subcontractors that handle PHI; obtain subcontractor assurance through BAAs.
Business Associate Agreement Requirements
Core clauses every BAA must include
- Permitted and required uses/disclosures of PHI, with minimum necessary standards.
- Safeguards: implement administrative, physical, and technical measures meeting the HIPAA Security Rule.
- Incident and breach reporting: notify the covered entity without unreasonable delay and within required timelines under the Breach Notification Rule.
- Subcontractor assurance: require downstream BAAs with the same restrictions and conditions.
- Access, amendment, and accounting support: assist the covered entity in responding to individual requests.
- HHS access: make practices, books, and records relating to PHI available to the Secretary for compliance review.
- Return or destroy PHI at termination if feasible; otherwise extend protections indefinitely.
- Term and termination rights: allow termination if the BA violates a material term.
- Documentation retention for at least six years from creation or last effective date.
BAA drafting checklist
- State specific permitted uses/disclosures; prohibit unauthorized marketing or sale of PHI.
- Define breach reporting content (description, data elements, mitigation) and timelines.
- Describe required encryption, key management, and logging practices proportionate to risk.
- Include audit and assessment rights and expectations for compliance monitoring.
Business Associate Compliance Obligations
Security Rule safeguards in practice
- Administrative: risk analysis and risk management, workforce training, assigned security responsibility, contingency planning, vendor management.
- Physical: facility access controls, workstation and device safeguards, secure disposal and media re-use procedures.
- Technical: unique user IDs, multi-factor authentication, role-based access, audit controls, integrity checks, and encryption in transit and at rest.
Privacy Rule responsibilities
- Use/disclose PHI only as permitted by the BAA or as required by law.
- Apply minimum necessary; refrain from impermissible uses like unapproved marketing or sale of PHI.
- Support covered entities with access, amendment, and accounting requests.
Operational checklist
- Complete and update security risk assessments; remediate gaps with tracked action plans.
- Maintain incident response, breach assessment, and escalation procedures aligned to the Breach Notification Rule.
- Log and monitor access; review high-risk events; test backups and disaster recovery.
- Train workforce annually and on role-specific duties; enforce sanctions consistently.
- Obtain and manage subcontractor assurance; review their controls and BAAs.
Covered Entities Oversight Responsibilities
Due diligence and onboarding
- Inventory all business associates and map PHI data flows.
- Evaluate vendor security and privacy posture before sharing PHI; verify BAA execution.
Ongoing compliance monitoring
- Risk-based reviews of BA controls, assessments, attestations, and incident history.
- Track contract obligations, renewal dates, and required reports; document follow-up.
Escalation and enforcement
- Take reasonable steps to cure known violations; if unsuccessful, terminate the relationship when feasible.
- If termination is not feasible, report the issue to appropriate authorities as required.
Oversight checklist
- Ensure current BAAs for all applicable vendors.
- Verify minimum necessary access and role-based permissions for BA accounts.
- Review breach notifications and corrective actions; retain evidence of oversight.
Breach Notification Procedures
What counts as a breach
A breach is an impermissible use or disclosure of unsecured PHI that compromises security or privacy. Apply the four-factor risk assessment: type and volume of PHI, unauthorized recipient, whether PHI was actually acquired or viewed, and the extent of risk mitigation. Encrypted PHI meeting safe-harbor standards is generally not “unsecured.”
Timelines and recipients
- Business associate to covered entity: without unreasonable delay and no later than 60 days after discovery.
- Covered entity to individuals: without unreasonable delay and no later than 60 days after discovery.
- Covered entity to HHS: for 500+ affected in a state/jurisdiction, within 60 days; for fewer than 500, no later than 60 days after year-end.
- Media notice: if 500+ residents of a state/jurisdiction are affected.
Notice content and method
- Describe what happened, what PHI was involved, steps individuals should take, actions taken to mitigate and prevent recurrence, and contact information.
- Use first-class mail or electronic notice if the individual agreed; provide substitute notice if addresses are insufficient (e.g., website posting and toll-free number).
Breach response checklist
- Activate incident response; contain and investigate immediately.
- Complete documented risk assessment; decide whether notification is required.
- Send timely notifications; track deadlines and retain proofs.
- Implement corrective action plans and monitor for recurrence.
Subcontractor Compliance Management
Subcontractor status
Any downstream vendor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate. The same HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule obligations apply.
Subcontractor assurance
- Execute BAAs with all PHI-handling subcontractors; mirror upstream restrictions and conditions.
- Perform risk-based due diligence, including security reviews and evidence of controls.
- Require timely incident reporting, right-to-audit, and termination for cause.
Management checklist
- Maintain an up-to-date vendor inventory and data flow diagrams.
- Set onboarding security requirements (encryption, access control, logging) and verify before go-live.
- Monitor performance and compliance; review attestations and remediation plans.
- Plan for continuity and exit: data return/destruction, key revocation, and access disablement.
Conclusion
Who HIPAA covers includes covered entities and all business associates—and their subcontractors that handle PHI. By using the checklists above, executing strong BAAs, and sustaining disciplined compliance monitoring, you can reduce risk, meet regulatory duties, and protect individuals’ privacy.
FAQs
What entities qualify as covered entities under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard HIPAA transactions. Each must follow the HIPAA Privacy Rule and HIPAA Security Rule when handling PHI.
What are the key responsibilities of business associates?
Business associates must sign a BAA, safeguard ePHI under the Security Rule, follow permitted uses/disclosures under the Privacy Rule, report incidents and breaches promptly, and flow down obligations to any subcontractors that handle PHI.
When is a business associate agreement required?
A BAA is required before a covered entity shares PHI with a vendor or partner that will create, receive, maintain, or transmit PHI on its behalf. Business associates must also execute BAAs with their PHI-handling subcontractors.
How must breaches be reported under HIPAA?
Business associates notify the covered entity without unreasonable delay and within 60 days of discovery. Covered entities notify affected individuals within 60 days, report to HHS (timing depends on breach size), and notify the media if 500 or more residents of a state or jurisdiction are impacted.