Who Must Comply With HIPAA? Covered Entities, Business Associates, and Examples
If you handle Protected Health Information (PHI) for healthcare operations, chances are you must comply with HIPAA. This guide explains who is covered, how Business Associates fit in, what Business Associate Agreements require, core compliance duties, and practical examples to help you determine your obligations with confidence.
Covered Entities Overview
Definition and scope
Covered entities include three groups: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions (such as claims or eligibility checks). If you are in one of these groups and you touch PHI, HIPAA applies.
Covered provider test
Not every provider is automatically covered. You are a covered provider if you conduct standard electronic transactions—directly or through a vendor—using PHI. Physicians, hospitals, clinics, pharmacies, dentists, psychologists, and laboratories typically meet this test.
Covered Entity Obligations
Covered entities must protect PHI, limit uses and disclosures to the minimum necessary, honor patient rights, implement safeguards under the HIPAA Security Rule for electronic PHI (ePHI), follow the HIPAA Privacy Rule, and notify affected parties under the Breach Notification Rule when required.
Business Associates Roles
Who is a business associate
A business associate (BA) is any person or organization that performs services or functions for a covered entity and creates, receives, maintains, or transmits PHI on its behalf. Common roles include billing, claims processing, data hosting, EHR and telehealth platforms, legal or actuarial services, analytics, and IT support.
On behalf of and access tests
If your work is “on behalf of” a covered entity and requires access to PHI—even if incidental—you are likely a BA. If you merely act as a conduit (for example, transient data transmission without storage or routine access), you may fall outside BA status, but most modern cloud and messaging tools maintain PHI and therefore qualify.
Subcontractor Compliance
Business associate subcontractors that handle PHI must meet HIPAA requirements, too. BAs must ensure subcontractor compliance by executing downstream Business Associate Agreements and flowing down the same restrictions and safeguards.
Business Associate Agreements Requirements
What a BAA must include
- Permitted and required uses and disclosures of PHI by the BA; prohibition on uses not authorized by the agreement or law.
- Implementation of administrative, physical, and technical safeguards consistent with the HIPAA Security Rule; duty to mitigate and to report security incidents and breaches.
- Subcontractor compliance: BAs must ensure any subcontractor that handles PHI agrees in writing to the same restrictions and safeguards.
- Support for Privacy Rule obligations: providing access, amendments, and an accounting of disclosures when the covered entity requests assistance.
- Prompt breach notifications under the Breach Notification Rule, with content and timing expectations defined.
- Return or secure destruction of PHI upon termination, if feasible, or continued protections if retention is required.
- Right of the covered entity to terminate the BAA for material breach and requirement to make records available to regulators when appropriate.
When a BAA is required
A BAA is required whenever a covered entity engages a vendor or partner to handle PHI, and when a BA hires a subcontractor to do the same. Two covered entities may also need reciprocal BAAs if one performs BA-type functions for the other.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Requirements
HIPAA Privacy Rule
- Use and disclose PHI only for permitted purposes (treatment, payment, health care operations) or with a valid authorization.
- Apply the minimum necessary standard to routine uses, disclosures, and requests.
- Provide a Notice of Privacy Practices and honor individual rights to access, amendment, and accounting of disclosures.
- Manage Business Associate Agreements and enforce covered entity obligations through policies and workforce training.
HIPAA Security Rule
- Perform a risk analysis and implement risk management for ePHI.
- Establish administrative, physical, and technical safeguards, including access controls, authentication, audit logging, integrity protections, and transmission security.
- Adopt least-privilege access, device and media controls, secure configuration baselines, and contingency planning with tested backups.
Breach Notification Rule
- Assess incidents for compromise of unsecured PHI and document the risk assessment.
- Notify affected individuals, the regulator, and, when applicable, the media within required timeframes.
- BAs must notify the covered entity without unreasonable delay so notifications can be made on time.
Program essentials
- Documented policies, procedures, training, and sanctions.
- Vendor risk management, including BAA tracking and subcontractor oversight.
- Incident response playbooks, activity reviews, and periodic audits to validate ongoing compliance.
Examples of Covered Entities
- Health plans: commercial insurers, HMOs, employer-sponsored group health plans, Medicare, and Medicaid.
- Health care providers that conduct standard electronic transactions: hospitals, physician practices, clinics, pharmacies, dentists, psychologists, chiropractors, laboratories, imaging centers, and nursing facilities.
- Health care clearinghouses: organizations that translate or reformat nonstandard health data into standard transaction formats and vice versa.
- Hybrid entities: organizations with both covered and non-covered components (for example, a university with a student health clinic) that designate their health care component.
Examples of Business Associates
- Technology vendors: EHR and practice management systems, telehealth platforms, cloud hosting and backup providers, secure messaging and e-prescribing services, data centers, and IT help desks with PHI access.
- Operational services: medical billing and coding companies, claims processing and clearing services acting for providers or plans, transcription, scanning, and records storage vendors.
- Professional services: attorneys, accountants, actuaries, compliance consultants, utilization review and quality assessment firms when they handle PHI.
- Analytics and research support: population health analytics, data aggregation, de-identification services, and HIE or interoperability vendors operating on behalf of covered entities.
- Physical services: shredding and media disposal vendors, device maintenance firms, and couriers that store or routinely access PHI beyond transient transmission.
- Marketing and communication providers when using PHI for permitted health care operations or with authorizations arranged by the covered entity.
Direct-to-consumer apps acting solely for the individual may not be BAs; however, if the same vendor performs services on behalf of a covered entity and handles PHI, BA status applies.
Safeguarding Protected Health Information
Administrative safeguards
- Conduct regular risk analyses, maintain policies and procedures, train your workforce, and apply sanctions for violations.
- Use role-based access, minimum necessary workflows, and vendor due diligence with robust Business Associate Agreements.
Technical safeguards
- Implement unique user IDs, strong authentication, encryption in transit and at rest where feasible, and endpoint protections.
- Monitor with audit logs and alerts, segment networks, and manage vulnerabilities and patches on a defined cadence.
Physical safeguards
- Control facility and device access, secure workstation locations, and protect portable media with encryption and inventory tracking.
- Use secure disposal methods for paper and electronic media containing PHI.
Everyday best practices
- Verify identities before disclosure, avoid unsecured channels for PHI, and use approved templates to meet Privacy Rule requirements.
- Plan for incidents with tested backup, recovery, and breach response procedures that meet the Breach Notification Rule.
Conclusion
To comply with HIPAA, first decide whether you are a covered entity or a business associate, then implement the Privacy, Security, and Breach Notification Rules. Use strong BAAs, ensure subcontractor compliance, and operationalize safeguards so PHI remains protected across every system and vendor you use.
FAQs
What entities are classified as covered entities under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. If you are in one of these categories and use PHI for your operations, you must comply with HIPAA.
What is a business associate under HIPAA?
A business associate is a person or organization that performs functions or services for a covered entity involving PHI. Examples include billing companies, IT and cloud providers, EHR vendors, attorneys, and analytics firms that create, receive, maintain, or transmit PHI on behalf of a covered entity.
What are the requirements for business associate agreements?
Business Associate Agreements must define permitted uses and disclosures, require safeguards consistent with the HIPAA Security Rule, mandate incident and breach reporting, flow down the same obligations to subcontractors, support Privacy Rule duties (such as access and amendments), and address PHI return or destruction at termination.
How must business associates comply with HIPAA?
Business associates must implement Privacy Rule and Security Rule safeguards for PHI and ePHI, follow the minimum necessary standard, maintain policies, train staff, manage subcontractor compliance through BAAs, and provide prompt breach notifications as required by the Breach Notification Rule.