Who Must Comply with HIPAA? Covered Entities, Business Associates, and Third-Party Vendors
HIPAA applies to organizations and vendors that create, receive, maintain, or transmit Protected Health Information (PHI). If you handle PHI in any capacity—directly as a health care organization or indirectly as a service provider—you likely have obligations under the HIPAA Privacy Rule and the HIPAA Security Rule.
Covered Entities Under HIPAA
Covered entities are the core organizations directly regulated by HIPAA. They must comply with the HIPAA Privacy Rule for all PHI and the HIPAA Security Rule for electronic PHI (ePHI), and follow the Breach Notification requirements when incidents occur.
Health plans
These include health insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans. Employers themselves are not covered entities, but their group health plans are. If you administer a group health plan, HIPAA applies to the plan’s PHI.
Health care providers
Any provider—such as physicians, hospitals, clinics, dentists, pharmacies, or telehealth practices—that transmits health information electronically in standard transactions (for example, claims or eligibility checks) is a covered entity.
Health care clearinghouses
Clearinghouses process nonstandard health information into standard formats, or vice versa. If you translate or normalize claims data, you fall into this category.
Hybrid entities and limited scope
Organizations that perform both covered and non-covered functions can designate “health care components” to limit HIPAA’s scope. PHI excludes certain records (like FERPA education records and employment records held in an employer role).
Roles of Business Associates
A business associate is any person or organization performing services for a covered entity that involve PHI—directly or indirectly. Many third-party vendors become business associates when their work touches PHI in any way.
Examples include claims processors, EHR and cloud providers, IT support, data analytics firms, billing services, legal and accounting firms, e-fax/email gateways, and patient engagement platforms. Business associates are directly responsible for Security Rule safeguards, must observe the relevant Privacy Rule provisions, and carry subcontractor liability if they delegate PHI work.
Business Associate Subcontractors
Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates. If you are a downstream vendor handling PHI, HIPAA applies to you directly—not just by contract.
Business associates must bind subcontractors in writing to the same HIPAA restrictions and controls, creating a chain of trust. Failure to manage subcontractors can trigger subcontractor liability for the upstream business associate and, in some cases, the covered entity.
Business Associate Agreements
A Business Associate Agreement (BAA) is a required contract before sharing PHI with a vendor. If you are a covered entity or business associate, you must execute a BAA that clearly defines allowable PHI uses, disclosures, and safeguards.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Essential BAA elements
- Permitted and required uses/disclosures of PHI and the minimum necessary standard.
- Obligation to implement HIPAA Security Rule controls for ePHI and appropriate Privacy Rule safeguards.
- Prompt incident and breach reporting, including cooperation with investigations and notifications.
- Flow-down requirements ensuring subcontractors agree to the same restrictions and safeguards.
- Individual rights support (access, amendments, accounting of disclosures) and HHS access to records.
- Return or destruction of PHI at termination, or continued protections if destruction is infeasible.
- Termination for cause and any indemnification or remediation expectations.
HIPAA Compliance Obligations
Whether you are a covered entity or a business associate, your program should align with the Privacy Rule, Security Rule, and Breach Notification Rule. Documentation must be retained for at least six years from the date of creation or last effective date.
Program foundations
- Risk analysis and risk management addressing threats to confidentiality, integrity, and availability of ePHI.
- Administrative safeguards: policies, workforce training, sanctions, vendor due diligence, and contingency planning.
- Physical safeguards: facility and device controls, secure workstations, and media handling.
- Technical safeguards: access controls, authentication, audit logs, integrity protections, and encryption.
Operational practices
- Apply the minimum necessary standard and role-based access to PHI.
- Manage BAAs and subcontractor oversight to reduce subcontractor liability.
- Prepare for compliance audits with current policies, logs, risk assessments, and training records.
- Coordinate breach readiness: detection, investigation, harm assessment, and timely notifications.
Safeguarding Protected Health Information
Technical and procedural controls reduce risk across endpoints, networks, applications, and vendors. Your safeguards should be proportionate to your environment and regularly validated.
Data Transmission Safeguards
- Encrypt data in transit (for example, TLS for web traffic, secure email options, VPNs for remote access).
- Use secure messaging or APIs with strong authentication and session management.
- Verify recipient identity, limit routing to authorized endpoints, and monitor for anomalous transfers.
Additional protections
- Encrypt ePHI at rest, enforce multi-factor authentication, and patch systems promptly.
- Enable audit logging and regular review; implement DLP and intrusion monitoring where appropriate.
- Apply mobile and BYOD controls (device encryption, remote wipe) and secure disposal of media.
- Use de-identification or limited data sets with data use agreements when full identifiers are not needed.
Enforcement and Liability
The HHS Office for Civil Rights enforces HIPAA through investigations, resolution agreements, and civil monetary penalties. State attorneys general can also bring actions, and the Department of Justice may pursue criminal cases for knowing misuse of PHI.
Covered entities, business associates, and subcontractors are each directly liable for their own violations. A covered entity may also be responsible for the acts of a business associate acting as its agent, while contracts address remedies and the allocation of risk. Robust governance and vendor oversight reduce subcontractor liability and enforcement exposure.
In practice, strong risk management, documented safeguards, well-structured BAAs, and disciplined incident response minimize operational disruption and legal risk while protecting patients’ trust.
FAQs
Who qualifies as a covered entity under HIPAA?
Health plans, health care providers that conduct standard electronic transactions, and health care clearinghouses are covered entities. Hybrid organizations can designate health care components, but HIPAA applies to those components’ PHI.
What is the role of a business associate in HIPAA compliance?
Business associates perform services involving PHI for covered entities or other business associates. They must sign a Business Associate Agreement, implement Security Rule and relevant Privacy Rule requirements, and manage any downstream subcontractors handling PHI.
Are subcontractors of business associates subject to HIPAA regulations?
Yes. Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are directly subject to HIPAA and must be bound by written agreements that mirror BAA requirements.
What are the consequences of violating HIPAA requirements?
Consequences range from corrective action plans and civil monetary penalties to, in egregious cases, criminal prosecution. Violations can also trigger contract termination, reputational damage, and increased scrutiny during compliance audits.