Who Must Follow the HIPAA Privacy Rule: Covered Entities and Business Associates



Kevin Henry

HIPAA

May 10, 2024

7 minutes read

The HIPAA Privacy Rule governs how organizations use and disclose Protected Health Information (PHI). This guide explains exactly who must follow it—covered entities, business associates, and hybrid entities—and what HIPAA Compliance Requirements mean for day‑to‑day operations and vendor relationships.

You will learn how Business Associate Agreements work, how Hybrid Entity Designation limits HIPAA’s scope inside complex organizations, and which Data Privacy Safeguards are necessary for Electronic Health Information Transmission and storage.

Covered Entities Overview

Covered entities are the core organizations directly regulated by the HIPAA Privacy Rule. They include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims, eligibility checks, referrals, and authorizations.

Examples include hospitals, physician practices, dental offices, pharmacies, vision centers, employer‑sponsored group health plans, Medicare and Medicaid programs, and HMOs. A third‑party administrator that runs a group health plan on the plan's behalf is usually a business associate of that plan rather than a covered entity in its own right. Employers, schools, and life insurers are not covered entities unless they operate a regulated health plan function.

Coverage is activity‑based for providers: if you conduct the specified electronic transactions, you are a covered entity for the PHI you create, receive, maintain, or transmit. De‑identified information is not PHI and falls outside the Privacy Rule.

Definition of Business Associates

A business associate is a person or organization that performs functions or services for a covered entity—and that activity involves creating, receiving, maintaining, or transmitting PHI. Subcontractors of business associates that handle PHI are also business associates.

Common business associates include billing and coding firms, claims processors, cloud service providers that store ePHI, EHR and patient portal vendors, data analytics firms, e‑prescribing gateways, health information exchanges, transcription and call center services, legal and consulting firms handling PHI, and secure messaging or backup providers.

Workforce members of a covered entity are not business associates. True “conduits” that merely transport data without persistent storage (for example, the postal service) are generally not business associates, while most hosted or cloud services that maintain PHI are.

Business Associate Agreements Requirements

Before sharing PHI, covered entities must execute Business Associate Agreements (BAAs) with their business associates. Since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance and for the Privacy Rule provisions that apply to them, so the BAA is not the only source of their obligations; it defines the permitted uses and disclosures and the contractual terms that bind them. A compliant BAA should:

  • Specify permitted and required uses and disclosures of PHI and apply the minimum necessary standard.
  • Require administrative, physical, and technical safeguards aligned with the Security Rule, including risk analysis, access controls, audit logging, and incident response.
  • Mandate reporting of security incidents and suspected or confirmed breaches of unsecured PHI to the covered entity without unreasonable delay and within a contract‑defined timeframe. The Breach Notification Rule sets the outer bound at 60 calendar days after discovery; many covered entities contract for far shorter windows so they can meet their own notification deadlines.
  • Flow down the same restrictions to subcontractors that create, receive, maintain, or transmit PHI.
  • Address individual rights support (access, amendments, accounting of disclosures) when the business associate assists the covered entity.
  • Require return or secure destruction of PHI at contract termination when feasible, and provide for termination for material breach.
  • Allow the covered entity appropriate oversight, such as assurances or audit‑related cooperation, and require the business associate to make its internal practices, books, and records available to the Secretary of HHS for compliance determinations.

Hybrid Entities Designation

Organizations that perform both HIPAA‑regulated and non‑regulated functions can make a formal Hybrid Entity Designation. This allows the organization to designate specific Covered Health Care Components—such as a campus clinic, health plan unit, or occupational health service—while keeping unrelated business units outside HIPAA’s scope.

To implement this designation, you must document which components are covered, identify and train the workforce assigned to those components, establish safeguards (“firewalls”) to prevent improper PHI sharing with non‑covered components, and ensure BAAs are executed by the applicable component. The Privacy Rule applies to the covered components and their business associates, not to the rest of the organization.


Safeguarding Protected Health Information

Safeguards protect PHI in any form, including ePHI. Your program should combine policy, technology, and monitoring to uphold confidentiality, integrity, and availability while supporting patient rights.

Administrative safeguards

  • Conduct and regularly update a risk analysis; implement risk management plans and workforce training.
  • Adopt role‑based access, sanction policies, and procedures for minimum necessary disclosures.
  • Maintain incident response, contingency planning, and breach notification workflows.

Physical safeguards

  • Control facility and workstation access; secure servers, networking closets, and records rooms.
  • Use device and media controls for encryption, storage, transport, reuse, and disposal.

Technical safeguards

  • Implement unique user IDs, authentication, and least‑privilege access.
  • Use encryption at rest and in transit, audit logging, integrity controls, and automated log review. Encryption is an "addressable" specification under the Security Rule, but ePHI encrypted in line with HHS guidance is not "unsecured PHI," so its loss or theft generally does not trigger breach notification; that alone justifies encrypting laptops, removable media, and backups.

Electronic Health Information Transmission

  • Use secure channels (for example, TLS‑protected APIs, VPNs, or secure email with message encryption) and verify endpoints.
  • Apply data loss prevention, anti‑malware, and mobile device management for endpoints that handle ePHI.
  • Standardize secure texting and telehealth workflows; avoid unvetted consumer apps for PHI.

Consider de‑identification or limited data sets with data use agreements when full identifiers are not necessary, reducing risk while enabling analytics and quality improvement.
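As an added example, not code from this article or from Accountable, the Python below sketches the Safe Harbor de‑identification method referred to above: it drops the direct identifiers, keeps only the year of dates tied to the individual, collapses ages over 89 into "90+", truncates ZIP codes to three digits (or "000" for sparsely populated prefixes), and redacts phone, SSN, and e‑mail patterns from free text. The field names, the sample record, and the regular expressions are constructed for illustration; the low‑population ZIP prefix set is the one HHS published from 2000 Census data and should be treated as an assumption to refresh against current guidance.

```python
"""Safe Harbor-style de-identification of a patient record (added example)."""
import re
from datetime import date

# Direct identifiers that the Safe Harbor method removes outright.
# Field names are constructed for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must be reported
# as "000". Assumption: this is the HHS list derived from 2000 Census data;
# verify it against current guidance before relying on it.
LOW_POPULATION_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Patterns for identifiers that leak into free text. Regex scanning is a
# backstop only: names, addresses and the like will not be caught this way.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "PHONE": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}


def _to_date(value):
    """Accept ISO date strings or date objects."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def age_on(dob, as_of):
    """Whole years between dob and as_of, adjusting for an unreached birthday."""
    dob, as_of = _to_date(dob), _to_date(as_of)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def scrub_free_text(text):
    """Replace SSN, phone and e-mail patterns in a note with redaction markers."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} REDACTED]", text)
    return text


def safe_harbor_scrub(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    age = age_on(record["dob"], as_of) if record.get("dob") else None
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key == "dob":
            continue  # dropped; dob is replaced by age / birth_year below
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = _to_date(value).year if value else None
        elif key == "notes":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    if age is not None:
        if age >= 90:
            out["age"] = "90+"  # ages over 89 are aggregated; birth year is dropped too
        else:
            out["age"] = age
            out["birth_year"] = _to_date(record["dob"]).year
    return out


# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "mrn": "MRN-0042",
    "name": "Jane Q. Example",
    "dob": "1931-03-15",
    "zip": "03601",
    "street_address": "1 Example Way",
    "phone": "603-555-0100",
    "admit_date": "2024-02-03",
    "diagnosis_code": "E11.9",
    "notes": "Patient reachable at 603-555-0100 or jane@example.org.",
}

if __name__ == "__main__":
    print(safe_harbor_scrub(SAMPLE_RECORD, as_of="2024-05-10"))
```

The scrubbed output keeps the diagnosis code, the admission year, the "000" ZIP bucket and an age of "90+", and nothing else that identifies the patient. A real pipeline would also apply the Safe Harbor rules to every other field that can carry dates or geography, and a limited data set under a data use agreement (which may retain dates and five‑digit ZIPs) needs a different, documented configuration.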

HIPAA Compliance Obligations

Covered entities and business associates must meet core HIPAA Compliance Requirements. You need documented policies and procedures, designated privacy and security officials, workforce training, appropriate sanctions for violations, and records retention for required documentation.

Covered entities must provide a Notice of Privacy Practices, honor individual rights to access and receive copies of PHI, request amendments, request restrictions, and obtain confidential communications. Business associates must support these rights where contracted to do so and must report breaches to the covered entity.

Both covered entities and business associates must perform periodic risk analyses, manage vendors through Business Associate Agreements, monitor safeguards, and remediate gaps. Where state privacy laws are more stringent, you must follow the stricter standard.

Roles and Responsibilities

Covered entities

  • Define and enforce privacy and security policies; apply minimum necessary to uses and disclosures.
  • Manage the lifecycle of PHI across clinical, billing, and support operations; monitor access and disclosures.
  • Conduct risk analysis, train the workforce, and oversee business associates through BAAs and ongoing diligence.

Business associates

  • Implement safeguards equivalent to those of covered entities and limit PHI uses to contract‑permitted purposes.
  • Report incidents promptly, assist with individual rights, flow down terms to subcontractors, and return or destroy PHI at termination.

Conclusion

The HIPAA Privacy Rule applies directly to covered entities and, through contracts and regulation, to business associates that handle PHI for them. Hybrid Entity Designation narrows HIPAA’s reach to Covered Health Care Components, while Data Privacy Safeguards and secure Electronic Health Information Transmission keep PHI protected. Clear roles, robust BAAs, and a risk‑based compliance program are essential to sustained compliance.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions (such as claims, eligibility, and referrals). Providers include hospitals, clinics, pharmacies, dentists, and individual practitioners when they conduct the specified electronic transactions.

What functions require business associate agreements?

Any service for a covered entity that involves creating, receiving, maintaining, or transmitting PHI requires a Business Associate Agreement. Typical functions include billing and revenue cycle, cloud hosting or backups for ePHI, EHR or portal support, data analytics, transcription, legal and consulting services handling PHI, e‑prescribing and health information exchange, and secure messaging or call center services.

How do hybrid entities apply HIPAA rules?

Hybrid entities formally designate their Covered Health Care Components and apply the Privacy and Security Rules only to those components and their business associates. They maintain organizational safeguards to prevent inappropriate PHI sharing with non‑covered components and train workforce members assigned to the covered functions.

What safeguards must be in place for protected health information?

You need administrative, physical, and technical safeguards: risk analysis and training; facility, workstation, and device controls; and access controls, encryption, audit logging, and integrity protections. For Electronic Health Information Transmission, use secure channels (such as TLS‑protected APIs or secure email), verify endpoints, and monitor for data loss, while enforcing the minimum necessary standard.
