A covered entity provides or pays for care and controls protected health information (PHI), while a business associate handles that PHI to support the covered entity. That distinction sounds subtle, but it changes which HIPAA rules apply, what contracts you must sign, and who gets the first call when a breach happens. If you label yourself incorrectly, you can waste time on controls you don’t need, or miss safeguards you’re legally required to put in place.
What’s more, the same organization can act as a covered entity in one workflow and as a business associate in another. So the goal isn’t to pick a label once and forget it. It’s important to map how PHI moves through your business and assign responsibilities according to the risk.

Covered entities
A covered entity is the organization that delivers care, pays for care, or standardizes healthcare transactions, and it uses or discloses health information as part of that work. In the HIPAA context, it's the center of regulated healthcare activity.
Who qualifies as a covered entity
HIPAA covered entities fall into three main categories:
- Health plan. These are organizations that provide or pay the cost of medical care, such as health insurers, health maintenance organizations (HMOs), employer-sponsored group health plans, and public programs like Medicare and Medicaid.
- Health care clearinghouse. Entities that convert nonstandard health information into standard formats (or the reverse) belong to this category. They often sit between providers and payers to translate data into the formats required for claims and other transactions.
- Healthcare provider (with a key condition). Examples include doctors, clinics, dentists, pharmacies, psychologists, chiropractors, nursing homes, and similar providers. The key condition: a provider counts as a covered entity only if it transmits health information electronically in connection with a transaction for which HHS has adopted a standard (for example, electronic claims, eligibility checks, or claim status requests).
For example, a dental clinic that submits insurance claims electronically (or runs electronic eligibility checks) is a covered entity. But a chiropractor who only takes cash and never sends health info electronically for claims, eligibility, or status transactions is not a covered entity.
Plainly speaking, a small practice that stays fully on paper may fall outside HIPAA. Once it submits an electronic claim or checks eligibility online, it usually crosses into covered entity territory. Note that the status attaches to the organization, not to the transaction: once a practice is a covered entity, its paper charts and verbal disclosures are covered by the Privacy Rule too, not only the electronic claims that triggered the status.
Responsibilities under the HIPAA Privacy Rule and HIPAA Security Rule
Covered entities take on the broadest set of obligations because they are most directly involved in the patient relationship and the regulated transactions.
- HIPAA Privacy Rule. Covered entities must define how they use and disclose PHI, provide patients with a Notice of Privacy Practices (where required), honor patient rights (like access requests), and apply the “minimum necessary” standard when using or sharing PHI for many purposes.
- HIPAA Security Rule. If you handle electronic PHI (ePHI), you must protect it with administrative, physical, and technical safeguards. That includes a documented risk analysis and risk management plan, access controls, audit controls, workforce training, and policies that match how your systems actually work (a policy that describes controls you don't run is worse than useless in an investigation).
- Vendor oversight and contracting. A covered entity can’t pass PHI to a vendor and pretend the risk disappears. Before a vendor touches PHI on the covered entity’s behalf, the covered entity must obtain written assurances in the form of a business associate agreement (BAA) that sets expectations for safeguards, permitted uses, breach reporting, and downstream subcontractors.
Business associates
A business associate (BA) is a person or company that performs services for a covered entity and, as part of that service, creates, receives, maintains, or transmits protected health information.
In other words, if your work requires PHI to do the job, you may be a HIPAA business associate even if you never interact with patients or provide medical care.
Who qualifies as a HIPAA business associate
A HIPAA business associate can look like a classic vendor or a professional service partner. Common examples include:
- Billing services, revenue cycle vendors, and practice management platforms
- Claims processing and data analytics providers
- Utilization review and quality assurance firms
- Legal, accounting, actuarial, consulting, and financial services (when PHI access is necessary to provide the service)
- Cloud service providers that store or maintain ePHI, even if the data is encrypted and the provider never holds the decryption key (a "no-view" service is still a business associate under HHS guidance)
One nuance: a covered entity can become a BA in a specific arrangement. For example, a hospital might be a covered entity for its own patients but act as a business associate when it provides billing services to an independent physician group.
Responsibilities, business associate agreement, and subcontractors
Business associates have real HIPAA obligations, not just contractual promises.
- Security expectations under the HIPAA Security Rule. Since the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance, not merely for breach of contract. Regulators expect risk analysis, access controls, logging, incident response, and vendor management to show up in practice, not just in a policy binder.
- Privacy and breach duties (limited but meaningful). Business associates must limit uses and disclosures to what the BAA and HIPAA allow, and they must report breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery. A BAA can (and commonly does) set a much shorter deadline, and the shorter contractual deadline governs.
- The business associate agreement is your rulebook. A BAA defines what PHI you can use, what you must protect, how you report incidents, and how you handle subcontractors. If you’re a BA, you typically must sign a BAA with each covered entity customer that shares PHI with you.
- Subcontractor chain. If a business associate hires another vendor that will create, receive, maintain, or transmit PHI (for example, a hosting provider, support contractor, or document disposal service), that downstream vendor is itself a business associate, and the BA must sign a BAA with it. The BA pushes protections downstream through contracts and oversight, so the chain doesn’t break when data leaves your direct control.
Covered entity vs. business associate comparison
| Category | Covered entity (CE) | Business associate (BA) |
|---|---|---|
| Primary role | Provides care, pays for care, or standardizes transactions | Provides services to a CE that require PHI access |
| Relationship to the patient | Often direct | Usually indirect |
| Core compliance focus | Privacy Rule + Security Rule + breach notification | Security Rule + BA-specific privacy/breach duties |
| Key contract | Initiates the BAA before sharing PHI with vendors | Signs BAAs with CEs and flows requirements to subcontractors |
| Breach notification path | Notifies individuals, HHS, and sometimes the media | Notifies the covered entity (per the BAA and HIPAA rules) |
| Common examples | Insurer, clinic, hospital, pharmacy, clearinghouse | Billing platform, cloud host for ePHI, analytics vendor, legal advisor with PHI access |
How to tell if you’re a covered entity or business associate
Use this as a practical decision tree. Answer based on what you do with PHI.
Covered entity checklist
Start here:
- Do you run a health plan?
  Example: an insurer, health maintenance organization (HMO), employer-sponsored group health plan, or government health program. (A third-party administrator that merely runs an employer's plan is usually a business associate, not the plan itself.)
  If yes, you’re likely a covered entity.
- Do you act as a clearinghouse that standardizes healthcare transactions?
  Example: a service that converts claims data between formats for payers and providers.
  If yes, you’re likely a covered entity.
- Are you a healthcare provider that sends health information electronically for covered transactions?
  Example: a clinic that submits electronic claims or checks eligibility online.
  If yes, you’re likely a covered entity.
If you answered “no” to all three, move to the BA questions.
Business associates checklist
You’re likely a business associate if you answer “yes” to any of these:
- Do you create, receive, maintain, or transmit protected health information on behalf of a covered entity?
  Example: you host ePHI backups, run a patient messaging platform, or provide outsourced billing.
- Do you provide a service where PHI access is necessary to do the work?
  Example: legal counsel reviewing patient records for a claim dispute, an accountant auditing billing documentation, a consultant analyzing patient utilization patterns.
- Do you support a covered entity’s operations, and PHI appears in support tickets, logs, or admin tools?
  Example: a SaaS vendor whose support staff can view PHI during troubleshooting.
If yes, you likely need a business associate agreement, and you should treat the HIPAA Security Rule as a binding operating requirement rather than a customer preference.
When you’re neither (common examples)
Some organizations fall outside both buckets for many activities:
- Employers handling employee health files as employment records
  Example: HR records about sick leave or fitness-for-duty notes. Other laws may apply, but HIPAA excludes employment records held by an employer in its role as employer, so these usually aren’t PHI in that context.
- Life insurers and some workers’ compensation carriers
  Example: a life insurance underwriting workflow that doesn’t meet HIPAA’s health plan definition.
- Researchers (in many cases)
  Example: a university research team using data under an IRB protocol or data use agreement, without performing a covered entity service function.
- Incidental access vendors
  Example: a janitorial team that might occasionally see paperwork but doesn’t handle PHI as part of the service it sells.
If you land in “neither,” you still may have security and privacy duties under contracts, state laws, or other regulations. HIPAA just may not be the one that governs your role.
Summary
In the HIPAA context, covered entities are at the core of care and payment workflows, while business associates support those workflows and handle PHI on the covered entity’s behalf. If you’re unsure where you fit, trace each flow of health information, identify who controls it, and put the right BAAs and security controls around the systems that have access to it.