What distinguishes business associates from HIPAA-covered entities?

May 7, 2023 | HIPAA News and Advice

Business associates are entities or individuals that perform certain functions or activities on behalf of HIPAA-covered entities, such as healthcare providers or health plans, where those functions involve the use or disclosure of PHI. HIPAA-covered entities are the organizations that directly provide healthcare services, conduct healthcare transactions electronically, or handle health insurance. Both must comply with HIPAA regulations to ensure the privacy and security of PHI, but business associates do so in a capacity that supports the functions of covered entities, often through services such as billing, legal, or IT. This makes them subject to HIPAA’s Privacy and Security Rules so that the integrity and confidentiality of PHI is maintained even though they are not the primary healthcare service providers. Distinguishing between business associates and HIPAA-covered entities requires an understanding of the regulatory framework established by HIPAA. The distinction matters in healthcare operations, as it determines the responsibilities, obligations, and compliance requirements of the various entities involved in handling PHI.

| Basis of Comparison | HIPAA-Covered Entities | Business Associates |
|---|---|---|
| Role and Function | Directly engage in providing medical treatments, diagnoses, and care to patients (e.g., hospitals, clinics, physicians, pharmacies). | Perform specific functions or activities on behalf of covered entities to support operational and administrative needs (e.g., legal firms, billing companies, IT service providers). |
| Nature of Services | Deliver healthcare services, conduct electronic transactions, manage health insurance policies, and process healthcare data. | Offer specialized services such as legal, financial, technological, or consultative support to enhance covered entities’ operations. |
| Access to PHI | Handle and manage PHI as part of patient care and health data management. | Require access to PHI for their designated functions, though not primarily engaged in patient care. |
| Examples | Hospitals, clinics, pharmacies, health insurance companies, government-sponsored health programs. | Legal firms, billing companies, IT service providers, cloud storage platforms, third-party consultants. |
| Regulatory Responsibilities | Responsible for implementing privacy safeguards, patient rights, and disclosures, as well as security measures. | Address privacy and security through contractual agreements (BAAs) with covered entities, outlining specific responsibilities and security measures. |
| Business Associate Agreements (BAAs) | Not applicable; covered entities do not require BAAs with other entities. | Must enter into BAAs with covered entities, detailing terms of engagement and PHI protection measures. |
| Liability and Enforcement | Directly liable for HIPAA compliance and subject to enforcement actions and penalties for violations. | Directly liable for complying with certain HIPAA provisions, subject to penalties as outlined in the HITECH Act and Omnibus Rule. |
| Primary Patient Care vs. Support Services | Primarily involved in direct patient care and medical service provision. | Offer support services that enhance operational efficiency without direct patient care involvement. |
| Overall Goal | Focus on patient care, medical services, insurance management, and healthcare transactions. | Enhance covered entities’ operations through specialized services while adhering to HIPAA regulations. |
| Contribution to Healthcare | Provide healthcare services and manage patient data for medical treatments and insurance claims. | Support and enhance covered entities’ functions while ensuring PHI protection and regulatory compliance. |

Table: Comparison Between HIPAA-Covered Entities and Business Associates

HIPAA-covered entities include healthcare providers, health plans, and healthcare clearinghouses, which engage directly in providing medical services, conducting electronic healthcare transactions, and processing health insurance claims. These entities, known as “covered entities,” form the core of the healthcare system that HIPAA regulates. On the other hand, business associates are entities or individuals that perform certain functions or activities on behalf of covered entities, involving the use or disclosure of PHI. Business associates can include service providers, ranging from legal firms and billing companies to IT service providers and cloud storage platforms. Their involvement in healthcare operations necessitates access to PHI, even though they are not the primary entities responsible for delivering healthcare services.

What distinguishes business associates from covered entities is their roles and responsibilities within the healthcare ecosystem. Covered entities are the foundation of healthcare provision, comprising healthcare providers like hospitals, clinics, pharmacies, and individual healthcare practitioners. These entities engage directly with patients, offering medical treatments, diagnoses, and prescriptions. Health plans, including health insurance companies and government-sponsored programs like Medicaid and Medicare, also fall under the umbrella of covered entities, as they manage and administer health insurance policies. Healthcare clearinghouses, which process and translate healthcare data into standardized formats for electronic transactions, are classified as covered entities. Clearinghouses streamline electronic data interchange, ensuring seamless communication between various components of the healthcare system.

In contrast, business associates function as support entities that enable covered entities to fulfill their operational and administrative obligations effectively. These associates offer specialized services that may include legal, financial, technological, or consultative aspects of healthcare operations. They often handle sensitive PHI as part of their service provision, which requires compliance with HIPAA’s Privacy and Security Rules. For instance, a legal firm retained by a hospital to provide legal advice on healthcare regulations and patient rights would be considered a business associate. A cloud computing service that stores electronic health records (EHRs) for a medical practice would also fall under the category of a business associate. In these scenarios, while the business associates do not directly engage in patient care, their services contribute to the functioning of the healthcare system and require access to PHI.

The HIPAA Privacy Rule and Security Rule impose stringent obligations on both covered entities and business associates to ensure the protection of PHI. Covered entities are required to implement measures to safeguard PHI and protect patients’ privacy rights. This includes maintaining physical, administrative, and technical safeguards to prevent unauthorized access, disclosure, or alteration of PHI. Covered entities must also appoint a privacy officer and a security officer to oversee compliance efforts. On the other hand, business associates are obligated to enter into business associate agreements (BAAs) with covered entities. These agreements serve as legally binding documents that outline the specific responsibilities of the business associate concerning PHI protection. BAAs describe the measures the business associate will implement to ensure the confidentiality, integrity, and availability of PHI. The agreements also establish procedures for reporting and responding to data breaches or security incidents involving PHI.

The expansion of HIPAA through the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the subsequent issuance of the Omnibus Rule in 2013 further strengthened the regulatory framework surrounding business associates. The Omnibus Rule clarified that business associates and their subcontractors are directly liable for complying with certain provisions of the HIPAA Rules and are subject to enforcement actions and penalties for HIPAA violations.

While both covered entities and business associates are important components of the healthcare ecosystem, their roles and responsibilities are very different. Covered entities are the frontline healthcare providers, health plans, and clearinghouses that directly engage with patients and manage healthcare data. Business associates offer services that support covered entities’ operations, requiring access to PHI for functions like billing, legal consultation, and technological support. Regardless of their specific roles, both covered entities and business associates are bound by HIPAA’s privacy and security requirements, ensuring the protection of sensitive patient information and maintaining the integrity of the healthcare system.
