Covered Entities vs Business Associates
Understanding the difference between Covered Entities and Business Associates under HIPAA and why it matters.
Under HIPAA, organizations that handle protected health information (PHI) fall into two main categories:
- Covered Entities
- Business Associates
Understanding which category your organization falls into is critical for determining your compliance responsibilities.
What Is a Covered Entity?
A Covered Entity is an organization that HIPAA regulates directly because it provides or pays for healthcare, or converts health information into standard formats on behalf of others. HIPAA defines exactly three types:
1. Healthcare Providers
If you electronically transmit health information in connection with a transaction for which HHS has adopted a standard (such as submitting claims to an insurer), you are a Covered Entity. This holds even when a billing service performs the electronic transmission on your behalf; a provider that never transmits such transactions electronically, directly or through an agent, is not a Covered Entity.
Examples:
- Physicians and physician groups
- Dentists
- Behavioral health providers
- Chiropractors
- Physical therapists
- Hospitals
- Clinics
2. Health Plans
- Insurance companies
- HMOs
- Employer-sponsored group health plans (except self-administered plans with fewer than 50 participants, which are excluded)
- Medicare and Medicaid programs
3. Healthcare Clearinghouses
Organizations that convert nonstandard health information into standard formats, or standard formats back into nonstandard ones, for billing or other administrative transactions.
If your organization bills insurance electronically, you are almost always a Covered Entity.
What Is a Business Associate?
A Business Associate (BA) is a person or organization that performs functions or services for a Covered Entity and creates, receives, maintains, or transmits PHI as part of that work.
Business Associates do not themselves provide or pay for care; they handle PHI on the Covered Entity's behalf. Members of a Covered Entity's own workforce are not Business Associates; they fall under the entity's own compliance program.
Examples include:
- Medical billing companies
- IT vendors with access to patient data
- EHR hosting companies
- Cloud storage and infrastructure providers that store or process ePHI (OCR has stated that such a provider is a Business Associate even when the data is encrypted and the provider never holds the key)
- Consultants with access to PHI
- Compliance vendors
- Attorneys reviewing patient information
A narrow "conduit" exception covers services that merely transport PHI and retain it only transiently as part of transmission, such as the postal service or an internet service provider. It does not cover vendors that store PHI at rest.
If your organization creates, receives, maintains, or transmits PHI for a Covered Entity, you are likely a Business Associate.
Key Difference Between the Two
| Covered Entity | Business Associate |
|---|---|
| Provides healthcare, pays for care, or standardizes health data | Provides services to a Covered Entity that involve PHI |
| Direct relationship with patients | Works on behalf of a Covered Entity (or of another Business Associate, as a subcontractor) |
| Must comply with the full Privacy, Security and Breach Notification Rules | Directly liable under the Security Rule, the Breach Notification Rule and the Privacy Rule provisions that apply to it |
| Enters into BAAs with vendors | Signs BAAs with Covered Entities and with its own subcontractors |
What Is a Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is a required contract between a Covered Entity and a Business Associate.
It outlines:
- How PHI may be used and disclosed
- Safeguards the Business Associate must implement
- Breach and security-incident reporting obligations
- Responsibilities of both parties, including return or destruction of PHI when the agreement ends
Covered Entities must have a signed BAA with each Business Associate before any PHI is shared; disclosing PHI to a vendor without one is itself an impermissible disclosure.
Missing or incomplete BAAs are among the most common findings in OCR investigations.
Are Business Associates Directly Liable Under HIPAA?
Yes.
Business Associates are directly responsible for:
- Implementing the administrative, physical and technical safeguards the Security Rule requires for ePHI
- Conducting and documenting a Security Risk Analysis and managing the risks it identifies
- Reporting breaches of unsecured PHI to the Covered Entity, which then notifies affected individuals and HHS
- Putting BAAs in place with their own subcontractors that handle PHI; those subcontractors are Business Associates in their own right
OCR can investigate and fine Business Associates independently of the Covered Entity they serve. This direct liability dates from the HITECH Act and was implemented by the 2013 Omnibus Rule.
What If You’re Both?
Some organizations act as both a Covered Entity and a Business Associate.
Example:
A medical practice is a Covered Entity for its own patients and a Business Associate when it provides billing services to another practice.
In that case, HIPAA obligations apply to both roles.
Why This Distinction Matters
Understanding your classification determines:
- What policies you must have
- What contracts are required
- What audits you may face
- Who is responsible in the event of a breach
Misunderstanding this distinction can result in gaps in compliance, especially around vendor management.
Quick Self-Check
Ask yourself:
- Do we provide healthcare services and bill electronically? → Covered Entity
- Do we handle PHI for another healthcare organization? → Business Associate
- Do we do both? → Both roles apply
If you handle PHI in any capacity, HIPAA likely applies.
Need help determining your classification?
Review your services and vendor relationships carefully or reach out to our team.
Last reviewed: January 2026