Who Must Comply with HIPAA? Covered Entities and BAs

This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. HIPAA requirements and enforcement practices evolve, and you should consult with a qualified compliance professional about your specific situation.


Your organization handles patient information but you're not a hospital. Are you a covered entity or a business associate? The answer determines what you're responsible for, what agreements you need in place with other parties, and how much regulatory exposure you carry. Some organizations discover they're business associates subject to HIPAA obligations when they get contacted by an HHS auditor after a client breach. Others don't realize they're covered entities until they try to buy cyber insurance and find that they can't because they don't meet insurance underwriting requirements. Understanding your role in HIPAA isn't academic—it defines your compliance obligations and your liability structure.

Covered Entities: Healthcare Providers, Plans, and Clearinghouses

A covered entity is an organization that directly provides healthcare, administers health insurance, or processes healthcare transactions. The list is specific. Healthcare providers include doctors, dentists, clinics, hospitals, mental health practitioners, nursing homes, physical therapists, chiropractors, pharmacists, and other professionals who provide healthcare. Health plans include insurance companies, managed care organizations, and employer health plans. Healthcare clearinghouses are organizations that process healthcare transactions like billing intermediaries and claims processors.

The key distinction is this: covered entities directly handle patient data as part of their core business. A hospital provides care to patients, owns patient data, and bears legal responsibility for that data. A health insurance company administers plans, manages member data, and owns compliance for that data. A pharmacy benefits manager processes prescriptions and owns compliance for the data it processes. If you directly provide healthcare or administer health insurance, you're almost certainly a covered entity.

Covered entities have absolute HIPAA obligations. They can't opt out or delegate responsibility. They must comply with the Privacy Rule, Security Rule, and Breach Notification Rule. They must develop comprehensive privacy and security policies, conduct annual risk assessments, implement technical and administrative controls, train workforce members, and maintain extensive documentation. Covered entities bear direct regulatory liability. If HHS finds violations, the covered entity faces penalties and enforcement action regardless of whether the violation was intentional.

Covered entities must also have Business Associate Agreements with any vendor or contractor who touches patient data on their behalf. The BAA is the legal mechanism that extends HIPAA obligations to vendors. Without a BAA, a vendor handling patient data on behalf of a covered entity is operating without legal authority, and the covered entity is violating HIPAA by allowing it.

Business Associates: Vendors and Anyone Else Who Touches Patient Data

A business associate is any organization that handles, processes, stores, or transmits patient data on behalf of a covered entity. This is a broader category than many organizations initially realize. Business associates include IT vendors and managed service providers supporting healthcare organizations, cloud hosting and backup service providers storing patient data, billing and payment processors, healthcare consultants, medical transcription services, marketing vendors handling patient email addresses, data analytics companies, healthcare software vendors, and many others.

The critical concept: if you touch patient data on behalf of a covered entity, you're a business associate even if you don't think of yourself that way. Your business associate status is determined by what you do with patient data, not by what industry you're in or what you call yourself. A software vendor that hosts patient medical records is a business associate even if it sells itself as a general SaaS company. An IT MSP that manages a healthcare clinic's EHR system is a business associate even if 99 percent of the MSP's clients are outside healthcare. The fact that you handle healthcare data makes you a business associate.

Most organizations don't realize they're business associates. MSPs managing healthcare client networks don't always recognize they're HIPAA-scoped. Cloud providers hosting healthcare customer data don't always acknowledge they're business associates. Email providers used by healthcare organizations with patient data might be business associates depending on what data they store. Even internal IT departments within healthcare systems are technically business associates relative to the healthcare providers they support.

Business associates don't own the compliance program the way covered entities do, but they do have HIPAA obligations defined by their Business Associate Agreement. They must maintain security controls appropriate to the data they handle. They must report breaches to the covered entity immediately. They must cooperate with covered entity audits and inspections. They must ensure their own subcontractors—the contractors that the business associate hires—also comply with HIPAA. If a business associate breaches patient data, the covered entity is liable to affected individuals and bears the reputational damage, but the business associate is also subject to HHS enforcement action and penalties.

Determining Your Own Role and Responsibility

How do you determine whether your organization is a covered entity or a business associate? Ask the first question: does your organization directly provide healthcare, administer health insurance, or process healthcare transactions? If the answer is yes, you're probably a covered entity. If no, ask the second question: does your organization handle patient data on behalf of an organization that does? If yes, you're probably a business associate.

For organizations operating in multiple roles, both could apply. An insurance company that owns a pharmacy is both a covered entity (for insurance functions) and possibly a business associate (for pharmacy operations). A healthcare system that owns an IT department is the covered entity, and the IT department is acting as a business associate relative to the healthcare providers. A health plan that subcontracts claims processing to a vendor is the covered entity, and the vendor is the business associate. Roles don't create exemptions—they create obligations.

The practical starting point is simple: does patient data flow through your organization in any form? If yes, HIPAA applies to you. If no, HIPAA doesn't apply (though other regulations might). If you're uncertain, the conservative approach is to assume HIPAA applies. The consequences of thinking you don't need to comply and being wrong are far worse than the costs of complying when it wasn't strictly required. A business associate who thought it didn't have HIPAA obligations faces enforcement action, penalties, and client consequences when HHS catches up to them.

What Changes When You're a Business Associate vs a Covered Entity

The regulatory obligations are substantially different between the two roles. Covered entities must develop and maintain an entire compliance program: comprehensive privacy policies, security policies, risk assessment, workforce training, extensive documentation, breach response procedures. Covered entities face direct regulatory enforcement. HHS can audit a covered entity and assess penalties for violations.

Business associates must comply with HIPAA but through contractual obligations with their covered entity customer. The Business Associate Agreement defines what the business associate must do. Usually this includes maintaining appropriate security controls, reporting breaches to the covered entity, allowing covered entity audits and inspections, and ensuring subcontractors comply. Business associates can be much smaller than their covered entity customers. A single IT person supporting a healthcare clinic is a business associate subject to HIPAA obligations.

The liability structures are different. A covered entity faces direct HHS enforcement, civil penalties ranging from $100 to $50,000 per violation, criminal penalties in cases of knowing violations, and patient lawsuits. A business associate faces HHS enforcement, civil penalties, breach notification costs, and enforcement from the covered entity if the business associate's failure to comply causes damage. If a healthcare clinic's patient data is breached due to an MSP's inadequate security, the clinic notifies patients, the clinic faces reputational damage and breach costs, and the clinic's cyber insurance might not fully cover costs the way it would for a breach caused by internal IT failure. The MSP is also subject to HHS enforcement and penalties.

From a practical standpoint, business associates often have more limited compliance obligations than covered entities. A business associate might not need to conduct a full risk assessment—the covered entity might handle that. A business associate might not need to develop privacy policies—those belong to the covered entity. But the business associate must maintain security controls appropriate to the data they handle, and they must be able to demonstrate those controls to the covered entity. You can be smaller, but you can't be less responsible for security.

Business Associate Agreements: The Non-Negotiable Contract

Any covered entity that works with a business associate must have a Business Associate Agreement in place before the business associate touches any PHI. A BAA is a legal contract that establishes what the business associate will do to protect patient data and what obligations both parties have. Signing a BAA before handling patient data isn't optional. It's a legal requirement.

What requires a BAA? Cloud hosting providers that store patient data require one. Managed service providers that manage healthcare networks require one. Email services hosting patient data require one. Backup and disaster recovery vendors require one. Billing and payment processors require one. Healthcare consultants who access patient data require one. Any vendor who stores, processes, or transmits PHI requires one. Even internal service providers within the same organization might require one if they're handling PHI in a way that creates separation from the main covered entity structure.

The gray area exists around vendors who merely provide a generic tool. If an organization uses Microsoft Teams and encrypts all data itself before uploading it, the vendor technically isn't handling unencrypted PHI, and the question of whether a BAA is required becomes ambiguous. But in practice, covered entities are highly cautious. They typically require BAAs from anyone touching any part of their infrastructure that could potentially access patient data. It's better to have unnecessary BAAs than to discover too late that you needed one.

The BAA itself includes required legal language about how the vendor will safeguard data, what uses of the data are permitted, what the vendor must do if there's a breach (immediate notification to the covered entity), what audit and inspection rights the covered entity has, and what happens with the data when the contract ends (return or destruction). The BAA is a legal document and the legal department's responsibility to negotiate, but IT often gets asked to review whether the security commitments the organization is making are technically feasible. This is a reasonable request, because nobody wants to sign a BAA committing to encryption standards that their systems don't support.

Subcontractor Relationships and Cascading Obligations

Business associates don't carry the entire compliance burden alone. If a business associate contracts with a subcontractor who also handles patient data, that subcontractor is called a "subcontractor of a business associate" but the regulation treats them essentially as a business associate too. The subcontractor must have a contract requiring them to maintain HIPAA-compliant controls.

This creates a cascade: the covered entity has a BAA with a business associate, the business associate has a contract with a subcontractor ensuring HIPAA compliance, and the subcontractor has contracts with its own vendors. All the way down the chain, organizations handling patient data must comply with security requirements. Each layer is responsible to the layer above it.

The covered entity is ultimately responsible for the entire chain. If a subcontractor of a business associate breaches patient data, the covered entity still has to notify affected patients. The covered entity bears regulatory liability. The covered entity will demand that the business associate contractually ensure subcontractors comply. The business associate will demand the same from its subcontractors.

In practice, this means vendors managing multiple layers of subcontractors all need to understand HIPAA and be able to demonstrate compliance at each layer. Cloud vendors with HIPAA-compliant data centers that use subcontractors for specific services need to document HIPAA compliance at each layer. A healthcare organization using a cloud provider using a backup service using a third-party disaster recovery provider has HIPAA obligations cascading through all of them. Any weak link in the chain creates risk for the entire chain.

Common Misconceptions About Who Needs to Comply

Many organizations mistakenly think they don't need to comply with HIPAA because they're not healthcare providers. This is wrong. If you process healthcare data in any form, HIPAA applies to you. Insurance companies, billing processors, pharmacy benefit managers, IT vendors, cloud providers, transcription services, and consultants all have HIPAA obligations if they handle patient data. The type of organization you are doesn't exempt you. The type of data you handle determines your obligations.

Another misconception: "We're a business associate so HIPAA doesn't really apply to us because the covered entity owns the compliance program." Wrong. Business associates have HIPAA obligations. You must maintain security controls appropriate to the data you handle, report breaches to the covered entity, allow audits, and ensure subcontractors comply. You're subject to HHS enforcement. You can be fined for HIPAA violations. The covered entity owns the overall program, but you own your portion of compliance.

Third misconception: "Our customer said we don't need a Business Associate Agreement because they reviewed our security." Wrong. The BAA is required by HIPAA before a business associate can legally handle patient data. A covered entity's decision to not require a BAA doesn't exempt a business associate from legal requirements. The business associate is still a business associate and still subject to HIPAA regardless of whether a BAA is signed. An unsigned BAA doesn't make the obligation go away. It just makes the violation more obvious.

Fourth misconception: "We anonymize the data so HIPAA doesn't apply." Only if you properly de-identify the data using HIPAA's safe harbor method. Removing some identifiers is not de-identification. Many organizations think they've de-identified data when they haven't. De-identification requires removing all 18 specific identifiers or obtaining a statistical certification. Until the data is properly de-identified, HIPAA applies.

Closing

Your compliance obligations depend entirely on whether you're a covered entity or a business associate. Covered entities own the entire compliance program and face direct regulatory liability. Business associates must maintain HIPAA-compliant controls and report breaches, but their obligations are contractually defined through Business Associate Agreements. Most organizations underestimate their HIPAA obligations because they don't realize they're business associates. If you handle patient data in any capacity—storing it, processing it, transmitting it—assume HIPAA applies until you've definitively determined otherwise. The consequences of thinking you don't have to comply when you actually do are far worse than the costs of complying when you're on the borderline.


Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects information about HIPAA as of its publication date. Regulations, penalties, and requirements evolve—consult a qualified compliance professional for guidance specific to your organization.