Who Must Comply with HIPAA? Covered Entities and BAs

Reviewed by Marcus Williams, CISSP, HCISPP

HIPAA applies to two categories of organizations: covered entities (healthcare providers, health plans, and healthcare clearinghouses that directly handle PHI) and business associates (any organization that handles PHI on behalf of a covered entity). The HIPAA Omnibus Rule of 2013 made business associates directly liable for HIPAA violations, subject to the same enforcement and penalty structure as covered entities. Business Associate Agreements are legally required before any vendor touches PHI. Subcontractor obligations cascade through the entire vendor chain. If patient data flows through your organization in any form, HIPAA applies.


Your organization handles patient information but you're not a hospital. Are you a covered entity or a business associate? The answer determines what you're responsible for, what agreements you need in place with other parties, and how much regulatory exposure you carry. Some organizations discover they're business associates subject to HIPAA obligations when they get contacted by an HHS auditor after a client breach. Others don't realize they're covered entities until they try to buy cyber insurance and find that they can't because they don't meet insurance underwriting requirements. Understanding your role in HIPAA isn't academic — it defines your compliance obligations and your liability structure.

Covered Entities: Healthcare Providers, Plans, and Clearinghouses

Covered entities are organizations that directly provide healthcare, administer health insurance, or process healthcare transactions. Healthcare providers include doctors, dentists, clinics, hospitals, mental health practitioners, nursing homes, physical therapists, chiropractors, pharmacists, and other professionals who provide healthcare. Health plans include insurance companies, managed care organizations, and employer health plans. Healthcare clearinghouses are organizations that process healthcare transactions like billing intermediaries and claims processors.

The key distinction: covered entities directly handle patient data as part of their core business. A hospital provides care to patients, owns patient data, and bears legal responsibility for that data. A health insurance company administers plans, manages member data, and owns compliance for that data. If you directly provide healthcare or administer health insurance, you're almost certainly a covered entity.

Covered entities have absolute HIPAA obligations. They can't opt out or delegate responsibility. They must comply with the Privacy Rule, Security Rule, and Breach Notification Rule. They must develop comprehensive privacy and security policies, conduct annual risk assessments, implement technical and administrative controls, train workforce members, and maintain extensive documentation. Covered entities bear direct regulatory liability — if HHS finds violations, the covered entity faces penalties and enforcement action regardless of whether the violation was intentional.

Covered entities must also have Business Associate Agreements with any vendor or contractor who touches patient data on their behalf. The BAA is the legal mechanism that extends HIPAA obligations to vendors. Without a BAA, a vendor handling patient data on behalf of a covered entity is operating without legal authority, and the covered entity is violating HIPAA by allowing it. Understanding who qualifies as a business associate is where most organizations get tripped up.

Business Associates: A Broader Category Than Most Organizations Realize

A business associate is any organization that handles, processes, stores, or transmits patient data on behalf of a covered entity. This includes IT vendors and managed service providers supporting healthcare organizations, cloud hosting and backup service providers storing patient data, billing and payment processors, healthcare consultants, medical transcription services, marketing vendors handling patient email addresses, data analytics companies, healthcare software vendors, and many others.

If you touch patient data on behalf of a covered entity, you're a business associate regardless of what you call yourself. A software vendor hosting patient medical records is a business associate even if they sell themselves as a general SaaS company. An IT MSP managing a healthcare clinic's EHR system is a business associate even if the MSP manages 99 percent non-healthcare clients. The fact that you handle healthcare data makes you a business associate.

Before the HIPAA Omnibus Rule of 2013, business associates had contractual obligations but limited direct regulatory liability. The Omnibus Rule changed that fundamentally — business associates are now directly subject to HIPAA enforcement, including civil penalties ranging from $100 to $50,000 per violation and criminal penalties for knowing violations. HHS has pursued enforcement actions directly against business associates, not just covered entities. This is a significant shift that many vendors still haven't fully internalized.

Business associates must maintain security controls appropriate to the data they handle, report breaches to the covered entity immediately, cooperate with covered entity audits and inspections, and ensure their own subcontractors also comply with HIPAA. If a business associate breaches patient data, the covered entity is liable to affected individuals and bears the reputational damage, but the business associate is also subject to HHS enforcement and penalties.

Determining Your Own Role

How do you determine whether your organization is a covered entity or a business associate? The first question: does your organization directly provide healthcare, administer health insurance, or process healthcare transactions? If yes, you're probably a covered entity. If no, the second question: does your organization handle patient data on behalf of an organization that does? If yes, you're probably a business associate.

For organizations operating in multiple roles, both could apply. An insurance company that owns a pharmacy is both a covered entity for insurance functions and potentially a business associate for pharmacy operations. A healthcare system that owns an IT department is the covered entity, and the IT department is acting as a business associate relative to the healthcare providers. Roles don't create exemptions — they create obligations.

The practical starting point: does patient data flow through your organization in any form? If yes, HIPAA applies. If you're uncertain, the conservative approach is to assume HIPAA applies. The consequences of thinking you don't need to comply and being wrong are far worse than the costs of complying when it wasn't strictly required. HHS enforcement data shows that business associates who thought they didn't have HIPAA obligations face the harshest enforcement because the lack of compliance infrastructure is treated as willful neglect. Once you've determined your role, the obligations that follow are substantially different.

Covered Entity vs Business Associate Obligations

Covered entities must develop and maintain an entire compliance program: comprehensive privacy policies, security policies, risk assessment, workforce training, extensive documentation, breach response procedures. Covered entities face direct regulatory enforcement. HHS can audit a covered entity and assess penalties for violations.

Business associates must comply with HIPAA through contractual obligations defined in Business Associate Agreements. The BAA specifies what the business associate must do — typically maintaining appropriate security controls, reporting breaches to the covered entity, allowing audits and inspections, and ensuring subcontractors comply. Business associates can be much smaller than their covered entity customers. A single IT person supporting a healthcare clinic is a business associate subject to HIPAA obligations.

The liability structures differ. A covered entity faces direct HHS enforcement, civil penalties, criminal penalties in cases of knowing violations, and patient lawsuits. A business associate faces HHS enforcement, civil penalties, breach notification costs, and enforcement from the covered entity if the business associate's failure to comply causes damage. If a healthcare clinic's patient data is breached due to an MSP's inadequate security, the clinic notifies patients and faces reputational damage, and the MSP is also subject to direct HHS enforcement. HHS imposed a $2.3 million penalty against a business associate (CHSPSC) in 2020 for failing to implement appropriate security measures that led to a breach affecting 6.1 million individuals.

From a practical standpoint, business associates often have more limited compliance obligations than covered entities. A business associate might not need to develop privacy policies — those belong to the covered entity. But the business associate must maintain security controls appropriate to the data they handle and demonstrate those controls on demand. You can be smaller, but you can't be less responsible for security. The contractual vehicle for all of this is the BAA.

Business Associate Agreements

Any covered entity working with a business associate must have a Business Associate Agreement in place before the business associate touches any PHI. A BAA is a legal contract establishing what the business associate will do to protect patient data and what obligations both parties have.

Cloud hosting providers storing patient data, managed service providers managing healthcare networks, email services hosting patient data, backup and disaster recovery vendors, billing and payment processors, healthcare consultants accessing patient data — all require BAAs. Even internal service providers within the same organization might require one if they handle PHI with structural separation from the main covered entity.

The gray area exists around vendors providing generic tools. If an organization uses a communications platform and encrypts all data before uploading, the vendor technically isn't handling unencrypted PHI. Whether a BAA is required becomes ambiguous. In practice, covered entities are highly cautious and typically require BAAs from anyone touching infrastructure that could potentially access patient data. Better to have unnecessary BAAs than to discover too late that you needed one.

The BAA includes required language about data safeguards, permitted data uses, breach notification obligations, audit and inspection rights, and data disposition when the contract ends. Legal owns the BAA negotiation, but IT often gets asked to review whether the security commitments are technically feasible — a reasonable request because nobody wants to sign a BAA committing to standards your systems don't support. BAA obligations don't stop at the first vendor — they cascade through subcontractor relationships.

Subcontractor Cascading Obligations

Business associates that contract with subcontractors handling patient data must ensure those subcontractors also comply with HIPAA. The subcontractor must have a contract requiring HIPAA-compliant controls. This creates a cascade: the covered entity has a BAA with a business associate, the business associate contracts with a subcontractor on terms that ensure HIPAA compliance, and the subcontractor contracts with its own vendors on the same terms. All the way down the chain, organizations handling patient data must comply with security requirements.

The covered entity is ultimately responsible for the entire chain. If a subcontractor of a business associate breaches patient data, the covered entity still has to notify affected patients. The covered entity bears regulatory liability. This means vendors managing multiple layers of subcontractors all need to demonstrate HIPAA compliance at each layer. A healthcare organization using a cloud provider that uses a backup service that uses a disaster recovery provider has HIPAA obligations cascading through all of them. Any weak link creates risk for the entire chain.

Common Misconceptions

Many organizations think they don't need to comply because they're not healthcare providers. This is wrong. If you process healthcare data in any form — insurance companies, billing processors, IT vendors, cloud providers, transcription services, consultants — HIPAA applies. The type of organization you are doesn't exempt you. The type of data you handle determines your obligations.

Another misconception: "We're a business associate so HIPAA doesn't really apply to us because the covered entity owns the compliance program." Wrong. Since the Omnibus Rule, business associates have direct HIPAA obligations and face direct HHS enforcement. You can be fined for HIPAA violations independently of the covered entity.

Third: "Our customer said we don't need a Business Associate Agreement because they reviewed our security." Wrong. The BAA is required by HIPAA before a business associate can legally handle patient data. A covered entity's decision to skip it doesn't exempt either party. An unsigned BAA doesn't make the obligation disappear — it makes the violation more obvious.

Fourth: "We anonymize the data so HIPAA doesn't apply." Only if you properly de-identify the data under HIPAA's de-identification standard. Removing some identifiers is not de-identification. De-identification requires either the Safe Harbor method (removing all 18 specified identifiers) or Expert Determination (a documented statistical certification from a qualified expert). Until the data is properly de-identified, HIPAA applies.
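As an added example (not from the article), the Python below applies the Safe Harbor field rules to a constructed record and then scans what remains for identifier patterns, which is where data that looks stripped usually still carries PHI. The field names and the restricted three-digit ZIP set are assumptions for illustration.

```python
"""Added example, not from the article: Safe Harbor field rules on a constructed record."""
import re
from datetime import date
# Constructed sample record for illustration; no real PHI.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "dob": "1931-05-14", "zip": "03755",
    "phone": "603-555-0100", "email": "jane@example.org", "mrn": "MRN-000123",
    "admit_date": "2023-02-03", "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up visit booked; reach patient at 603-555-0100",
}
# Assumed field names that correspond to Safe Harbor's direct identifiers; dropped outright.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "account",
                      "license", "vehicle", "device_id", "url", "ip", "biometric", "photo"}
# Three-digit ZIP prefixes that must become 000 (low-population areas).
# Illustrative set; verify against current HHS guidance before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
PATTERNS = {  # catch identifiers that survive inside free-text fields
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}
def safe_harbor(record, as_of="2024-01-01"):
    """Return a copy of `record` with Safe Harbor rules applied, ages computed as of `as_of`."""
    ref, out = date.fromisoformat(as_of), {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":  # keep only the first three digits, subject to the 000 rule
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "dob":  # dates reduced to year; ages over 89 aggregated as 90+
            born = date.fromisoformat(value)
            age = ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))
            if age > 89:
                out["age"] = "90+"  # birth year would reveal the age, so it is dropped too
            else:
                out["age"], out["birth_year"] = age, born.year
        elif key.endswith("_date"):  # other individual-related dates reduced to year
            out[key[:-5] + "_year"] = date.fromisoformat(value).year
        else:
            out[key] = value
    return out
def residual_identifiers(record):
    """List (field, kind) pairs where an identifier pattern still appears in a string field."""
    return [(k, kind) for k, v in record.items() if isinstance(v, str)
            for kind, pat in PATTERNS.items() if pat.search(v)]
```

Running `residual_identifiers(safe_harbor(SAMPLE_RECORD))` flags the phone number left in the notes field, which is the page's point: stripping structured identifiers alone does not de-identify the record.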

Your compliance obligations depend entirely on whether you're a covered entity or a business associate. Covered entities own the entire compliance program and face direct regulatory liability. Business associates must maintain HIPAA-compliant controls and report breaches, with obligations contractually defined through BAAs. If you handle patient data in any capacity — storing, processing, transmitting — HIPAA applies until you've definitively determined otherwise.

Frequently Asked Questions

Can an organization be both a covered entity and a business associate?
Yes. An organization functioning as a health plan (covered entity) that also provides administrative services to another covered entity (business associate) holds both designations simultaneously. Each role carries its own obligations. An integrated health system where the IT department serves multiple provider entities may function as a business associate to each of those entities while the parent organization is a covered entity.

Does HIPAA apply to employers who manage employee health benefits?
Employer-sponsored group health plans are covered entities under HIPAA. The employer itself is generally not a covered entity, but the health plan it sponsors is. If the employer handles enrollment data, claims information, or other PHI in connection with the health plan, HIPAA obligations apply to that data handling. Many employers establish a firewall between HR functions that handle plan data and the rest of the organization.

What happens to a business associate if the covered entity goes out of business?
The business associate's HIPAA obligations regarding the PHI it holds survive the termination of the covered entity relationship. The BAA should specify data disposition requirements — return or destruction of PHI when the relationship ends. A business associate still holding PHI from a defunct covered entity must continue to protect that data under HIPAA until it is properly destroyed or de-identified.

How does HIPAA interact with state health privacy laws?
HIPAA establishes a federal floor — state laws that provide greater privacy protections than HIPAA are not preempted. States with stricter breach notification requirements, shorter notification timelines, or broader definitions of protected information override HIPAA's standards where they provide greater protection. Organizations must comply with both HIPAA and applicable state laws, applying whichever standard is more protective of patient privacy.

Are software developers who build healthcare applications business associates?
If the developer accesses, stores, or processes PHI during development, testing, or operation of the application, they are a business associate and require a BAA. Developers who work exclusively with de-identified test data or synthetic data are not business associates. The determination depends on whether real PHI touches the developer's systems at any point in the development or operational lifecycle.


Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects information about HIPAA as of its publication date. Regulations, penalties, and requirements evolve — consult a qualified compliance professional for guidance specific to your organization.