Covered Entities vs Business Associates: Who Needs HIPAA Compliance?

Share:
Covered Entities include healthcare providers, plans, and clearinghouses, while Business Associates handle PHI for them. Identifying your type is essential for HIPAA compliance.

HIPAA Compliance applies to two categories of organizations: covered entities (health care providers, health plans, and health care clearinghouses) and business associates (any vendor or subcontractor that creates, receives, maintains, or transmits protected health information on a covered entity’s behalf). If your organization touches PHI in any capacity, one of these two labels almost certainly applies to you, and both carry direct legal liability under federal law.

Most organizations that ask “does HIPAA apply to us?” already suspect the answer is yes. They just don’t know which set of obligations applies. That distinction matters. Covered entities and business associates share the same underlying rules, but the compliance responsibilities, contractual requirements, and penalty exposure differ in ways that catch healthcare technology companies, billing vendors, and cloud providers off guard every year.

What Is a Covered Entity?

A covered entity is defined under 45 CFR 160.103 as one of three types of organizations:

  • Health care providers: Hospitals, clinics, physicians, dentists, psychologists, pharmacies, and nursing homes, but only if they transmit health information electronically in connection with a transaction for which HHS has adopted a standard, such as claims, eligibility checks, and billing.
  • Health plans: Health insurers, HMOs, company health plans, and government programs that pay for care, including Medicare and Medicaid.
  • Health care clearinghouses: Organizations that process or facilitate the processing of health information from a non-standard format into a standard one, such as billing services and repricing companies.

Covered entities carry the primary compliance burden. They must appoint a privacy and security officer, define permissible uses and disclosures of PHI, honor patient rights to access and amend their records, and issue breach notifications when things go wrong.

One nuance worth flagging is that not every healthcare-adjacent organization is automatically a covered entity. A provider that never transmits information electronically in a HIPAA-covered transaction technically falls outside the definition, although in practice this is increasingly rare given how digitized claims and billing have become.

What Is a Business Associate?

A business associate is any person or entity, other than a member of the covered entity’s own workforce, that performs a function or service on the covered entity’s behalf involving access to PHI. According to HHS’s official guidance on covered entities and business associates, this covers a wide range of roles, including billing companies, IT and cloud service providers, medical transcription services, consultants, and accreditation organizations.

Common business associate categories include:

  • Cloud and SaaS providers hosting or processing ePHI, even when the data is encrypted and the vendor cannot view it.
  • IT support and managed security providers with access to systems that store PHI.
  • Billing and claims processing vendors.
  • Data analytics and AI platforms that ingest clinical data on a covered entity’s behalf.
  • Subcontractors engaged by a business associate. The obligation cascades downstream.

That last point trips up a lot of vendor chains. A subcontractor that handles PHI for a business associate is itself considered a business associate, and it must accept the same contractual and security obligations as the entity above it. This is exactly the ecosystem Ampcus Cyber unpacks in its piece on what qualifies as electronic protected health information and where it tends to live across modern healthcare infrastructure.

Where the Two Roles Genuinely Differ?

The Privacy Rule was written primarily to regulate covered entities. However, the HITECH Act closed a major gap by making business associates directly and independently liable for certain violations, not just contractually liable to the covered entity that hired them.

CriteriaCovered EntityBusiness Associate
Direct HHS liabilityYes, for all applicable HIPAA Rules.Yes, but limited to specific provisions, mainly the Security Rule and breach notification.
Patient-facing obligationsYes, including notice of privacy practices, access rights, and amendments.No direct relationship with patients.
Contractual requirementMust execute a Business Associate Agreement (BAA) with each vendor.Must sign the BAA and execute agreements with its own subcontractors.
Breach notification roleNotifies affected individuals, HHS, and media when applicable.Notifies the covered entity, which then carries out broader notification.
Typical triggering activityDelivering care, administering benefits, or processing claims.Performing a function involving PHI on someone else’s behalf.

A useful test HHS applies is whether an entity’s access to PHI is truly incidental and infrequent, such as a courier or the postal service acting as a mere data conduit. In those cases, it does not become a business associate. Once access is routine and essential to the service being provided, the label applies, whether a contract exists or not.

Why the Business Associate Category Keeps Expanding

Every year, more organizations fall into the business associate bucket without realizing it. The two biggest drivers are:

  1. Cloud adoption: HHS has confirmed that a cloud service provider is a business associate the moment it creates, receives, or maintains ePHI, even if the data is encrypted on the client side and the provider holds no decryption key.
  2. AI and analytics tools: Any vendor whose model ingests, processes, or generates outputs derived from PHI inherits business associate status, and its infrastructure is expected to meet the same Security Rule standard as a hospital’s EHR system. Enforcement has caught up with this reality faster than many vendors anticipated.

This expanding scope is also why HIPAA rarely stands alone anymore. Most healthcare organizations are simultaneously managing overlapping obligations under HITECH and often align with frameworks such as HITRUST, ISO 27001, or SOC 2. Ampcus Cyber’s analysis of why healthcare compliance now extends beyond HIPAA through the HITECH connection explains how HITECH strengthened enforcement and brought business associates directly into the regulator’s line of sight. Organizations serving both U.S. and international patients should also understand how these obligations differ from other privacy regimes. See the comparison of HIPAA vs. GDPR for the key distinctions.

What Happens If You Get the Classification Wrong

Misclassifying your organization or failing to execute a BAA with a vendor that qualifies as a business associate, is one of the most common findings in HHS Office for Civil Rights investigations. According to HHS guidance, a covered entity must enter into a written contract with any vendor meeting the business associate definition. Skipping that step does not exempt either party from liability if PHI is exposed.

Consequences can include:

  • Civil monetary penalties assessed directly against the business associate, not just the covered entity.
  • Mandatory corrective action plans and ongoing OCR monitoring.
  • Breach notification costs, legal exposure, and reputational damage.
  • Loss of contracts, since enterprise healthcare customers increasingly require proof of compliance before signing.

Determining Your Status and Your HIPAA Compliance Responsibilities

If your organization delivers care, administers a health plan, or processes claims electronically, you are almost certainly a covered entity. If you provide a service to one of those organizations, including hosting, billing, analytics, consulting, or IT support, and that service involves access to PHI, you are a business associate regardless of company size or whether health data is your core product.

Understanding whether your organization is a Covered Entity or a Business Associate is the foundation of a successful HIPAA compliance program. A misclassification can expose your business to regulatory penalties, contractual risks, and unnecessary security gaps.

Ampcus Cyber helps healthcare organizations, technology providers, cloud service vendors, and Business Associates assess their HIPAA obligations, establish compliant Business Associate Agreements (BAAs), conduct risk analyses, and implement security controls aligned with regulatory requirements.
Whether you are building a new compliance program or strengthening an existing one, our experts can help you achieve and maintain HIPAA compliance with confidence.

Connect with our experts to build a resilient compliance program that stands up to OCR scrutiny and protects sensitive healthcare data.

Enjoyed reading this blog? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.

×

7th August 2026

New Delhi, India

Know more
Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Talk to an expert