
Covered entity vs. business associate: which one are you under HIPAA?

The distinction between a HIPAA covered entity and a business associate determines your obligations, your direct liability, and what agreements you must have in place. Here is how to determine your status and what it means.

By CoreFolio


Two organizations can handle the same patient data, with equally serious obligations under HIPAA — and have entirely different legal status. One is a covered entity; the other is a business associate. Both can face direct enforcement by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Understanding which category applies to your organization determines what you must do, what agreements you need, and who can investigate you.

What makes an organization a covered entity

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines three types of covered entities in 45 CFR § 160.103:

Health care providers who transmit any health information in electronic form in connection with a covered transaction. This includes physicians, dentists, chiropractors, physical therapists, psychologists, counselors, pharmacies, home health agencies, hospitals, and any other entity that provides health care and submits claims or conducts other covered transactions electronically. The key test is the electronic transaction — a cash-only provider who never submits electronic claims, checks eligibility electronically, or transmits claims through a clearinghouse may not qualify as a covered entity.

Health plans, including health insurance companies, HMOs, employer-sponsored group health plans with 50 or more participants, and government health programs such as Medicare, Medicaid, and TRICARE.

Health care clearinghouses, which process nonstandard health information into standard transactions or vice versa.


What makes an organization a business associate

A business associate is a person or entity — other than a member of a covered entity’s workforce — that, on behalf of a covered entity:

Creates, receives, maintains, or transmits protected health information (PHI) to perform a function or activity regulated by HIPAA, including:

  • Claims processing or administration
  • Data analysis, processing, or administration
  • Utilization review
  • Quality assurance
  • Patient safety activities
  • Billing and collections
  • Benefit management
  • Practice management
  • Repricing

Or provides services to a covered entity that involve access to PHI, including legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

Common organizations that are business associates of health care providers:

  • Medical billing companies and revenue cycle management firms
  • EHR and practice management software vendors
  • Cloud storage and backup services where PHI is stored
  • IT support providers with remote access to systems containing PHI
  • Transcription services
  • Answering services that receive patient messages
  • Accountants and attorneys who review records containing PHI in the course of their services
  • Health information exchange organizations
  • Data analytics and population health vendors

What is not a business associate

The definition has important exclusions:

Workforce members. Employees, volunteers, trainees, and others whose work is under the direct control of the covered entity — whether or not they are paid — are part of the covered entity’s workforce and are not business associates. They are covered by the covered entity’s internal policies and training, not by BAAs.

Treatment disclosures between covered entities. When a physician refers a patient to a specialist and transmits records for treatment, the specialist is not acting as a business associate of the referring physician — the disclosure is for treatment purposes and is permitted directly under the Privacy Rule. A BAA is not required for routine treatment referrals and consultations between covered entities. (Note: Entities in joint treatment arrangements or organized health care arrangements also do not need BAAs for certain shared functions; in general, separate provider-to-provider exchanges for treatment do not require them.)

Incidental access without PHI function. A janitor who might inadvertently see a patient name on a monitor while cleaning is not a business associate. An electrician making repairs is not a business associate. The definition requires performing functions or services that involve PHI — not merely being present in an environment where PHI exists.

Conduits. Organizations that transmit PHI but do not access its content — for example, the U.S. Postal Service or a courier service delivering sealed paper records — are conduits, not business associates. Internet service providers transmitting encrypted ePHI without the ability to decrypt it may also qualify as conduits.


Where the covered entity–business associate distinction matters most

Who requires a BAA: Every business associate relationship must be documented in a written business associate agreement (BAA) before any PHI is shared. The BAA requirement flows from 45 CFR §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e). Covered entities must execute BAAs with their business associates; business associates must execute BAAs with their subcontractors who access PHI.

Who has direct enforcement liability: Before the HITECH Act of 2009, only covered entities faced direct OCR enforcement. The 2013 Omnibus Rule implemented HITECH’s provisions and made business associates directly liable for:

  • Violations of the Security Rule (the full administrative, physical, and technical safeguard requirements)
  • Impermissible uses and disclosures of PHI
  • Failure to provide breach notification to the covered entity
  • Failure to enter into BAAs with their own subcontractors
  • Failure to apply the minimum necessary standard

OCR can investigate and penalize a business associate directly, without involving the covered entity. Conversely, a covered entity can be penalized for selecting a business associate it knew or should have known was not HIPAA compliant.

Breach notification direction: A covered entity notifies patients and HHS. A business associate notifies the covered entity — within 60 calendar days of discovering a breach. The covered entity’s 60-day clock for patient notification runs from the date the business associate discovered the breach, not from when the covered entity received the report. This is a common source of exposure: a business associate who delays internal discovery or reporting compresses the covered entity’s response window.


The subcontractor chain

When a business associate uses a subcontractor that will access PHI, the subcontractor is itself a business associate of the business associate — and a BAA is required between them. The same direct liability rules apply to subcontractors.

Example: A covered entity (physician practice) engages a billing company (business associate). The billing company uses a cloud-hosted practice management platform (subcontractor / business associate of the business associate). The chain of BAAs must be:

  1. Physician practice → billing company (BAA)
  2. Billing company → cloud platform (BAA)

If the cloud platform experiences a breach and has no BAA with the billing company, both the billing company and the physician practice may face enforcement exposure — the billing company for failing to execute a subcontractor BAA, the physician practice for failing to ensure its business associate had appropriate downstream protections.


Determining your organization’s status

If you are uncertain whether your organization is a covered entity, a business associate, both, or neither:

  1. Use the CMS Covered Entity Decision Tool (cms.gov) to determine whether your organization meets the covered entity definition.
  2. List every client or partner whose PHI you access. If you access another organization’s PHI to perform services on their behalf, you are likely their business associate.
  3. List every vendor who accesses your PHI. They are likely your business associates and require BAAs.
  4. Audit existing BAAs. Many organizations discover they have some BAAs in place (typically with the EHR vendor, which required it) and are missing BAAs with IT support, cloud storage, billing, and other vendors.

Sources: 45 CFR § 160.103 (covered entity and business associate definitions); 45 CFR §§ 164.308(b), 164.314(a), 164.502(e), 164.504(e) (BAA requirements); HHS “Covered Entities and Business Associates,” hhs.gov/hipaa/for-professionals/covered-entities; HHS “Business Associates,” hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates; HHS Direct Liability of Business Associates Fact Sheet; HITECH Act of 2009; HHS 2013 Omnibus Rule (78 Fed. Reg. 5566, January 25, 2013). Last verified May 20, 2026.