HIPAA divides the organizations it regulates into two categories: covered entities and business associates. Knowing which one you are determines your obligations and the contracts you must put in place.
Covered entities
Under 45 CFR 160.103, a covered entity is one of three types of organization:
- Health plans - health insurers, HMOs, employer group health plans, and government programs that pay for care, such as Medicare and Medicaid.
- Health care clearinghouses - entities that process health information from one format into another, for example a billing service that converts claims into standard transactions.
- Health care providers - providers that transmit health information electronically in connection with a HIPAA standard transaction, such as submitting claims or checking eligibility.
The electronic transaction trigger matters. A provider that never conducts a standard transaction electronically may technically fall outside the definition, but in practice nearly all providers conduct at least one covered transaction.
Business associates
A business associate is a person or organization, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits PHI to perform a function or service on the covered entity's behalf. Examples include:
- Billing and coding companies
- Cloud storage and hosting providers that store ePHI
- IT support and managed service providers with access to systems containing PHI
- Shredding and document destruction vendors
- Some attorneys, accountants, and consultants
Subcontractors that handle PHI on behalf of a business associate are themselves business associates and must be bound by the same protections.
Business associate agreements
A covered entity must have a written business associate agreement (BAA) before allowing a business associate to handle PHI. The BAA describes how the business associate may use the information, requires appropriate safeguards, and obligates the business associate to report breaches. Business associates are directly liable for certain HIPAA requirements, not just contractually liable to the covered entity.
Who is not a business associate?
Not every vendor needs a BAA. Entities that only have incidental, infrequent exposure to PHI, or that act as mere conduits transporting data without accessing it more than incidentally, may fall outside the definition. The classic conduit example is a postal or courier service. The line can be subtle, so when in doubt, treat the relationship conservatively and document your reasoning.
Hybrid and affiliated entities
Some organizations perform both covered and non-covered functions. A university with a medical clinic, or a company with a self-insured health plan alongside unrelated business lines, may not want all of its operations swept into HIPAA. The Privacy Rule allows such an organization to designate itself a hybrid entity, formally separating its health care components from the rest so that HIPAA obligations attach mainly to the components that actually handle PHI. Related rules address affiliated covered entities and organized health care arrangements, which let legally separate organizations operate under shared privacy practices. These designations are powerful but must be documented carefully; an organization that treats itself as hybrid without proper designation may not get the benefit it expects.
How to classify a relationship
When a new vendor or partner comes on board, a short series of questions clarifies the category. Does the organization furnish health care, run a health plan, or operate as a clearinghouse, and does it conduct standard electronic transactions? If so, it is likely a covered entity. Does it instead perform a service for a covered entity that involves access to PHI? If so, it is likely a business associate that needs a BAA. Does it merely transport sealed data without meaningful access, like a courier? It may be a conduit. Documenting the answer, and the reasoning behind it, creates a record you can rely on later.
Why the distinction matters
Your category drives your duties. Covered entities must provide a notice of privacy practices, honor patient access rights, and comply with all of the HIPAA rules. Business associates must safeguard ePHI under the Security Rule, follow their BAA, and report breaches. Both can face enforcement. Getting the classification right at the start of a relationship prevents gaps that surface only after an incident.