The distinction sounds simple, but it trips up many organizations — especially technology vendors who do not realize they are business associates. This guide clarifies both roles, their responsibilities, and how they relate to each other.
The two roles, defined
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that handles protected health information (PHI) as part of delivering or paying for care. A business associate is a third party that handles PHI on behalf of a covered entity to perform a service — such as hosting, billing, analytics, or IT support.
Both roles carry direct obligations under HIPAA, and both must build HIPAA compliance programs. But the nature of those obligations, and the relationship between the parties, differs in important ways.
What a covered entity is
Covered entities are the primary holders of patient information. They include healthcare providers such as hospitals, clinics, physician practices, and pharmacies, but only when they transmit health information electronically in connection with a standard transaction such as a claim or eligibility check; health plans such as insurers and HMOs; and clearinghouses that translate health data between standard and non-standard formats. Covered entities have the most comprehensive obligations under HIPAA because they originate and control most PHI.
A covered entity must comply with the full Privacy Rule, the Security Rule for its electronic data, and the Breach Notification Rule, and it must ensure that every vendor handling its PHI is bound by a Business Associate Agreement.
What a business associate is
A business associate is any organization that creates, receives, maintains, or transmits PHI on a covered entity’s behalf. The category is intentionally broad. Common examples include cloud and SaaS providers, data-storage firms, billing and coding companies, claims processors, analytics and reporting vendors, e-prescribing gateways, transcription services, and many consultants and IT providers.
The defining test is function: if you handle PHI to perform a service for a covered entity (or another business associate), you are a business associate, even if you never see a patient and even if the data is encrypted and you never hold the key to decrypt it. HHS guidance on cloud computing confirms that a provider storing encrypted ePHI is a business associate regardless of whether it can read the data. The only carve-out is the narrow conduit exception for organizations that merely transport PHI, such as the postal service or an internet service provider, and that exception does not extend to vendors that store PHI for longer than the transient period needed to deliver it.
How responsibilities differ
Covered entities carry the full weight of the Privacy Rule, including patient-facing obligations like providing a Notice of Privacy Practices, honoring access requests, and managing authorizations. Business associates are directly bound by the Security Rule for the ePHI they handle, must notify the covered entity of breaches under the Breach Notification Rule, and may use or disclose PHI only as their Business Associate Agreement (or the Privacy Rule itself) permits. A business associate that uses PHI outside the scope of its BAA is making an impermissible disclosure in its own right, not merely breaching a contract.
In practice, this means a covered entity manages the patient relationship and the overall use of PHI, while a business associate focuses on securing the data entrusted to it and supporting the covered entity’s compliance.
| Aspect | Covered Entity | Business Associate |
|---|---|---|
| What it is | Healthcare provider, health plan, or clearinghouse that holds PHI | Vendor that creates, receives, maintains, or transmits PHI on a covered entity’s behalf |
| Examples | Hospitals, clinics, physician practices, insurers, pharmacies | SaaS platforms, cloud hosts, billing/coding firms, analytics, IT providers |
| Patient relationship | Direct — manages the patient relationship | None — works behind the scenes |
| Primary obligations | Full Privacy & Security Rules, plus patient-facing duties | Security Rule and the Privacy obligations flowed down by the BAA |
| Notice of Privacy Practices | Required | Not required |
| BAA responsibility | Must sign a BAA with every vendor that handles PHI | Must sign BAAs with the covered entity and its own subcontractors |
| Direct HIPAA liability | Yes | Yes — since the 2013 Omnibus Rule |
The Business Associate Agreement that connects them
The legal bridge between the two roles is the Business Associate Agreement (BAA). Before a covered entity shares PHI with a business associate, a signed BAA must be in place. The BAA contractually obligates the business associate to safeguard PHI, use it only as permitted, report breaches, and ensure its own subcontractors are bound by equivalent terms. HIPAA prescribes the minimum content: the agreement must spell out the permitted and required uses and disclosures, require appropriate safeguards, require the business associate to report security incidents and breaches, make PHI available so the covered entity can satisfy patient access, amendment, and accounting requests, make the business associate's internal practices and records available to HHS, flow the same restrictions down to subcontractors, and require return or destruction of PHI when the agreement ends (or an explanation of why that is infeasible). Operating without a required BAA is itself a HIPAA violation, even if no breach ever occurs.
Can you be both?
Yes. An organization can be a covered entity in one context and a business associate in another. A hospital is a covered entity for its own patients, but if it also provides services that handle another covered entity’s PHI, it acts as a business associate in that relationship. Likewise, a business associate that hires a subcontractor to handle PHI takes on a role similar to a covered entity in that downstream relationship, including the duty to sign a BAA.
Why the distinction matters for vendors
For technology companies, recognizing business-associate status is often the moment HIPAA becomes real. Many SaaS founders assume HIPAA is their healthcare customers’ problem, only to discover that handling PHI makes them directly liable. Healthcare buyers increasingly require vendors to sign BAAs and demonstrate safeguards before any deal closes, so understanding and embracing the business-associate role is both a legal necessity and a commercial advantage.
Determining your role
To classify yourself, start with how you interact with PHI. If you originate or control patient information as a provider, plan, or clearinghouse, you are a covered entity. If you handle PHI to deliver a service to one of those organizations, you are a business associate. Document your determination, then build the program — safeguards, policies, and agreements — that your role requires. The clearer this classification, the more straightforward the rest of your compliance journey becomes.
Common business-associate mistakes
The most frequent mistake is failing to recognize business-associate status at all. For technology vendors in particular, the first time they hear the term is often during a customer security review, when they learn they are directly liable for the PHI already sitting in their systems. A close second is operating without Business Associate Agreements in place, or relying on outdated agreements that no longer reflect current data flows.
Other common errors include neglecting subcontractor BAAs, underestimating the Security Rule obligations that apply to ePHI (a documented risk analysis is required, not optional), and assuming that encrypted data they cannot read exempts them from HIPAA. It does not: encryption that meets HHS guidance can keep a lost or stolen dataset from counting as a reportable breach of unsecured PHI, but it has no bearing on whether the organization holding the data is a business associate.
What each role must document
Covered entities and business associates both carry documentation obligations, but they differ in emphasis. A covered entity maintains a Notice of Privacy Practices, patient-rights procedures, and the full suite of privacy and security policies. A business associate focuses on its security policies, safeguard documentation, breach-response procedures, and its BAAs with customers and subcontractors. Both must keep a current Security Rule risk analysis and risk-management plan, because the Security Rule applies to each of them directly.
In both cases, documentation is not optional paperwork; it is the primary evidence of compliance that regulators and customers will ask to see. HIPAA requires policies, procedures, and records of required actions and assessments to be retained for six years from the date they were created or last in effect, whichever is later.
How the relationship works in practice
In a typical engagement, a covered entity selects a vendor, conducts due diligence on its security posture, and signs a BAA before any PHI is shared. The business associate then safeguards the data, uses it only for the agreed purposes, supports the covered entity’s compliance obligations, and reports any breach promptly. If the business associate uses subcontractors, it flows equivalent obligations down through its own BAAs.
This chain of agreements and responsibilities is what allows PHI to move through a complex ecosystem of providers and vendors while remaining protected at every step.
Choosing the right side to focus on
If you are unsure which role dominates your obligations, look at where your risk concentrates. Covered entities should invest heavily in patient-facing privacy practices and enterprise-wide safeguards. Business associates should prioritize securing the specific systems that touch customer PHI and maintaining airtight BAAs. Organizations that play both roles need to keep the two sets of obligations distinct and well-documented so neither is overlooked.
Know your role, own your obligations
The covered-entity and business-associate distinction is more than terminology — it defines the shape of your entire compliance program. Covered entities steward patient relationships and the broad use of PHI; business associates secure the data entrusted to them and support their customers’ compliance. Both are directly accountable under HIPAA, and both depend on Business Associate Agreements to keep PHI protected as it moves between them.
Identify your role honestly, document it, and build the program it demands. For technology vendors in particular, embracing business-associate status early — rather than discovering it during a stalled deal — turns a potential liability into a competitive strength. Knowing your role is the first step toward dependable HIPAA compliance.