What’s The Difference Between A Covered Entity & Business Associate?

Knowing the distinction between a covered entity and a business associate is essential because the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is administered differently for the two. If you understand the difference, you understand who has access to your medical data and what they are permitted to do with it.

The HIPAA Privacy Rule protects a person’s medical records and other personal health information, and it gives the patient rights over that information. It also applies to covered entities and business associates: it requires each to follow specific rules and places restrictions and conditions on the use and disclosure of certain patient information.

Legally, the HIPAA Privacy Rule applies only to covered entities. A covered entity is a health plan, a health care clearinghouse, or a health care provider that electronically transmits any type of health information. Examples are your doctor, hospital, insurance company and health insurance plan, whether it is a private, employee, state or federal plan.

But it is common for health care providers and health plans to use the services of other individuals or businesses to help carry out their health care functions. That is where business associates come in.

More specifically, a business associate is an individual or entity that performs particular functions involving the use or disclosure of protected health information (PHI) on behalf of, or as a service to, a covered entity. A health plan, health care clearinghouse or covered health care provider can be a business associate of another covered entity, but a member of the covered entity’s own workforce is not considered a business associate.

Examples of business associates include an attorney, a CPA firm, an independent medical transcriptionist or a pharmacy benefits manager. Services provided by business associates include accounting, billing, claims processing and data management. These are only a few examples of each.

Covered entities are responsible for ensuring that their business associates safeguard protected health information. The contract between a covered entity and its business associate must be HIPAA compliant, and if a business associate breaches that contract, it is up to the covered entity to have the breach corrected or to terminate the contract.

9 thoughts on “What’s The Difference Between A Covered Entity & Business Associate?”

  1. Can a Florida mobile home community (known as a Cooperative under F.S. 719) become a covered entity or business associate if it accepts and distributes to its shareholders the personal and protected health information of another? Example: The Board and Community Association Manager accepts health information to evaluate if a shareholder is allowed to use a motorcycle upon the community grounds. Another example: The community Action News Editor has sent via email to shareholders the personal health information of fellow shareholders who are ill or hospitalized, such as medications and dosages prescribed to them and even that one shareholder had been diagnosed with the MRSA Virus.

    Hello Tom – Both examples would most likely qualify your firm as a business associate. But neither example would lean towards making your firm a covered entity. SM 12-12-2016

    1. There seems to be some confusion as it relates to laboratories. Can you answer this question for me? A family planning clinic is a “covered entity” and a laboratory that is CLIA certified and transmits records electronically is a “covered entity.” Therefore a HIPAA agreement is not needed since both are legally “covered entities,” correct? I am willing to learn.

      1. Hi Dave! The following response was provided by our VP of Data Security, John Lazo.

        That is correct, see below for the explanation:

        A: Members of an organized health care arrangement. Covered entities that participate in an organized health care arrangement (“OHCA”) are not business associates of each other while performing functions on behalf of the OHCA; “thus, they may use and disclose [PHI] for the joint health care activities of the OHCA without entering into a business associate agreement.” (OCR FAQ; see 45 CFR 160.103). An OHCA is (1) “A clinically integrated care setting in which individuals typically receive health care from more than one health care provider” (e.g., a hospital and its medical staff); (2) an organized system of health care in which more than one covered entity participates and in which the participating covered entities engage in joint utilization review, quality improvement, or payment activities (e.g., provider networks); or (3) certain arrangements between group health plans and other insurers. (45 CFR 160.103). The OHCA exception only applies to covered entities (e.g., healthcare providers and health plans) that perform functions for the OHCA; it does not apply to other entities that require PHI to perform functions on behalf of the OHCA.

        B: Healthcare providers who receive PHI to treat patients. A healthcare provider is not a business associate of other covered entities while rendering treatment to patients. (See 45 CFR 160.103; see also 65 FR 82476 and 82504). As explained by the OCR:

        The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1). Therefore, any covered health care provider (or other covered entity) may share [PHI] with a health care provider for treatment purposes without a business associate contract.

        (OCR FAQ). For example,

        A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
        A physician is not required to have a business associate contract with a laboratory as a condition of disclosing [PHI] for the treatment of an individual.
        A hospital laboratory is not required to have a business associate contract to disclose [PHI] to a reference laboratory for treatment of the individual.

        1. Does that include a covered entity that compensates a group of healthcare providers to provide services to its patients? Or an individual healthcare provider to serve in the capacity of a medical director? Wouldn’t this be a business associate relationship because they are performing a service (albeit treatment) on behalf of the covered entity?

          1. There is no substitute for legal counsel on these matters; as auditors, we need to understand HIPAA. With that waiver out of the way, I will reference the HHS website, “In these situations, a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.

            Disclosures by a covered entity to a health care provider for treatment of the individual. For example:
            A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.”


            Hope this helps – thank you for your comment and question.

            Steven Marco

  2. Please provide clarification. If a document data company (Prime Contractor) subcontracts a portion of work for a Covered Entity to another document data management company, will the Prime document company be considered a Covered Entity or a Business Associate to the Subcontractor?

    1. Hi Michelle,
      John Lazo, our VP of Data Security provided an answer to your question:

      “No, they don’t become Covered Entities; however, Business Associates are still under the same responsibilities as CE’s.
      CE’s Include:
      Healthcare Providers
      Health Plan Providers
      Healthcare Clearinghouses

      BA’s Include:
      Any of the above could be a BA as well, but not every BA can be a CE
      Medical Billing
      Document Storage and Destruction
      Record Storage
      Software companies
      Collection agencies
      Answering Services
      Medical Device manufacturers
      Marketing companies
      Cleaning services
      Medical couriers
      Asset recyclers
      Document Shredding

      One of the main differences between CE’s and BA’s is who reports to the OCR/HHS/STATE: a CE always reports to OCR and a BA will report to the CE. This does not mean that BA’s do not have any liability, because they will still be responsible under regulations, civil and even criminal laws just like a CE would be.”

    2. Hi Michelle. It appears as though the Prime Subcontractor is a BA to the CE. The “other document data management company” is a subcontractor to the Prime Subcontractor and should have a BAA between them.

  3. Lisa Moon, PhD

    What about NCEs in the community that need PHI to coordinate care? Coordination of care is not defined under HIPAA. If PHI is needed by the community-based organization (e.g., Salvation Army, homeless shelter case manager), is a BA needed? Or is the consumer who owns the PHI responsible for signing an authorization to release information to that community-based organization (non-covered entity)?
