What is Covered Entity vs Business Associate?
A covered entity is a health plan, health care clearinghouse, or health care provider that transmits health information electronically in connection with standard transactions. A business associate is a person or organization that creates, receives, maintains, or transmits PHI to perform services for a covered entity. Both must comply with HIPAA, but their roles and obligations differ.
Knowing which category you fall into matters because it defines your HIPAA obligations. Covered entities — clinics, hospitals, dental and mental-health practices, insurers — are bound by the Privacy, Security, and Breach Notification Rules directly. Business associates — billing firms, EHR vendors, MSPs, cloud hosts, shredding services — became directly liable under the HITECH Act and must comply with the Security Rule and applicable Privacy Rule provisions.
A concrete example: a therapy practice is a covered entity; the transcription service it hires is a business associate; that service's offshore subcontractor is also a business associate. Each PHI-handling link needs a Business Associate Agreement connecting it to the chain.
Documented role determination, a vendor inventory, and the right BAAs make audits and vendor due-diligence faster because you can show exactly where you sit and who you rely on. Templates accelerate that documentation, but classifying yourself correctly and meeting the matching obligations is what actually keeps you compliant.
Related terms: Business Associate Agreement (BAA) · Protected Health Information (PHI) · Vendor Risk Management · Data Controller vs Data Processor
Frequently asked questions
- Can an organization be both a covered entity and a business associate?
- Yes. For example, a hospital is a covered entity for its own patients but acts as a business associate when it provides services involving another covered entity's PHI. Your obligations follow the role you are playing in each relationship.
- Is a cloud storage provider a business associate?
- Yes, if it maintains or transmits PHI for a covered entity — even if the data is encrypted and the vendor never views it. OCR has confirmed cloud service providers handling PHI are business associates and need a BAA.
- Are business associates directly liable under HIPAA?
- Yes. Since the HITECH Act and the 2013 Omnibus Rule, business associates are directly accountable for compliance with the Security Rule and applicable Privacy Rule requirements, and can be penalized by OCR for violations.
Toolkits that cover Covered Entity vs Business Associate
HIPAA Compliance Toolkit — Medical Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.
HIPAA Compliance Toolkit — Dental Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written specifically for dental offices.
HIPAA Compliance Toolkit — Mental Health Practices
18 editable HIPAA policies written for therapists and behavioral-health practices — teletherapy security, psychotherapy-notes handling — plus the Security Risk Assessment workbook and audit evidence checklist.
