In This Article
Quick Decision Test
Answer these questions to determine your HIPAA status:
Question 1: Are you a healthcare provider (doctor, hospital, pharmacy, etc.) that transmits health information electronically?
Question 2: Are you a health plan (insurance company, HMO, employer health plan)?
Question 3: Are you a healthcare clearinghouse?
If YES to any: You're likely a Covered Entity
Question 1: Do you perform services for a Covered Entity that involve PHI access?
Question 2: Do you create, receive, maintain, or transmit PHI on behalf of a Covered Entity?
Question 3: Has a Covered Entity asked you to sign a Business Associate Agreement?
If YES to any: You're likely a Business Associate
What is a Covered Entity?
Covered Entities are the organizations HIPAA was originally designed to regulate. They're directly subject to HIPAA rules.
The Three Types of Covered Entities
| Type | Definition | Examples |
|---|---|---|
| Healthcare Providers | Any provider of medical or health services who transmits health information electronically in connection with certain transactions | Hospitals, physicians, dentists, chiropractors, nursing homes, pharmacies, clinics, psychologists |
| Health Plans | Individual or group plans that provide or pay for medical care | Health insurance companies, HMOs, employer-sponsored health plans, government programs (Medicare, Medicaid, military health) |
| Healthcare Clearinghouses | Entities that process nonstandard health information into standard formats | Billing services, repricing companies, community health management systems |
Key Point: Electronic Transactions
Healthcare providers become Covered Entities only if they transmit health information electronically in connection with HIPAA-covered transactions (claims, eligibility, enrollment, etc.). A provider who only accepts cash and never submits electronic claims might not be a Covered Entity - but this is rare.
What is a Business Associate?
Business Associates are vendors, contractors, and service providers who handle PHI on behalf of Covered Entities. The HITECH Act (2009) made Business Associates directly liable for HIPAA compliance.
Business Associate Definition
A person or organization that:
- Performs functions or activities involving PHI on behalf of a Covered Entity, OR
- Provides services to a Covered Entity involving PHI disclosure
Common Business Associate Functions
- Claims processing or administration
- Data analysis, processing, or administration
- Utilization review
- Quality assurance
- Billing
- Benefit management
- Practice management
- Repricing
Common Business Associate Services
- Legal, actuarial, accounting, consulting services
- Data aggregation
- Management, administrative, accreditation services
- Financial services
Technology Companies as Business Associates
Many technology companies are Business Associates:
- EHR/EMR vendors: Store and process patient records
- Cloud providers: Host systems containing PHI
- IT service providers: Have access to systems with PHI
- SaaS vendors: Applications processing PHI
- Data analytics companies: Analyze patient data
- Telehealth platforms: Facilitate patient interactions
Key Differences: CE vs BA
| Aspect | Covered Entity | Business Associate |
|---|---|---|
| Who they are | Healthcare providers, health plans, clearinghouses | Vendors/contractors handling PHI for CEs |
| Direct patients | Yes - interact directly with patients | No - work on behalf of CEs |
| Privacy Rule | Fully applicable | Applicable via BAA and HITECH |
| Security Rule | Fully applicable | Directly applicable since HITECH |
| Breach Notification | Must notify individuals, HHS, media | Must notify Covered Entity |
| BAA required | Must have BAAs with their BAs | Must sign BAAs with CEs and their own subcontractors |
| OCR enforcement | Direct enforcement | Direct enforcement (since HITECH) |
Real-World Examples
Covered Entity Examples
- Hospital: Provides medical services, bills insurance electronically → CE
- Solo physician practice: Treats patients, submits electronic claims → CE
- Pharmacy: Dispenses medication, processes electronic prescriptions → CE
- Health insurance company: Provides health coverage → CE
- Employer with self-insured health plan: The health plan component is a CE
Business Associate Examples
- EHR vendor: Hosts patient records for hospital → BA
- Medical billing company: Processes claims for physician practice → BA
- Cloud provider (AWS/Azure): Hosts healthcare applications → BA
- IT support company: Has remote access to systems with PHI → BA
- Shredding company: Destroys documents containing PHI → BA
- Healthcare attorney: Reviews medical records for litigation → BA
- Transcription service: Transcribes physician dictation → BA
Subcontractor Examples (BA's BA)
- SaaS vendor uses AWS: SaaS is BA; AWS is subcontractor (also a BA)
- Billing company uses clearinghouse: Billing company is BA; clearinghouse is BA
What if You're Neither?
Some organizations handle health-related information but aren't Covered Entities or Business Associates:
Not Covered by HIPAA
- Fitness apps: Collecting user-entered health data (not from CEs)
- Employers: Employment records (not health plan records)
- Schools: Student health records (covered by FERPA, not HIPAA)
- Life insurance: Not "health plans" under HIPAA
- Workers' compensation: Not covered as health plans
- Consumer health websites: User-provided information
Just because HIPAA doesn't apply doesn't mean you have no obligations. State laws, FTC regulations, and other privacy frameworks may still govern how you handle health information. And if you later contract with a Covered Entity, you could become a Business Associate.
Gray Areas
Some situations require careful analysis:
- Health apps that integrate with EHRs: Likely BA when receiving PHI from CE
- Wearable device companies: Depends on data source and relationships
- Research organizations: Complex rules around research uses
- Public health authorities: Special provisions apply
When in doubt, assume HIPAA applies and consult legal counsel. The penalties for getting it wrong are significant, and OCR takes a broad view of who qualifies as a Business Associate.