A few years ago, I got a call from the CEO of a mid-sized billing company. His team had been processing claims for a hospital system for over a decade. He was convinced his company didn't need a HIPAA compliance program because — his words — "we're not a healthcare provider." Three months later, the Office for Civil Rights came knocking. The distinction between covered entity vs business associate wasn't academic for him anymore. It was a six-figure problem.

If you handle protected health information in any capacity, understanding which side of this line you fall on isn't optional. It determines your legal obligations, your liability exposure, and exactly what happens to your organization when something goes wrong.

Covered Entity vs Business Associate: What's the Actual Difference?

A covered entity is an organization that directly creates, receives, maintains, or transmits PHI as part of standard healthcare operations. Under the HIPAA statute, three types of organizations qualify: health plans, healthcare clearinghouses, and healthcare providers who conduct electronic transactions. That's it. If you're a hospital, physician practice, dental office, or health insurance company, you're a covered entity.

A business associate is any person or organization that performs a function or activity on behalf of a covered entity — and that function involves access to protected health information. Think billing companies, IT vendors, cloud hosting providers, shredding services, EHR platforms, and even certain law firms. If your work requires you to see, touch, store, or transmit PHI, you're a business associate under HIPAA.

The Department of Health and Human Services spells this out clearly in their official guidance on business associates. If you haven't read it lately, now is the time.

Before the HITECH Act of 2009, business associates lived in a gray zone. Covered entities were responsible for policing their vendors through contracts, but OCR had limited direct enforcement power over business associates themselves. That changed dramatically.

Today, business associates are directly liable under HIPAA for compliance with the Security Rule, certain provisions of the Privacy Rule, and Breach Notification requirements. OCR doesn't need to go through the covered entity to come after you. They will — and have — come directly.

The $4.3 Million Wake-Up Call for Business Associates

In 2016, Advocate Medical Group's parent organization, Advocate Health Care, paid $5.55 million to settle multiple HIPAA violations with OCR. But some of the most instructive enforcement actions have targeted business associates specifically.

Consider the case of CHSPSC LLC, a business associate subsidiary that provided IT services to Community Health Systems hospitals. In 2020, CHSPSC agreed to a $2.3 million settlement with OCR after a breach affecting over 6 million individuals. The root cause? Failure to implement proper security controls despite handling massive amounts of ePHI for dozens of covered entity hospitals. OCR made clear: being a business associate doesn't reduce your obligations. It may actually increase your exposure, because you typically handle data for multiple covered entities simultaneously.

You can review OCR's enforcement actions and resolution agreements on the HHS breach resolution page.

What Each Party Is Required to Do Under HIPAA

Covered Entity Obligations

  • Full Privacy Rule compliance: Covered entities must implement policies governing how PHI is used, disclosed, and protected across all operations.
  • Patient rights management: This includes handling access requests, amendment requests, and accounting of disclosures.
  • Workforce training: Every member of your workforce — from front desk staff to physicians — must receive HIPAA training. If you run a clinical practice, our HIPAA training for physicians and clinical environments covers exactly what your team needs.
  • Business Associate Agreements (BAAs): You must execute a BAA with every vendor who accesses PHI on your behalf. No handshake deals. No assumptions.
  • Breach notification to individuals and HHS: Covered entities bear the responsibility for notifying affected patients within 60 days of discovering a breach.

Business Associate Obligations

  • Security Rule compliance: Implement administrative, physical, and technical safeguards for all ePHI in your custody.
  • Risk analysis: You must conduct your own independent risk assessment — you can't piggyback on the covered entity's analysis.
  • Breach reporting to the covered entity: Business associates must report any breach of unsecured PHI to the covered entity without unreasonable delay, and no later than 60 days after discovery.
  • Subcontractor management: If you hire downstream vendors (subcontractors) who access PHI, you must have BAAs with them too. The chain doesn't stop at you.
  • Workforce training: Yes, business associates need to train their staff on HIPAA as well. OCR has been explicit about this.

The Business Associate Agreement: Where Most Organizations Get Sloppy

I've reviewed hundreds of BAAs over my career. At least a third of them were either outdated templates that predated the Omnibus Rule, or vague documents that didn't specify breach notification timelines, permitted uses and disclosures, or termination procedures.

A BAA isn't a checkbox. It's a legally binding document that defines the rules of engagement between a covered entity and a business associate. When a breach happens, the first thing OCR asks for is the BAA. If it's incomplete, missing, or was never signed, both parties have a problem.

Here's what your BAA must include at a minimum:

  • Permitted and required uses of PHI
  • Obligation not to use or disclose PHI beyond the agreement
  • Safeguards the business associate will implement
  • Breach notification procedures and timelines
  • Requirements for subcontractor agreements
  • Return or destruction of PHI upon contract termination

When Does a Vendor NOT Qualify as a Business Associate?

Not every vendor relationship triggers BAA requirements. The key question is whether the vendor accesses PHI. A janitorial company that cleans your office but never interacts with patient records? Not a business associate. A plumber who fixes a pipe in your server room but has no access to systems? Not a business associate.

But the moment that janitorial company starts handling shredding of paper records containing PHI, the relationship changes. Context matters. Function matters. When in doubt, treat the relationship as one that requires a BAA until you can document otherwise.

Can an Organization Be Both a Covered Entity and a Business Associate?

Yes. This happens more often than people realize. A hospital that is itself a covered entity may also provide billing services for a smaller physician practice, making it a business associate of that practice. The obligations layer on top of each other.

I've seen this create confusion during breach investigations, because the organization has dual roles and the compliance team didn't clearly separate the two sets of obligations. Map your relationships. Document which hat you're wearing for each arrangement.

What OCR Looks at During an Investigation

When OCR investigates a breach — whether it originated at a covered entity or a business associate — they follow a predictable pattern. They want to see:

  • A current, thorough risk analysis
  • Evidence of workforce training
  • Executed BAAs for all relevant vendor relationships
  • Documented policies and procedures
  • Evidence that you actually follow those policies, not just that they exist on a shelf

The difference between a covered entity investigation and a business associate investigation is mostly one of scope. For covered entities, OCR digs into Privacy Rule compliance and patient rights. For business associates, the focus shifts heavily toward Security Rule implementation and breach notification procedures. But both sides get scrutinized hard.

Your Next Steps: Get the Classification Right, Then Train Accordingly

If you're still unsure whether your organization is a covered entity, a business associate, or both, start with the HHS guidance. The HHS covered entity guidance page includes a decision tool that walks you through the classification.

Once you know your designation, align your training to your actual obligations. Generic HIPAA awareness isn't enough. Covered entities need training that addresses patient rights, minimum necessary standards, and disclosure rules. Business associates need training focused on safeguards, breach reporting chains, and subcontractor management. Our full HIPAA training catalog is built around these real-world distinctions.

The covered entity vs business associate distinction isn't a technicality. It's the foundation of every compliance program, every BAA negotiation, and every OCR investigation. Get it wrong, and you're building your entire compliance house on sand. Get it right, and every other piece of your HIPAA program falls into place with clarity.