If you've encountered the question "the enforcement rule applies to covered entities only — true or false" on a compliance quiz, you might assume the answer is true. After all, HIPAA was originally built around covered entities. But the correct answer is false — and misunderstanding this point has cost business associates millions of dollars in civil money penalties and settlement agreements with the Office for Civil Rights (OCR).
Why "The Enforcement Rule Applies to Covered Entities Only" Is False
Before the HITECH Act of 2009 and the subsequent Omnibus Rule of 2013, business associates operated in a regulatory gray zone. Their HIPAA obligations were primarily contractual — enforced through business associate agreements (BAAs) rather than direct federal action. That changed dramatically.
The Omnibus Rule amended 45 CFR Part 160, Subparts C through E — the HIPAA Enforcement Rule — to make business associates directly liable for compliance with applicable provisions of the Privacy Rule and Security Rule. OCR can now investigate business associates, impose civil money penalties, and negotiate resolution agreements with them just as it does with covered entities.
So the statement that the enforcement rule applies to covered entities only is unequivocally false. Both covered entities and business associates fall under the enforcement rule's jurisdiction.
How OCR Has Enforced HIPAA Against Business Associates
This isn't theoretical. OCR has pursued enforcement actions directly against business associates multiple times, establishing clear precedent that these organizations bear independent regulatory risk.
- Business Associate Settlement — 2018: Fresenius Medical Care North America agreed to a $3.5 million settlement after five separate breach incidents. OCR cited failures in risk analysis and device-level encryption — Security Rule requirements that apply directly to business associates.
- Business Associate Penalty — 2020: CHSPSC LLC, a business associate providing IT services to Community Health Systems hospitals, paid $2.3 million to settle allegations that it failed to conduct an enterprise-wide risk analysis and implement proper information system activity review controls.
- 2024 Enforcement Trends: OCR's enforcement activity continues to target business associates that handle protected health information (PHI) without adequate safeguards. Director Melanie Fontes Rainer has repeatedly stated that business associates "are not exempt from HIPAA enforcement."
These cases prove that OCR treats business associates as independently accountable entities under the enforcement rule — not merely as extensions of covered entities.
What the Enforcement Rule Actually Covers
The HIPAA Enforcement Rule (45 CFR Part 160, Subparts C, D, and E) establishes the procedures and penalties for HIPAA violations. Here's what it governs for both covered entities and business associates:
- Compliance and investigation procedures: How OCR receives complaints, conducts investigations, and performs compliance reviews.
- Civil money penalties: The four-tier penalty structure ranging from $137 to $68,928 per violation (as adjusted for inflation), with annual caps up to $2,067,813 per identical provision violated.
- Hearing procedures: The administrative hearing process for entities that contest a penalty determination.
The penalty tiers apply based on the level of culpability — from "did not know" to "willful neglect, not corrected" — and they apply identically whether the respondent is a covered entity or a business associate.
The Minimum Necessary Standard and Shared Liability
One area where covered entities and business associates share enforcement exposure is the minimum necessary standard. Under the Privacy Rule, both must limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose.
When a business associate over-accesses or improperly discloses protected health information, both the business associate and the covered entity that engaged them may face scrutiny. OCR routinely examines whether the covered entity conducted adequate due diligence, maintained a current BAA, and monitored the business associate's compliance practices.
This shared liability model means your organization cannot outsource HIPAA risk simply by signing a BAA. If your business associate suffers a breach and you failed to perform a proper risk analysis of that relationship, your organization, as the covered entity, is exposed as well.
Where Workforce Training Fits Into Enforcement Readiness
Whether your organization is a covered entity or a business associate, one of the most common deficiencies OCR identifies during investigations is inadequate workforce training. Under 45 CFR § 164.530(b), covered entities must train all workforce members on HIPAA policies and procedures. Under 45 CFR § 164.308(a)(5), the Security Rule requires security awareness training for both covered entities and business associates.
In virtually every resolution agreement I've reviewed, OCR includes corrective action plan requirements for enhanced training programs. This isn't coincidental — it reflects OCR's position that training failures are root causes, not symptoms.
If your workforce hasn't completed current HIPAA training and certification, your organization lacks the foundational defense that OCR expects to see during any investigation. Both your covered entity staff and your business associate partners need documented, role-appropriate training.
Three Steps to Align Your Organization With Enforcement Realities
1. Audit Your Business Associate Relationships
Review every vendor, contractor, and subcontractor that creates, receives, maintains, or transmits PHI on your behalf. Confirm that executed BAAs are current and reflect the Omnibus Rule requirements — not outdated pre-2013 language.
2. Conduct a Comprehensive Risk Analysis
OCR's most frequently cited deficiency is the failure to perform an adequate, enterprise-wide risk analysis under 45 CFR § 164.308(a)(1). This applies to both covered entities and business associates. Document the analysis thoroughly and update it whenever your environment changes.
3. Implement Documented Workforce Training
Every workforce member — from front-desk staff to C-suite executives — needs HIPAA training that covers the Privacy Rule, Security Rule, Breach Notification Rule, and your organization's specific policies. Explore HIPAA Certify's workforce compliance program to ensure your training meets OCR expectations and generates the documentation you'll need during an investigation.
Stop Treating Business Associates as Outside the Enforcement Rule
The notion that the enforcement rule applies to covered entities only is a pre-2013 relic that persists in outdated training materials and poorly written quiz questions. The regulatory reality since the Omnibus Rule is clear: business associates face direct enforcement, independent penalties, and OCR investigation authority.
Your compliance program — whether you're a covered entity, a business associate, or both — must reflect this fact. Update your Notice of Privacy Practices, revise your BAAs, train your workforce, and treat enforcement readiness as a shared responsibility across every entity that touches PHI.