Covered Entities and Business Associates

The federal HIPAA privacy regulations apply to what is termed “covered entities.” A covered entity is a health care provider, health plan, or health care clearinghouse. Health care providers include physicians, hospitals, and clinics, as well as other types of providers, who transmit health information in electronic form in connection with a transaction for which HHS has adopted a standard. A decision tool is available to help determine if an individual or organization is a covered entity.  

Covered entities are bound by the HIPAA requirements for their own activities, as well as those organizations with which they contract for essential functions, such as telehealth platforms, billing, collections, medical record storage, etc. These entities are called “business associates.” Covered entities must have a business associate contract or other agreement, which requires the business associate to also be in compliance with HIPAA.  

HIPAA requires covered entities to do the following: 

• Assign HIPAA responsibility to a designated person to serve as the HIPAA privacy and security officer
• Know the use and disclosure rules for protected health information (PHI)
• Know the rights of individual patients
• Implement and maintain written Privacy and Security policies
• Develop compliant forms such as authorizations to release PHI and notice of privacy practices
• Execute appropriate business associate agreements
• Perform and document a risk analysis of e-PHI
• Implement required safeguards
• Train workforce
• Respond immediately to any violation or breach
• Provide notice of a data breach to affected individuals, the Secretary of the Department of Health and Human Services, and, in some cases, the media
• Document actions
• Comply with State laws, including those that have more stringent privacy protections 

Additional Resources 

• See HHS materials for covered entities, including Fast Facts for Covered Entities and Communicating with a Patient's Family, Friends, or Others Involved in the Patient's Care.
• The HHS webpage, Direct Liability of Business Associates, covers HIPAA violations for which business associates are directly liable. 

Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney.