What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity

The terms covered entity and business associate are used extensively in HIPAA legislation, but what are the differences between a HIPAA business associate and HIPAA covered entity?

What Are HIPAA Covered Entities?

HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information for transactions covered by HHS standards.

Healthcare providers include hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies and nursing homes. Health plans include health insurance companies, company health plans, government programs that pay for healthcare, and HMO’s. Healthcare clearinghouses include transcription service companies that format data to make it compliant and organizations that process non-standard health information.

Even if an entity is a healthcare provider, health plan or healthcare clearinghouse, they are not considered a HIPAA covered entity if they do not transmit any information electronically for transactions that HHS has adopted standards. In such cases, the entity would not be required to comply with HIPAA Rules.

Legally, the HIPAA Privacy Rule only applies to covered entities, although since covered entities usually require the services of vendors, which may need access to PHI in order to perform certain tasks, the HIPAA Privacy Rule permits covered entities to share PHI with those companies.

Before PHI can be shared, vendors must agree to use the PHI only for the tasks that they have been contracted to perform. They must also agree not to disclose the PHI to other entities, and must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Covered entities must obtain ‘satisfactory assurances,’ in writing, in the form of a contract, that HIPAA Rules will be followed.

What is a HIPAA Business Associate?

A HIPAA business associate is any entity, be that an individual or a company, that is provided with access to protected health information to perform services for a HIPAA covered entity.

Software providers, whose solutions interact with systems that contain ePHI, are considered business associates, as are cloud service providers, cloud platforms, document storage companies (physical and electronic storage), collection agencies, medical billing companies, asset and document recycling companies, answering services, attorneys, actuaries, consultants, medical device manufacturers, transcription companies, CPA firms, third party administrators, medical couriers, and marketing firms. Business associates of covered entities must also comply with HIPAA Rules and can be fined directly by regulators for noncompliance.

Business associates of HIPAA covered entities must sign a contract with the covered entity, termed a business associate agreement or BAA, that outlines the responsibilities of the business associate and explains that the business associate is required to comply with HIPAA Rules.

It is the responsibility of a business associate to ensure that if any subcontractors are used, they too agree to comply with HIPAA Rules and sign a BAA. Information on when a business associate agreement is not required are detailed here.

While a business associate must agree to comply with HIPAA Rules and is responsible for ensuring the confidentiality, integrity, and availability of PHI in its possession, it is the responsibility of a covered entity to ensure that all business associates are complying with HIPAA Rules. If a business associate fails to comply with HIPAA Rules, it is the responsibility of the covered entity to take action to ensure noncompliance is corrected or the contract with the business associate is terminated.

The HHS has developed a tool that explains the differences between a HIPAA business associate and a HIPAA covered entity. You can use the tool to determine if you are a covered entity or a business associate and whether HIPAA Rules must be followed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.