
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

The Difference Between A Business Associate And A Covered Entity

The terms covered entity and business associate are used throughout the HIPAA Rules, but what is the difference between a HIPAA business associate and a HIPAA covered entity, and why does it matter which one an organization is?

What Are HIPAA Covered Entities?

HIPAA covered entities are health plans, healthcare clearinghouses, and healthcare providers that electronically transmit health information in connection with transactions for which the Department of Health & Human Services (HHS) has adopted standards (for example, claims, eligibility inquiries, and payment and remittance advice).

Healthcare providers include hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies, and nursing homes. Health plans include health insurance companies, employer-sponsored group health plans, HMOs, and government programs that pay for healthcare such as Medicare and Medicaid. Healthcare clearinghouses are organizations that process non-standard health information received from another entity into a standard format or data content, or vice versa; billing services and repricing companies that perform this function are typical examples.

Even if an entity is a healthcare provider, it is not a HIPAA covered entity if it does not transmit any health information electronically in connection with a transaction for which HHS has adopted standards. A small practice that bills only on paper, or that accepts only cash payments and never submits claims, would fall into this category. Such an entity is not required to comply with the federal HIPAA Rules, but it must still comply with any applicable state privacy and security laws, and it may become a covered entity the moment it begins conducting a standard transaction electronically.


HIPAA covered entities often require the services of third-party service providers to operate effectively. When a service is provided for, or on behalf of, a covered entity for an activity or function regulated by the HIPAA Administrative Simplification Regulations, and the service involves the creation, receipt, maintenance, or transmission of Protected Health Information (PHI), the third-party service provider becomes a business associate and certain provisions of the Privacy Rule, and the whole of the Security Rule, apply to it directly.

Before PHI can be shared, business associates must agree to use and disclose the PHI only for the functions they have been contracted to perform (or as otherwise required by law), and must implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of the PHI. Covered entities must obtain these 'satisfactory assurances' in writing, in the form of a contract or other written arrangement, before any PHI is disclosed to the business associate.

What is a HIPAA Business Associate?

A HIPAA business associate is any entity, whether an individual or a company, that creates, receives, maintains, or transmits PHI in order to perform a regulated function, activity, or service for, or on behalf of, a HIPAA covered entity, and that is not a member of the covered entity's workforce.

Software providers whose solutions store, process, or transmit ePHI are business associates, as are cloud service providers, document storage companies (physical and electronic), collection agencies, medical billing companies, asset and document disposal or recycling companies, answering services, attorneys, actuaries, consultants, medical device manufacturers that receive PHI (for example, for remote monitoring or device servicing), transcription companies, CPA firms, third party administrators, medical couriers, and marketing firms. What makes each of these a business associate is not the type of company but the fact that it handles PHI on the covered entity's behalf. Since the HITECH Act and the 2013 Omnibus Final Rule, business associates are directly liable for compliance with the applicable HIPAA Rules and can be fined directly by HHS' Office for Civil Rights for non-compliance, independently of any action taken against the covered entity.

A business associate must enter into a contract with the covered entity, termed a business associate agreement or BAA, that sets out the permitted and required uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, to report breaches and security incidents to the covered entity, and to return or destroy PHI at the end of the engagement, and that makes clear the business associate is required to comply with the HIPAA Rules.

It is the responsibility of the business associate to ensure that any subcontractors that create, receive, maintain, or transmit PHI on its behalf also agree, in a BAA of their own, to the same restrictions and safeguards; these subcontractors are themselves business associates. A BAA is not required in every case where PHI changes hands: for example, disclosures by a covered entity to a healthcare provider for treatment do not require one, and neither do organizations such as the postal service or an internet service provider that merely transport PHI without storing it or accessing it beyond what is needed for transmission (the so-called conduit exception, which HHS interprets narrowly).

While a business associate must agree to comply with the HIPAA Rules and is responsible for protecting the confidentiality, integrity, and availability of the PHI in its possession, the covered entity remains responsible for its own PHI and for the terms of the BAA. A covered entity is not required to actively monitor every business associate, but if it knows of a pattern of activity or practice by a business associate that constitutes a material breach or violation of the BAA, it must take reasonable steps to cure the breach or end the violation and, if those steps are unsuccessful, terminate the contract.

HHS has published a Covered Entity Decision Tool that walks through the definitions of a HIPAA business associate and a HIPAA covered entity. You can use the tool to determine whether your organization is a covered entity or a business associate and, therefore, whether and to what extent the HIPAA Rules apply to it.

What are the Differences between a HIPAA Business Associate and a HIPAA Covered Entity? FAQs

Are there exceptions to the definition of a HIPAA-covered entity?

Yes. The definition of a health plan excludes employer group health plans with fewer than 50 participants that are administered solely by the employer, and government-funded programs whose principal purpose is something other than providing or paying for healthcare (e.g., the food stamp program). Student health and treatment records held by educational institutions that are subject to FERPA are excluded from the definition of PHI. An educational institution that also provides healthcare to the public, such as a university that operates a hospital, performs both covered and non-covered functions and may designate itself a hybrid entity, applying the HIPAA Rules only to its healthcare components.

If a cloud service provider is used to store encrypted ePHI and does not "interact" with the ePHI, is the cloud service provider still a business associate?

Yes. HHS' cloud computing guidance is explicit that a cloud service provider that stores encrypted ePHI is a business associate even if it does not hold the decryption key and cannot view the data. The test is whether the provider creates, receives, maintains, or transmits PHI on behalf of a covered entity or business associate, not whether it can read it. Encryption protects confidentiality, but the Security Rule also requires that ePHI remain available and intact; a provider that could lose or corrupt the ciphertext, or fail to restore it, still holds ePHI and must comply with the applicable Administrative, Physical, and Technical Safeguards and sign a BAA.

Are consultants employed by a covered entity regarded as business associates?

Employees of a covered entity are members of the covered entity's workforce and are therefore not business associates. The term "workforce" in HIPAA is not limited to employees: it covers any person who, in the performance of work for the covered entity, is under the direct control of the covered entity, whether or not that person is paid by the covered entity. A consultant who works on-site under the covered entity's direct control can therefore be treated as a workforce member, whereas an independent consultant who receives PHI but works under their own direction is a business associate and needs a BAA. Because workforce status brings the individual inside the covered entity's compliance program, HIPAA training must be provided to all members of the workforce, not only to paid employees.

Does a healthcare provider have to sign a BAA with Google to use Gmail?

This depends on whether communications sent via Gmail include PHI. If PHI is disclosed in an email sent from a Gmail account (the provider's own account, not a patient's Gmail address that the provider sends to), a BAA must be in place with Google. The same applies if the healthcare provider uses Google's productivity tools (Drive, Chat, Sheets, etc.) to store PHI or to share it between members of the provider's workforce or with business associates. Google offers its BAA for paid Google Workspace accounts, not for free consumer Gmail, so a provider using a personal Gmail account for PHI cannot obtain the required assurances and should not use it for that purpose.

Can a covered entity be a business associate of another covered entity?

Yes. If, for example, Hospital A provides a service for Hospital B that involves the disclosure of PHI, such as running Hospital B's billing or laboratory testing, then Hospital A, although a covered entity in its own right, is acting as a business associate of Hospital B and a BAA is required. There are exceptions: no BAA is needed when the disclosure is to a healthcare provider for the treatment of a patient, when both hospitals participate in the same "organized health care arrangement" (for example, a hospital and the physicians with privileges there, who share PHI for joint activities), or when they are part of an "affiliated covered entity", in which legally separate covered entities under common ownership or control designate themselves a single covered entity for HIPAA purposes.

Who is a HIPAA Business Associate?

A HIPAA Business Associate is any third-party person or organization that provides a service for or on behalf of a Covered Entity (or of another Business Associate) when the service involves the creation, receipt, maintenance, or transmission of Protected Health Information. This definition applies even when the Business Associate cannot read the PHI because it is encrypted and the Covered Entity holds the only decryption key. For example, a "zero-knowledge" storage or backup solution that holds encrypted PHI is still a Business Associate under HIPAA, because it maintains the PHI and is responsible for its availability and integrity.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
