HIPAA Covered Entity vs. Business Associate: What's the Difference?
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Covered entities are directly regulated by all HIPAA rules
- ✓ Business associates are regulated through their BAA plus direct Security Rule obligations under HITECH
- ✓ CEs include hospitals, physician practices, health insurers, Medicare/Medicaid plans
- ✓ BAs include EHR vendors, billing companies, cloud providers, IT support firms; subcontractors of BAs are also covered
Covered Entity Definition with Examples
A covered entity is one of three types of organizations defined in 45 CFR § 160.103: healthcare providers (those that transmit PHI electronically in connection with covered transactions), health plans, and healthcare clearinghouses. For a full breakdown with decision guidance, see the guide on when HIPAA applies.
Examples of covered entities:
- Healthcare providers: Hospitals, multi-specialty clinics, solo physician practices, dental offices, mental health practices, chiropractors, podiatrists, home health agencies, pharmacies, nursing facilities, physical therapy practices
- Health plans: Health insurance companies, HMOs, preferred provider organizations (PPOs), Medicare Advantage plans, Medicaid managed care plans, employer-sponsored group health plans, Medicare supplemental insurers, long-term care insurers
- Healthcare clearinghouses: Companies that process nonstandard health information into standard electronic formats for transmission — relatively rare as a standalone category
Business Associate Definition with Examples
A business associate is a person or entity that (1) performs functions or activities on behalf of a covered entity and (2) in doing so creates, receives, maintains, or transmits PHI. The HITECH Act also covers subcontractors of business associates who handle PHI on the BA's behalf.
Examples of business associates:
- Technology vendors: EHR/EMR vendors, practice management software, patient portal providers, cloud storage and hosting providers, data backup services
- Administrative vendors: Medical billing and coding companies, claims processing companies, revenue cycle management firms
- Professional services: Healthcare attorneys who review PHI, accountants who access financial records containing PHI, consultants who analyze patient data
- Clinical support vendors: Transcription services, laboratory companies, medical device vendors with remote monitoring access, telehealth platform providers
- Infrastructure: IT managed service providers with PHI system access, network security firms, disaster recovery vendors
The BA-Subcontractor Chain
The HITECH Act extended HIPAA's reach down the vendor chain. A business associate must obtain BAAs from any subcontractors that will create, receive, maintain, or transmit PHI on the BA's behalf. These are called subcontractor BAAs. See subcontractor BAA requirements for a complete guide.
This creates a chain of accountability: the covered entity has a BAA with its EHR vendor (BA), the EHR vendor has a BAA with its cloud infrastructure provider (subcontractor BA), and the cloud provider has a BAA with any of its own subprocessors that store or process PHI. Each link in the chain must be documented.
Hybrid Entities
Some organizations perform both covered and non-covered functions. A university that operates a hospital is the classic example: the university itself is not a covered entity, but its healthcare components are. HIPAA allows these "hybrid entities" to designate their healthcare components as the covered entity and establish firewalls so that non-covered components are not subject to HIPAA's requirements.
Hybrid entity status must be formally designated, and the covered healthcare component must implement full HIPAA compliance. Non-covered components of the same organization are not automatically subject to HIPAA — but PHI must not flow from covered components to non-covered components without appropriate safeguards.
Covered Entity vs. Business Associate: Comparison
| Feature | Covered Entity | Business Associate |
|---|---|---|
| Examples | Hospital, physician practice, health insurer, Medicare plan | EHR vendor, billing company, cloud provider, law firm with PHI |
| Primary HIPAA obligations | Privacy Rule, Security Rule, Breach Notification Rule, BAA requirements | Security Rule, BAA obligations, breach notification to CE |
| Who they contract with | Must sign BAAs with all BAs who access PHI | Must sign BAAs with subcontractors who access PHI |
| Enforcement mechanism | Direct OCR enforcement | Direct OCR enforcement (post-HITECH) + BAA breach remedies |
| Notice of Privacy Practices | Required (must provide to patients) | Not required |
Frequently Asked Questions
What is the difference between a HIPAA covered entity and a business associate?
A covered entity is a healthcare provider, health plan, or clearinghouse that directly handles patient health information as part of its core function. A business associate is any person or organization that performs services for a covered entity involving access to PHI — such as EHR vendors, billing companies, and cloud providers. Covered entities are directly regulated by all HIPAA rules; business associates are subject to the Security Rule and their BAA obligations, and since HITECH are directly liable for breaches they cause.
Is an EHR vendor a covered entity or a business associate?
An EHR vendor is a business associate, not a covered entity. The vendor provides software and services to healthcare providers who are the covered entities. The EHR vendor creates, receives, maintains, and transmits PHI on behalf of its covered entity customers, making it a BA. The EHR vendor must sign a BAA with each covered entity client before accessing or storing their patient data.
Do business associates need to sign BAAs with their own subcontractors?
Yes. Under the HITECH Act, business associates must obtain BAAs from any subcontractors that will create, receive, maintain, or transmit PHI on the BA's behalf. This requirement creates a chain of BAAs that must extend through all layers of the vendor relationship. A BA who fails to obtain a subcontractor BAA is in violation of HIPAA and in breach of its own BAA with the covered entity.
What is a hybrid entity under HIPAA?
A hybrid entity is an organization that performs both covered and non-covered functions under HIPAA. A university operating a hospital is the classic example. Hybrid entities may designate their healthcare components as the covered portion and maintain separation between covered and non-covered functions. The covered components must comply with all HIPAA requirements; the non-covered components are not required to — but PHI must not flow between them without appropriate controls.
Need a BAA Between a Covered Entity and Business Associate?
Generate a complete HIPAA-compliant BAA for any vendor relationship in minutes — free, no account required.