
Who needs to be HIPAA-compliant? Covered entities vs. business associates

The Health Insurance Portability and Accountability Act (HIPAA) applies to organizations in the healthcare industry that handle protected health information (PHI). The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces the HIPAA rules to ensure that organizations protect the privacy and security of individuals’ health information.
Although HIPAA applies to many entities, the specific requirements vary depending on whether an organization is a covered entity or a business associate. Knowing where your organization fits helps you focus on the right obligations, close compliance gaps, and avoid violations and fines.
This guide explains how HIPAA applies to each entity type so you can better understand your responsibilities within the healthcare ecosystem.
Who needs HIPAA compliance?
Any organization that creates, receives, maintains, or transmits PHI as a covered entity or business associate is required to comply with HIPAA. PHI is individually identifiable health information about a patient’s past, present, or future physical or mental health condition, the care provided to them, or payment for that care. Information only counts as PHI when it is created, received, maintained, or transmitted by a covered entity or business associate. Examples include:
- Identifiers such as names, Social Security numbers (SSNs), and dates of birth when they are attached to health information
- Medical records
- Test results
- Health insurance and billing information
A common source of confusion is when personally identifiable information (PII) becomes PHI. The distinction turns on whether the data is linked to an individual's health information, which in practice is a broad concept covering health conditions, the provision of care, and payment for care. For instance, an SSN on its own is PII, not PHI. Once it is combined with health-related data such as test results, diagnoses, or insurance details, the whole record becomes PHI, because the health information is now tied to an identifiable individual.
If PHI isn’t properly secured, it can be stolen, sold, misused, or encrypted and held for ransom by malicious actors. Complying with HIPAA helps protect against these risks.
Determining whether an organization falls under HIPAA’s scope isn’t always straightforward. The first step is to inventory your organization’s assets and activities and examine whether you handle PHI in any form. The Privacy Rule covers PHI in every medium, including paper records and oral communications, while the Security Rule applies specifically to electronic PHI (ePHI).
If you do, the next step is to identify how HIPAA applies to you. HIPAA classifies organizations into two categories, which define your responsibilities and specific compliance requirements. These are:
- Covered entities
- Business associates

What are covered entities under HIPAA?
Covered entities are the individuals, organizations, and institutions that HIPAA regulates directly: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with transactions for which HHS has adopted standards, such as claims, eligibility inquiries, and payment.
These entities are divided into three categories:
- Healthcare providers: Individuals or organizations that deliver medical or health services and bill or are paid for those services. A provider is a covered entity only if it transmits health information electronically in connection with a standard transaction, either directly or through a billing service acting on its behalf. A practice that handles all of its billing on paper is not a covered entity.
- Health plans: Public and private organizations that provide or pay for the cost of medical care.
- Healthcare clearinghouses: Organizations that sit between providers and payers and convert nonstandard health information into standardized formats, and vice versa. This is needed when providers and health plans use different software and must exchange information.
Here are examples of individuals and organizations in each category, as described in HHS guidance:
- Healthcare providers: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies
- Health plans: health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare and Medicaid
- Healthcare clearinghouses: billing services, repricing companies, and community health management information systems that process nonstandard data
If you’re still uncertain whether your organization qualifies as a covered entity, you can use the Covered Entity Decision Tool developed by the Centers for Medicare & Medicaid Services.
What are the obligations of covered entities?
All organizations classified as covered entities must comply with HIPAA’s key rules, the most notable of which are:
- Privacy Rule: Establishes standards for how PHI in any form can be used and disclosed, and gives patients rights over their health information, such as the right to access and request amendment of their records. One of its core principles is the Minimum Necessary standard, which limits uses, disclosures, and requests of PHI to the minimum needed to accomplish the intended purpose.
- Security Rule: Requires covered entities to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI against unauthorized access, alteration, or destruction, starting with a documented risk analysis.
- Breach Notification Rule: Defines what constitutes a breach of unsecured PHI and requires covered entities to notify affected individuals, HHS, and in some cases the media, without unreasonable delay and no later than 60 calendar days after the breach is discovered.
What are HIPAA business associates?
A HIPAA business associate (BA) is a person or organization that creates, receives, maintains, or transmits PHI while providing services to or performing functions on behalf of a covered entity. These services include claims processing, billing, data analysis, IT services, and more.
While BAs help covered entities carry out their healthcare operations, they are third parties and not part of the covered entity’s workforce. For example, a company that manages medical billing for a hospital is a BA because it handles PHI on the hospital’s behalf, even though its employees don’t work at the hospital.
Other examples of entities that qualify as business associates under HIPAA include:
- Cloud service providers that store PHI
- IT support vendors with access to PHI
- Risk management consultants that help covered entities reduce compliance risks
- Data analysis firms with access to health information
- Legal firms that handle health information
However, not all third parties that handle PHI are business associates. Disclosures between covered entities for treatment, payment, and healthcare operations (TPO), such as a provider sending PHI to a laboratory or specialist for treatment, do not create a business associate relationship. Entities that merely transport PHI without routinely accessing its content, such as the U.S. Postal Service, couriers, and internet service providers, fall under the narrow conduit exception and are not business associates either. HHS reads that exception narrowly: a cloud provider that stores ePHI is a business associate even if the data is encrypted and the provider never holds the decryption key.
What are the obligations of business associates?
Since the HITECH Act, business associates are directly liable under HIPAA for complying with the Security Rule, for notifying the covered entity of breaches of unsecured PHI, and for any use or disclosure of PHI that the Privacy Rule or their contract does not permit. The other Privacy Rule responsibilities they take on depend on the functions they perform for the covered entity, which must be spelled out in a business associate agreement (BAA).
Understanding HIPAA business associate agreements
A business associate agreement is a legally binding contract signed between a covered entity and its business associate. It outlines each party’s responsibilities for protecting and managing PHI, including how PHI is created, received, maintained, and transmitted.
A BAA must include several provisions required by the Privacy Rule, including:
- Permitted and required uses and disclosures of PHI by the BA
- Appropriate safeguards to prevent unauthorized use or disclosure
- Procedures for reporting any improper use, disclosure, or breach of unsecured PHI to the covered entity
- Compliance with Privacy Rule obligations when the BA performs functions on behalf of the covered entity
- A requirement that any subcontractors handling PHI agree to the same restrictions and conditions
- Authorization for the covered entity to terminate the contract if the BA violates a material term
- Return or destruction of PHI at termination of the contract, where feasible
You can review additional provisions that may be included in a BAA by referring to the sample business associate agreement provisions published by HHS.
The contractual obligations of BAs also extend to any subcontractors they work with that handle PHI. For example, if a healthcare billing company (a business associate) outsources its data storage to a cloud service provider, that cloud provider must sign its own BAA with the billing company. Subcontractors are held to the same HIPAA standards and must agree to follow the applicable requirements and safeguards.
Signing a BAA doesn’t automatically make either party HIPAA compliant. Business associates must continuously implement and demonstrate the safeguards and practices the regulation requires. Similarly, covered entities are responsible for conducting due diligence, including requesting and reviewing evidence that their BAs comply with HIPAA requirements.
How to ensure HIPAA compliance as a covered entity or business associate
Here are the steps you need to take to achieve HIPAA compliance, regardless of your entity type:
- Understand your HIPAA obligations: Based on your classification, identify which parts of the regulation apply to you. For example, covered entities must comply with the Privacy Rule in full, while BAs are directly bound by the Security Rule and breach reporting requirements and take on the Privacy Rule obligations spelled out in their business associate agreement.
- Perform a gap analysis: Based on your role under HIPAA, evaluate your current policies and practices to identify areas where you don’t meet the mandatory requirements.
- Draft and sign a BAA: If you work with other entities that handle PHI on your behalf, outline and sign a BAA to define each party’s responsibilities for safeguarding that information.
- Monitor HIPAA compliance: Regularly review your security measures, staff training, and contracts to ensure ongoing adherence to HIPAA rules.
HIPAA’s broad scope and the room it leaves for interpretation can make compliance challenging for both covered entities and business associates. To streamline the process, a best practice is to use a HIPAA compliance automation solution.
These tools can automate tasks such as risk assessments, policy drafting, evidence collection, reporting, and more. In doing so, they help organizations save time, reduce human error, and improve audit readiness.
Build trust and meet HIPAA standards faster with Vanta
Vanta is a robust compliance and trust management solution that helps companies accelerate HIPAA compliance and safeguard PHI, all within a single platform.
Vanta automates most of the evidence collection needed for HIPAA compliance, allowing your teams to focus on higher-impact security tasks and close deals.
The platform offers a dedicated HIPAA compliance product that delivers numerous time-saving features, including:
- Step-by-step guides and resources for becoming HIPAA compliant
- Integration with 375+ platforms
- Real-time security monitoring and instant security reports
- Pre-built policy templates
- Security training management and gap analysis tools
If you already comply with other frameworks such as SOC 2, ISO 27001, and HITRUST, Vanta’s cross-mapping feature can expedite HIPAA compliance by helping you reuse overlapping controls.
Schedule a custom demo to explore how Vanta can accelerate your journey to HIPAA compliance.
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.