Covered entities, business associates and their subcontractors as applicable, must comply with HIPAA Rules. If an entity does not meet the definition of a covered entity or a business associate, HIPAA Rules do not apply.

Covered Entities

By definition, any organization that collects, creates, or transmits PHI is known as a covered entity. Healthcare organizations that are considered covered entities include:

  • Covered healthcare providers such as chiropractors, clinics, dentists, doctors, nursing homes, pharmacies, and psychologists.
  • Health plans such as health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for healthcare (e.g., Medicare and Medicaid).
  • Health care clearinghouses such as billing services, repricing companies, community health management information systems, and value-added networks.

Business Associates

Business associates are vendors to a covered entity that create, receive, maintain, or transmit protected health information (PHI) while performing functions that involve PHI.

Business associates may include, but are not limited to, the following:

  • Lawyers
  • Accounting or consulting firms
  • Cloud service providers
  • File sharing vendors
  • Shredding service providers
  • Translator service providers
  • Consultants hired to conduct internal audits, perform coding reviews, etc.
  • Information technology vendors.

According to HHS, a covered entity can disclose PHI to an entity only to help carry out the covered entity's healthcare operations, not for the business associate’s independent use or purpose. For example, a business associate or a subcontractor cannot use the covered entity’s PHI for its own email communications.

Subcontractors

Similar to business associates, subcontractors are vendors to a business associate that create, receive, maintain, or transmit PHI on behalf of the business associate. For instance, a business associate may delegate a function, service, or activity to another entity to streamline its operations. Just as a covered entity may get help from a business associate, a business associate may get help from another entity. Under HIPAA, these entities are called business associate subcontractors.