Awareness article
Covered Entity vs Business Associate
A plain-language guide to who is directly regulated by HIPAA, when a vendor becomes a business associate, and why that distinction changes PHI software evaluation.
Short answer
A healthcare provider is usually the covered entity. A vendor becomes a business associate when it creates, receives, maintains, or transmits PHI on the provider's behalf. That determines whether a BAA and a fuller vendor review are required. It helps clinics turn HIPAA requirements into assigned owners, recurring reviews, dated evidence, and practical controls that can be explained during an OCR inquiry.
The healthcare provider is usually the covered entity. A vendor becomes a business associate when it creates, receives, maintains, or transmits PHI for that provider. Once that happens, the vendor review stops being a casual procurement decision and becomes a HIPAA decision.
What is a covered entity
For most readers here, the covered entity is the healthcare organization delivering care and performing HIPAA-regulated transactions. That entity owns the obligation to choose defensible workflows and vendors.
What is a business associate
A business associate is a third party that handles PHI on the covered entity’s behalf. That can include:
- collaboration tools
- file storage platforms
- forms software
- workflow automation tools
- consultants and service providers
Why this changes software buying
Once a vendor crosses into business-associate territory, your team needs a stronger review path:
- BAA availability
- in-scope services and plan tiers
- sharing and access controls
- exclusions and unsupported features
- operational fit for the workflow
Clinic operating guidance
Treat covered Entity vs Business Associate as an operational control, not only as a reference topic. A small clinic should name the person who owns the workflow, list the systems where PHI or compliance evidence may appear, and decide what must be recorded when the issue comes up. That record can be simple, but it should show the date, the people involved, the systems checked, and the reason the clinic chose its next step.
Start with the HIPAA rule that is closest to the work. Privacy Rule topics usually require the clinic to ask whether the use or disclosure is permitted, limited to the minimum necessary where that standard applies, and consistent with patient rights. Security Rule topics usually require an inventory of systems, access controls, audit activity, and risk management follow-up. Breach topics require a fact-based review of what happened, who received the information, whether PHI was actually viewed or acquired, and what mitigation changed the risk.
Evidence to keep
For covered Entity vs Business Associate, the evidence should be practical enough for a manager to maintain. Keep the policy or checklist version that was in effect, the staff or vendor responsible for the work, and the dated notes showing what was reviewed. If the issue involves policy ownership or recurring review, preserve the screenshots, logs, tickets, messages, or vendor records that explain the decision. If it involves staff follow-up or audit evidence, record who approved the action and when the follow-up should be checked again.
Use the page topic as the operating standard: define the owner, the affected systems, the review trigger, and the evidence the clinic will keep. Those points should be reflected in the clinic’s actual records. A page that says the clinic reviews access quarterly is weaker than a review log showing the user list, exceptions, removals, and owner sign-off. A policy that says vendors are reviewed is weaker than a vendor file with the BAA status, PHI use case, renewal date, and incident contact.
Review cadence
Review covered Entity vs Business Associate when the clinic changes software, adds a location, changes staffing, receives a patient complaint, identifies a suspected incident, or updates a vendor relationship. Annual review is useful, but it is not enough when the workflow changes sooner. The clinic should also connect this topic to training so front desk, billing, clinical, and management staff understand the examples they are most likely to see.
The goal is not to create a large binder. The goal is to leave enough evidence that another reviewer can understand what the clinic knew, what rule or source it relied on, what action it took, and what still needs follow-up. That is the level of documentation that makes HIPAA work repeatable in a small clinic instead of dependent on memory.
Related pages
Use When a Vendor Needs a BAA for a deeper vendor workflow, PHI Tools and Vendors for the guide hub, and the vendor BAA tracker to document which vendors cross that line. For the individual term definitions, see covered entity and business associate.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.
HIPAA Basics
Core definitions, rules, and operating concepts small clinics need before they can evaluate vendors or workflows.
What Is a Business Associate Agreement Under HIPAA?
Business associate agreement (BAA) explained: what it is, when HIPAA requires it, required contract elements under 45 CFR §164.504(e), and OCR penalty risk.
Accounting of Disclosures: HIPAA Definition for Small Clinics
Patients have a right to an accounting of PHI disclosures for purposes other than TPO for six years. 45 CFR § 164.528. Learn what must be tracked and reported.
Sources