HIPAA Basics | 4 min read | Video

HIPAA Covered Entity or Business Associate - Which are You?

A quick video and written guide for deciding whether your organization is acting as a HIPAA covered entity, business associate, or both.

By Chris Chobot - Published June 25, 2026

A practical explanation of how to tell whether an organization is acting as a HIPAA covered entity, a business associate, or both.


1. Start with the role you are playing

The useful starting point is not the organization name, job title, or industry label. Start with the role your organization is playing in the relationship where patient information is handled.

Ask whether you are handling patient information for your own healthcare operations, or whether you are handling it for another healthcare organization. HIPAA can treat those roles differently, and the same organization can play more than one role depending on the relationship.

  • Handling patient information for your own healthcare services points toward covered entity analysis.
  • Handling PHI for someone else's covered entity workflow points toward business associate analysis.
  • Some organizations need to evaluate both roles.

2. When to think covered entity

Health plans, health care clearinghouses, and many health care providers can be covered entities under HIPAA. For providers, one practical signal is whether the organization furnishes healthcare and conducts standard healthcare transactions electronically, such as insurance claims.

Medical practices, dental offices, behavioral health clinics, pharmacies, chiropractors, and similar providers often need to ask this question early because the answer changes which privacy, security, and documentation work applies.

  • Do you provide healthcare as part of your own services?
  • Do you handle patient information for those services?
  • Do you send standard healthcare transactions electronically, such as claims?

3. When to think business associate

A business associate is usually a vendor or service provider that creates, receives, maintains, or transmits PHI for a covered entity. Examples can include medical billing companies, healthcare IT providers, EHR vendors, answering services, consultants, cloud storage providers, and claims processors.

The question is relationship-specific. A general vendor label is not enough by itself; the practical question is whether the service involves PHI for a covered entity.

  • Do you create, receive, maintain, or transmit PHI for another healthcare organization?
  • Are you supporting a covered entity's healthcare, payment, operations, or related workflow?
  • Would the relationship need a Business Associate Agreement if PHI is involved?

4. You can be both

The answer is not always either/or. A clinic may be a covered entity for its own patients. If that same organization also provides a service to another covered entity and handles PHI for that service, it may also be acting as a business associate in that relationship.

That is why the better question is not simply, "What type of company are we?" It is, "What role are we playing in this relationship?"

5. Use the answer to start in the right place

HIPAAList asks how HIPAA applies to your organization because that answer changes the readiness path. It can affect which documents are useful, which vendors matter, which BAA records need attention, and what work should come next.

This page is educational and is not legal, regulatory, or cybersecurity advice. If the answer is unclear or a relationship has meaningful legal or contract consequences, involve qualified counsel or compliance advisors.

  • Covered entity: you provide healthcare, pay for healthcare, or process healthcare transactions.
  • Business associate: you handle PHI for another covered entity.
  • Both: both roles apply in different relationships.

Transcript

Are you a HIPAA covered entity, a business associate, or both? That last option is the one a lot of people miss.

The quick way to think about it is to start with the role you are playing. Are you handling patient information for your own healthcare organization, or are you handling it for someone else?

If you are a medical practice, dental office, behavioral health clinic, pharmacy, chiropractor, or similar provider, you may be a covered entity, especially if you send standard healthcare transactions electronically, like insurance claims.

The first question is whether you provide healthcare and handle patient information as part of your own services. If yes, think covered entity.

HIPAA also cares about who you help. A business associate is usually a vendor or service provider that handles PHI for a covered entity, such as a medical billing company, healthcare IT provider, EHR vendor, answering service, consultant, cloud storage provider, or claims processor.

The second question is whether you create, receive, maintain, or transmit PHI for another healthcare organization. If yes, think business associate.

You can be both. A clinic may be a covered entity for its own patients, but if that same organization provides a service to another covered entity and handles PHI for that service, it may also be acting as a business associate.

The better question is not what type of company you are. It is what role you are playing in this relationship.

Here is the quick test: do you provide healthcare, pay for healthcare, or process healthcare transactions? Think covered entity. Do you handle PHI for another covered entity? Think business associate. Do both apply? Then you may need to treat your organization as both.

That is why the HIPAAList Organization Profile starts by asking what kind of organization you are. Your answer changes what applies to you, which documents you need, which vendors matter, and what actions should come next.

You are not trying to write a legal memo. You are trying to start your HIPAA program in the right place.
