17-Step HIPAA Compliance Series
Know Your HIPAA Status — Covered Entity, Business Associate, Hybrid, or Vendor? (Step 1 of 17)
Step 1 of our 17-step HIPAA compliance series. Determine whether you are a Covered Entity, Business Associate, Hybrid Entity, or Vendor — and what that means for your obligations.

Before you build compliance, know what HIPAA actually requires of you
Every HIPAA obligation you carry — from risk assessments to breach notifications to workforce training — is determined by a single upstream question: What is your entity status under HIPAA?
Get this wrong and you either over-invest in controls that do not apply to you, or — far worse — miss obligations that absolutely do. OCR does not grade on intent. They grade on whether you met the requirements that apply to your classification.
This is Step 1 of our 17-step HIPAA compliance roadmap because everything that follows depends on it.
The four HIPAA entity types
HIPAA does not apply uniformly to every organization that touches health data. The law creates distinct categories, each with different scopes of obligation.
1. Covered Entity
A Covered Entity is any organization that electronically transmits health information in connection with a HIPAA-covered transaction. In practice, this means three types of organizations:
- Healthcare providers who conduct electronic transactions — billing, eligibility checks, referrals, claims. If your dental practice submits electronic claims to an insurer, you are a Covered Entity. Period.
- Health plans — insurers, HMOs, employer-sponsored health plans, Medicare, Medicaid.
- Healthcare clearinghouses — entities that process nonstandard health information into standard formats.
Most independent practices reading this fall squarely into the first category. If you bill electronically, you are a Covered Entity. The full weight of the Privacy Rule, Security Rule, and Breach Notification Rule applies to you.
2. Business Associate
A Business Associate is any person or organization that performs a function or activity on behalf of a Covered Entity that involves access to PHI. Common examples:
- Your IT managed service provider
- Your cloud-based EHR vendor
- Your billing company
- Your answering service
- Your shredding company
- Your email hosting provider (if used for PHI)
Business Associates are directly liable under HIPAA since the 2013 Omnibus Rule. They must comply with the Security Rule, the Breach Notification Rule, and relevant portions of the Privacy Rule. They must have a signed Business Associate Agreement (BAA) with every Covered Entity they serve.
If your practice uses an outside billing service, that service is your Business Associate. If they experience a breach, you are both on the hook.
3. Hybrid Entity
A Hybrid Entity is an organization that performs both covered and non-covered functions. A university with a medical school is a classic example — the medical center is covered, the engineering department is not.
For independent practices, hybrid status is less common but not impossible. If your organization has a division that never touches PHI and operates independently from the clinical side, you may qualify. The key requirement: you must formally designate which components are covered and which are not. This designation must be documented.
Most small and mid-size practices do not need to worry about hybrid status. If your entire operation revolves around patient care and the associated billing, you are simply a Covered Entity.
4. Vendor (non-covered, non-BA)
Some organizations interact with the healthcare industry but do not meet the definition of either a Covered Entity or a Business Associate. Examples include:
- A janitorial service that cleans your office but never accesses PHI
- A general contractor who renovates your waiting room
- A web design firm that builds your marketing site (assuming no patient portal or PHI access)
These vendors are not regulated by HIPAA — but the moment they gain access to PHI, the analysis changes. If your cleaning crew has unsupervised access to areas where PHI is visible on screens or paper, you have a problem that a BAA alone cannot solve.

Why misclassification is dangerous
The most common misclassification we see: practices that believe their vendors are not Business Associates when they clearly are.
Your cloud storage provider stores appointment records? Business Associate. Your IT consultant remotes into your EHR server? Business Associate. Your accountant receives patient billing data? Business Associate.
Every one of these relationships requires a signed BAA. Without it, you have an active HIPAA violation — even if no breach has occurred. OCR has levied six-figure fines specifically for missing BAAs.
The second most common error: Business Associates who believe HIPAA does not apply to them. Since the 2013 Omnibus Rule, it does. Directly. A Business Associate can be fined independently of the Covered Entity it serves.
How to determine your status
Run through this decision tree:
- Do you provide healthcare and bill electronically? If yes, you are a Covered Entity.
- Do you handle PHI on behalf of a Covered Entity? If yes, you are a Business Associate.
- Does your organization have both covered and non-covered divisions? If yes, you may be a Hybrid Entity — but you must formally designate the covered components.
- None of the above? You are likely an uncovered vendor — but verify that no function or workflow touches PHI before you stop there.
If you are uncertain, use our entity determination tool to walk through the classification in detail.
What your status means for the next 16 steps
Your entity classification determines which HIPAA rules apply, which safeguards you must implement, and what documentation you need to produce if OCR comes knocking.
Covered Entities must comply with:
- The Privacy Rule (all of it)
- The Security Rule (all of it)
- The Breach Notification Rule (all of it)
- The Enforcement Rule
Business Associates must comply with:
- The Security Rule (all of it)
- The Breach Notification Rule (all of it)
- Relevant portions of the Privacy Rule (use and disclosure limitations)
- BAA terms with each Covered Entity
Hybrid Entities must apply all Covered Entity requirements to designated healthcare components, and must implement safeguards to prevent PHI from leaking to non-covered components.
This distinction matters at every step of the compliance journey — from risk assessment scope to training requirements to breach response timelines.
Get this right before you move forward
Misidentifying your status does not just create a documentation gap. It creates a structural flaw in your entire compliance program. Every policy, every risk assessment, every training session is scoped against your entity type. If the foundation is wrong, everything built on it is wrong.
Take the time to classify correctly. Document your determination. If your status changes — for example, if you begin offering a new service that creates BA relationships — update the classification and adjust your program accordingly.
The risk assessment in Step 2 depends on getting this right. So does every step after it.
Resources
| Resource | Description |
|---|---|
| HHS HIPAA Overview | General guidance on Covered Entities and Business Associates from the U.S. Department of Health & Human Services |
| 45 CFR §160.103 | The legal definitions of Covered Entities, Business Associates, and Hybrid Entities in the HIPAA regulations |
| HHS "Are You a Covered Entity?" Tool | A decision tree designed to help organizations determine whether they are a Covered Entity |
This is Step 1 of our 17-step HIPAA compliance roadmap. Next: Step 2 — Map Your PHI Risks.
