Feeling confused about your new healthcare role?

The medical industry has evolved into an institution where many providers are feeling left behind and insecure of all changes that have taken place. New roles are defined, health bills are presented to Congress, and definitions are being established to keep up with the health information privacy laws frequently. Hopefully, this blog will provide a more concise explanation of your roles within the industry, and how each role is an intersection to the grand scheme of things.

The U.S. Department of Health & Human Services (HHS) is very clear on who, and how these roles are defined, and the responsibilities of each. The HHS thoroughly defines these responsible parties as Covered Entities and Business Associates.

Who are the Covered Entities? 

Covered Entities are health care providers, health plans, and healthcare clearinghouses.

Health Care Providers include Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies; but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard, are defined as covered entities. [1]

Health Plans include Health insurance companies, HMOs, Company health plans, and government programs such as Medicare & Medicaid. [1]

Health Care Clearinghouses include entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. [1] An example of a clearinghouse would be RelayHealth Financial.

Who are the Business Associates?

Business Associates play a major role in making sure that the services rendered are accounted for, and housed accurately for their assigned covered entity. Think of business associates as “where the rubber meets the road” of the industry.

Without business associates, it would be pretty hard for covered entities to function properly; frankly, it would be impossible. These “third-party contributors” set the course as IT Support vendors who have access to sensitive PHI, to attorneys gaining access to medical records. The roles are vast and are growing as service classifications are developed. And because of their complex and numerous roles, the responsibility of business associates is one to uphold in high regard.

Business Associates are defined as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate. [2]

Examples of business associates are as follows [2]:

  • A third party administrator that assists a health plan with claims processing.
  • Medical Billing Company
  • A CPA firm whose accounting services to a health care provider involves access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • Shredding Company

As you can see, when PHI is created, received, and maintained on behalf of a Covered Entity, the responsibilities of the Business Associates will continuously expand, and grow over time.

Business Associate Contracts

There is a misconception in the industry:  Business Associates are not held liable to the regulations of HIPAA because services are provided on behalf of a Covered Entity. This isn’t true. Per the HHS, a business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule[3]. To make sure that each entity adheres to the Security Rule, established written contracts between a covered entity and business associate must be obtained.

Each Covered Entity that utilizes a Business Associate must have a business associate agreement in place. The agreements are used to ensure both parties agree to handle PHI in accordance with HIPAA regulations. This includes how documents will be transmitted and stored while setting practical safeguards within the designated office. Check out the sample business associate agreement here.

Check out our security roles as business associates here.




Since 2001, Simone Harris has developed a solid foundation in administrative healthcare services and business development. She has 18+ years within the healthcare sector and serves as the Executive of Business of Operations and Compliance Officer. Modified Solutions is furnished with professional medical administrative resources that are firmly rooted in compliance, integrity, and experience. To learn more visit https://modified-solutions.com/.