Fatskills
Practice. Master. Repeat.
Study Guide: Certified Information Privacy Professional (CIPP): US - HIPAA Covered Entities and Business Associates
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-hipaa-covered-entities-and-business-associates

Certified Information Privacy Professional (CIPP): US - HIPAA Covered Entities and Business Associates

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

HIPAA’s Covered Entity (CE) and Business Associate (BA) designations define who must follow the Health Insurance Portability and Accountability Act’s privacy and security rules. A CE is any health care provider, health plan, or health care clearinghouse that creates, receives, or transmits protected health information (PHI). A BA is any person or organization that performs a function or service for a CE that involves PHI (e.g., a billing company, cloud-hosting provider, or a software vendor). Understanding the CE/BA split is critical because it determines who must implement safeguards, sign a Business Associate Agreement (BAA), and report breaches; mistakes can lead to steep OCR fines and reputational damage.

Real-world example: A regional hospital (CE) contracts with a third-party telehealth platform to host video visits. The platform stores the video recordings (PHI). Because the platform is a BA, it must sign a BAA, implement HIPAA-required security controls, and report any breach to the hospital and the Office for Civil Rights (OCR).


Key Terms & Provisions

  • Covered Entity (CE): Under 45 C.F.R. §§ 160.103 & 164.501, a health care provider, health plan, or health care clearinghouse that transmits PHI electronically.
  • Business Associate (BA): Any person or entity that performs a function or service for a CE that involves PHI, or that creates, receives, maintains, or transmits PHI on behalf of the CE (45 C.F.R. §§ 160.103 & 164.502).
  • Business Associate Agreement (BAA): A written contract that obligates the BA to protect PHI, limits permissible uses, and requires breach notification. It must be in place before any PHI is shared.
  • Protected Health Information (PHI): Individually identifiable health information (e.g., medical records, billing information) covered by HIPAA’s Privacy Rule.
  • Minimum Necessary Standard: The CE and BA must limit PHI use, disclosure, and requests to the smallest amount needed to accomplish the intended purpose (45 C.F.R. § 164.502(b)).
  • HIPAA Security Rule: Requires administrative, physical, and technical safeguards for electronic PHI (ePHI). Applies to both CEs and BAs.
  • Breach Notification Rule: A covered breach must be reported to the affected individuals within 60 days, to OCR within 60 days (if ≥500 individuals), and to the media if ≥500 individuals (45 C.F.R. §§ 164.404–164.408).
  • Sub-Business Associate: A BA may engage another BA (sub-BA) but must obtain written assurances that the sub-BA will comply with the same HIPAA obligations.
  • HIPAA Enforcement: The Office for Civil Rights (OCR) can impose civil penalties up to $50,000 per violation (max $1.5M per year) and criminal penalties for willful neglect.
  • HIPAA “Hybrid” Entity: An organization that is both a CE (e.g., a hospital) and a BA (e.g., it provides billing services to other CEs).
  • State Law Interaction: State privacy or data-breach statutes may apply in addition to HIPAA, but HIPAA preempts only where state law is less protective of PHI.

Step-by-Step Process Flow (Applying CE/BA Rules)

  1. Identify the Relationship – Determine whether the party is a CE, a BA, or a hybrid (review contracts, services performed, and whether PHI is handled).
  2. Conduct a PHI Inventory – Catalog all PHI flows (creation, receipt, storage, transmission) and map them to the responsible entity.
  3. Execute a Business Associate Agreement – Draft or obtain a BAA that includes the required clauses (use/disclosure limits, breach notification, sub-BA provisions, termination).
  4. Implement Minimum-Necessary Controls – Configure systems, policies, and training so that only the PHI needed for the task is accessed or shared.
  5. Apply Security Safeguards – Deploy administrative (risk analysis, policies), physical (facility controls), and technical (encryption, access logs) safeguards per the Security Rule.
  6. Monitor & Report – Continuously monitor for unauthorized access; if a breach occurs, follow the breach-notification timeline (60-day deadlines) and document the response.

Common Mistakes

  • Mistake: Treating a vendor that only stores PHI as a “service provider” and skipping the BAA.
    Correction: Any entity that stores, processes, or transmits PHI on behalf of a CE is a BA and must have a signed BAA before any PHI is transferred.

  • Mistake: Assuming the minimum necessary rule applies only to disclosures, not to internal access.
    Correction: Both external disclosures and internal accesses must be limited to the minimum necessary; role-based access controls are required.

  • Mistake: Believing that a breach affecting fewer than 500 individuals does not require OCR notification.
    Correction: All breaches must be reported to OCR; the 500-person threshold only determines whether a public (media) notice is required.

  • Mistake: Forgetting to obtain written assurances when a BA hires a sub-BA.
    Correction: The primary BAA must contain a clause obligating the BA to secure a sub-BA agreement that mirrors the original BAA’s obligations.

  • Mistake: Assuming HIPAA preempts all state privacy laws.
    Correction: HIPAA preempts only state statutes that are less protective of PHI; more protective state breach-notification or privacy laws still apply.


CIPP Exam Insights

  1. CE vs. BA Distinction: Exams love to test the “who is directly subject to the Privacy Rule?” question. Remember: Only CEs are directly subject to the Privacy Rule; BAs are subject via the BAA.
  2. BAA Must Be in Place Before PHI Transfer: A common trap is an answer that says “a BAA can be signed after the first data exchange.” The correct answer is pre-exchange.
  3. Minimum Necessary vs. Full Disclosure: The exam may present a scenario where a CE wants to share an entire chart with a specialist. The correct answer is to share only the information necessary for the specialist’s purpose.
  4. Breach Notification Timing: The 60-day deadline is a frequent exam fact-check; watch out for “30-day” distractors.

Quick Check Questions

  1. Question: A hospital (CE) contracts a cloud-hosting provider to store its ePHI. The provider is asked to sign a BAA after the first file is uploaded. Is this acceptable?
    Answer: No. A BAA must be executed before any PHI is transferred; otherwise the provider is a non-compliant BA.

  2. Question: A health plan (CE) hires a third-party claims processor (BA) that, in turn, uses a subcontractor to perform data entry. What must the original BA do?
    Answer: The BA must obtain a written sub-BA agreement that obligates the subcontractor to the same HIPAA terms.

  3. Question: A breach affects 350 patients. Which notifications are required?
    Answer: The CE must notify the affected individuals and OCR within 60 days; a media notice is not required because the breach is under 500 individuals.


Last-Minute Cram Sheet (10 One-Liners)

  1. HIPAA Covered Entity = Provider, Health Plan, or Clearinghouse (45 C.F.R. § 160.103).
  2. Business Associate = Performs a service involving PHI for a CE (45 C.F.R. § 164.502).
  3. BAA must be signed before any PHI exchange – no “post-hoc” agreements.
  4. Minimum Necessary applies to all accesses, not just external disclosures.
  5. Breach Notification Deadline = 60 days to individuals, OCR, and (if ≥500) media.
  6. Maximum Civil Penalty = $50,000 per violation (capped at $1.5M per year).
  7. Sub-BA Requirement: Primary BA must secure a written sub-BA agreement that mirrors the original BAA.
  8. Security Rule = Administrative, Physical, Technical safeguards for ePHI (45 C.F.R. §§ 164.308–164.312).
  9. HIPAA Preemption: Only preempts state laws that are less protective of PHI.
  10. Exam Trap: “All BAs are automatically covered entities.” – False; BAs are not CEs unless they also meet the CE definition (e.g., a hybrid entity).