Awareness article

Covered Entity vs. Business Associate

How to tell whether your clinic is the covered entity, when a vendor becomes a business associate, and why the distinction matters operationally.

The distinction matters because it changes what the clinic must do before work begins.

What a covered entity is in practice

For most readers of this site, the covered entity is the clinic itself. The clinic controls patient relationships, treatment operations, and the use of PHI in the normal course of care delivery.

What makes a vendor a business associate

A vendor becomes a business associate when it creates, receives, maintains, or transmits PHI for the clinic as part of providing a service. The test is functional: what matters is what the vendor does with PHI, not how it describes itself. It makes no difference whether the vendor calls itself a project manager, a storage company, an IT consultant, or a workflow platform.

Why small clinics get confused

Vendors often market “HIPAA-ready” or “secure” plans without clearly stating whether a BAA is available, on which tier, and under what operating assumptions. That leaves clinics comparing general security language instead of answering the real question: does this vendor take on business associate obligations for the workflow we want to run?

The practical workflow

Before PHI enters a system, the clinic should answer:

  1. Will this vendor handle PHI on our behalf?
  2. If yes, is there a signed BAA in place?
  3. Does the product actually support the controls we need once PHI is there?

The first two questions establish the legal relationship. The third determines whether the workflow is operationally defensible.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.
