HIPAA Privacy Training

Lesson 2 | Organizations Under HIPAA


Organizations Covered under HIPAA

HIPAA is strict in how it defines entity types, and those entity types determine whether an organization must comply with HIPAA and what liability it carries.

When HIPAA was written, it was explicit about the types of organizations that needed to comply with it. HIPAA defines two types of organizations:

Covered Entities.

These include healthcare providers, healthcare insurance companies, and healthcare clearinghouses (healthcare transaction processors).

Business Associates.

These are 3rd party organizations that covered entities work with to help carry out operations and that have access to health data. The most common business associates are electronic health record (EHR) companies and revenue cycle management (RCM) companies.

Covered entities are a relic of traditional healthcare delivery. HHS defines covered entities as entities that deliver care and “electronically transmit health information in connection with certain transactions”; “transactions” here means traditional insurance claims. The last ten years have seen new technology-enabled healthcare delivery models and services, many of which do not fit the mold of how HIPAA defines covered entities and, as such, do not have to comply with HIPAA. Direct-to-consumer mobile or web apps that collect health data and provide medical guidance or “care”, whether by providers or by AI / ML, but do not transmit standard transactions, are not covered entities under HIPAA.

In 2013, HIPAA was updated to extend the definition of business associates to include 3rd party organizations that assist business associates. It called this new layer of business associates “subcontractors”, or essentially business associates of business associates. The most common subcontractors are technology companies like cloud service providers (AWS, Microsoft Azure, and Google Cloud Platform).

Under HIPAA, covered entities are the owners of health data. They also own the liability for health records if a data breach occurs. When a covered entity works with a business associate, it extends that liability to the business associate through a business associate agreement. When a business associate works with a subcontractor, it extends its own liability to the subcontractor through a business associate agreement.

As you can imagine, there are thousands of covered entities, and almost all of them are large organizations with complex operations. Most covered entities work with many different 3rd party organizations as business associates. Business associates, increasingly reliant on technology partners, have many subcontractors. Because of this chain of liability from covered entities to business associates to subcontractors, there are tons of business associate agreements and tons of liability in healthcare. It’s a mess and a lawyer's dream.

The main thing for you to understand is the type of entity you work for and which 3rd parties are covered under business associate agreements.