HIPAA Privacy Rule directly regulates only 'Covered Entities'
The definition of a covered entity is:
- A health plan
- A health care clearinghouse
- A health care provider who transmits any health information in electronic form directly
Health care providers are covered entities under HIPAA only if they conduct any HIPAA standard transactions electronically. A medical practice that conducts claims and related transactions using only paper and the telephone is not a covered entity.
Business associates are defined as "a person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right."