There are two categories of entities that are regulated by HIPAA and are required to be in full compliance: covered entities and business associates.
Covered entities are the main focus of the original law. They are the organizations that, in their normal activities, create, maintain, directly access and/or transmit PHI and ePHI. Examples are healthcare providers, clearinghouses, health insurance plans, and employers who self-insure. [Note: In general a specific individual is not considered a covered entity; their employer is. Individuals still have a duty to support and ensure compliance and would likely face disciplinary action by their employer for behavior that compromises it, but it is the employer that would be the target of OCR fines and penalties.]
Covered entities are responsible for reporting any data breach to the OCR, to the individuals affected and, for larger breaches, to the media. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. The deadline for reporting to the OCR depends on the number of persons affected: a breach affecting 500 or more individuals must be reported within the same 60-day window, while smaller breaches may be logged and reported annually. Media notification is required when a breach affects more than 500 residents of a state or jurisdiction.
When we think of covered entities, we think of the obvious: medical offices, health insurance providers, and hospitals. However, there are many others who come in contact with PHI and ePHI and, through this contact, are swept up under HIPAA regulations and become subject to the same fines and penalties for non-compliance as covered entities. These are the business associates. Examples include attorneys, accountants, IT contractors, managed service providers, billing firms, data storage centers, and even email providers. Fundamentally, any entity that creates, receives, maintains or transmits PHI on behalf of a covered entity is regulated by HIPAA. Handling the data in a purely pass-through sense does not by itself take an entity out of scope: the so-called conduit exception is narrow and covers only services that merely transmit PHI with transient access, such as an internet service provider or a courier. A provider that stores PHI, even encrypted data it cannot read, is a business associate. In 2016 the OCR made this explicit in guidance identifying cloud storage providers and data centers as business associates.
Now this is where things get complex. A covered entity is responsible for identifying anyone it works with that comes in contact with its PHI. Once it identifies that party as a business associate, it must obtain satisfactory assurances that the associate will safeguard the PHI appropriately. This is done through a signed Business Associate Agreement, a contract that sets out the permitted uses and disclosures of the PHI, the safeguards the associate must apply, and its duty to report breaches back to the covered entity. Since the 2013 Omnibus Rule a business associate is directly liable under HIPAA whether or not an agreement is signed, and it faces the same fines and penalties as the covered entity should a data breach occur "on its watch." Handling PHI without an agreement in place is itself a violation for both parties.
What does this mean in a practical sense? A covered entity has to be sure that its PHI remains secure even when it passes out of the covered entity's hands. If a data breach hits a business associate, the associate is required to notify the covered entity without unreasonable delay and no later than 60 days after discovering the breach, or sooner if the agreement requires it; the covered entity then carries out the reporting to the OCR, the affected individuals and, where applicable, the media.