There are three types of entities described in the statute. The first is the patient. That’s easy. The second is the Covered Entity (CE) and the third is the Business Associate (BA). The CE performs medical services on the patient and has the most trusted access to the information. A hospital or an insurance company is a CE.
A BA is someone whom a CE uses for services and who needs access to the PHI (protected health information) of the CE’s patients to perform some level of service. A traditional BA is a bill processing company that sends medical invoices and processes payments. It has, and needs, access to the patient information (name, address) and the medical record (diagnosis code, charge, etc.) to perform the work for the CE.
Since the HIPAA omnibus rule changes have been implemented, cloud service providers and other hosting providers are now considered BAs.