1.2 · HIPAA Basics
The Three Roles
HIPAA splits the world into three kinds of organizations. Which role you play decides which rules apply to you and who you are responsible for. Understanding this is the single most important framing for everything else in this section, because it explains why we have to sign contracts with so many different vendors.
The three roles at a glance
| Role | Who fits this | What it means for them |
|---|---|---|
| Covered Entity | Front-line healthcare provider: hospitals, doctors, dentists, mental health practices, ABA clinics. | Original holder of the patient relationship. Carries the primary HIPAA obligation. |
| Business Associate | Any organization a Covered Entity hires whose work involves Protected Health Information. This is us. | The same Security Rule safeguards that apply to the clinic apply to the Business Associate, because the same data is involved. |
| Subcontractor | Any organization a Business Associate hires whose work involves Protected Health Information. AWS is ours (the Bedrock and Cognito services we use are AWS services covered under the AWS agreement, not separate vendors). | Inherits the same HIPAA obligations the Business Associate carries. The chain can extend indefinitely. |
Covered Entity (the clinic)
A Covered Entity is the front-line healthcare provider. They are the ones directly providing care to patients and billing for that care. Hospitals, doctors, dentists, mental health practices, and the ABA clinics that use this platform are all Covered Entities. They are the original holders of the patient relationship and they carry the primary HIPAA obligation.
Business Associate (us)
A Business Associate is any organization that creates, receives, maintains, or transmits Protected Health Information on a Covered Entity's behalf. This is us. ABA clinics hire our platform to run parts of their operations, and we end up storing and processing their clients’ information. By HIPAA’s definition, that makes our company a Business Associate to every clinic we serve. The same HIPAA Security Rule safeguards that apply to the clinic apply to us, because we are handling the same data, and since the 2013 Omnibus Rule we are directly liable to HHS for those safeguards, not just contractually liable to the clinic.
Subcontractor (AWS and others below us)
A Subcontractor is any organization a Business Associate hires whose work involves creating, receiving, maintaining, or transmitting Protected Health Information. AWS is our Subcontractor: it hosts our database, AWS Bedrock processes documents through Claude, and Cognito stores our user identities. Bedrock and Cognito are AWS services rather than separate vendors, so they sit under the single AWS agreement, but that agreement only covers the services AWS designates as HIPAA-eligible. Before we route Protected Health Information through any additional AWS service, we check that it is on that list. A Subcontractor inherits the same HIPAA obligations we carry, and a Subcontractor that hires another Subcontractor passes the obligation down again, indefinitely.
Why this chain matters
HIPAA treats this as a chain of responsibility. The Covered Entity is responsible for picking compliant Business Associates. The Business Associate is responsible for picking compliant Subcontractors. And so on. If any single link in that chain is broken, the entire chain is broken. An exposed record at the deepest Subcontractor is still a breach of the patient data the Covered Entity is responsible for, so the Covered Entity must still handle it as one, and every link between it and the exposure can be held directly liable.
That is why we cannot simply pick a database based on price. The database vendor must be willing to sit inside this chain. The same goes for the AI provider, the file storage, the email service, and the error monitoring tool. Every vendor either accepts the obligation in writing or we cannot use them for regulated data.
What this means in practice
| Reality | How we operate against it |
|---|---|
| The clinics are the Covered Entities we are formally answerable to under HIPAA, alongside HHS itself. | If we cause a breach, the Breach Notification Rule requires us to notify each affected clinic without unreasonable delay and within 60 days of discovery; the clinic is then the one that notifies affected patients, HHS, and where required the media, and it will look to us for accountability. |
| Every vendor we route Protected Health Information through has to sign a Business Associate Agreement. | The contract that locks each link of the chain in place is covered on the next page. |
| We have to keep documentation showing the chain exists. | If HHS audits us, they will ask to see signed agreements with each Subcontractor we use. We track that on the BAA Status page. |
In short: we are the middle link in a legally defined chain. We owe the clinics above us the safeguards HIPAA requires. We require those same safeguards from every vendor below us. The contract that proves all of that is the Business Associate Agreement.