45 CFR 160.103 Definitions: Key HIPAA Terms Explained
45 CFR 160.103 sets the baseline definitions that power the HIPAA Privacy Rule and HIPAA Security Rule. When you understand these terms precisely, you can write clearer policies, sign better vendor contracts, and make faster, defensible decisions about health data. This guide explains the most-used definitions and shows how to apply them in daily compliance work.
Definitions in HIPAA Privacy and Security Rules
Section 160.103 provides a shared vocabulary for HIPAA’s Administrative Simplification rules. It standardizes what “use,” “disclosure,” “covered entity,” and “protected health information” mean across the Privacy Rule, Security Rule, breach notification, and enforcement provisions.
Because enforcement and patient rights hinge on these meanings, you should check 160.103 first whenever you interpret exceptions, authorizations, or vendor obligations. Returning to the definitions prevents inconsistent decisions and policy drift.
Privacy Rule and Security Rule at a glance
- The HIPAA Privacy Rule governs when PHI may be used or disclosed and outlines the rights of the individual.
- The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI).
- Shared definitions in 160.103 keep both rules aligned, especially for “business associate,” “workforce,” “health care provider,” and “protected health information.”
Terms Related to Covered Entities
“Covered Entity” is a foundational definition in 45 CFR 160.103. A covered entity is any of the following:
- Health plan: An individual or group plan that provides or pays the cost of medical care, such as health insurers, HMOs, employer-sponsored group health plans, and certain government programs.
- Health care clearinghouse: An entity that translates health information between nonstandard and standard HIPAA transaction formats (for example, billing services or repricing companies).
- Health care provider: Any provider of medical or health services—or any person or organization that furnishes, bills, or is paid for health care—who transmits health information in electronic form in connection with a HIPAA standard transaction (such as claims or eligibility inquiries).
A provider qualifies as a covered entity only when it conducts at least one standard transaction electronically. Paper-only workflows do not trigger covered entity status, but in practice most providers send claims or eligibility checks electronically.
Transactions that make a difference
- Claims and encounter submissions and related remittances.
- Eligibility and coverage inquiries and responses.
- Claim status, referrals, authorizations for services, and coordination of benefits.
Workforce and hybrid structures
Your employees, volunteers, trainees, and others under your direct control are the workforce; they are not business associates. If your organization performs both covered and noncovered functions, consider designating a hybrid entity so that HIPAA applies to the health care components while other divisions remain outside HIPAA’s scope, and back that designation with access controls and policies that keep PHI from flowing to the noncovered components.
Protected Health Information Explained
“Protected Health Information” (PHI) is individually identifiable health information created or received by a covered entity or business associate that relates to a person’s health condition, the provision of health care, or payment for care, and that is transmitted or maintained in any form or medium.
What counts as identifiable
Information is identifiable when it includes elements that can point to a specific person. Common identifiers include names, geographic details smaller than a state, dates directly tied to an individual, contact information, Social Security and medical record numbers, device and biometric identifiers, full-face photos, and any other unique code that can reasonably identify someone.
PHI vs. ePHI
PHI includes paper, verbal, and electronic forms. The Security Rule applies specifically to electronic PHI (ePHI) in EHR systems, patient portals, email, cloud storage, mobile devices, and backups.
What PHI excludes
- De-identified information (no reasonable basis to identify the person, achieved via expert determination or by removing the specified identifiers).
- Education records and student treatment records protected by FERPA.
- Employment records a covered entity maintains in its role as employer.
- Individually identifiable health information for a person deceased more than 50 years.
Limited data sets
A limited data set is still PHI, but with certain direct identifiers removed. You may use or disclose it for research, public health, or health care operations with a data use agreement that restricts recipient activities.
Understanding Business Associates
A “Business Associate” is a person or entity, other than a workforce member, that performs functions or services for a covered entity—and those activities involve creating, receiving, maintaining, or transmitting PHI. Subcontractors that handle PHI on behalf of a business associate are also business associates.
Common examples
- Cloud hosting, data centers, and backup providers that store ePHI.
- Billing, coding, and revenue cycle vendors.
- EHR and patient portal providers and their support teams.
- Shredding, scanning, and records management firms.
- Consultants, attorneys, and auditors who need PHI to perform services.
Who is not a business associate
- Your workforce under the direct control of the covered entity or business associate.
- “Conduits” that merely transport information without routine access to its content (for example, postal services or common carriers).
- Providers sharing PHI for treatment; each remains a covered entity, not a business associate of the other for treatment purposes alone.
Business Associate Agreements
You must execute a Business Associate Agreement (BAA) with each vendor that handles PHI. A BAA defines permitted uses and disclosures, requires safeguards aligned to the HIPAA Security Rule, mandates breach reporting, and flows down obligations to subcontractors.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Clarifying the Role of the Individual
The “Individual” is the person who is the subject of PHI. In many cases a personal representative—such as a parent of an unemancipated minor or someone holding a health care power of attorney—must be treated as the Individual, consistent with applicable law and specific exceptions.
Key rights you must support
- Access and obtain copies of PHI, including electronic copies when readily producible.
- Request amendments to PHI in designated record sets.
- Receive an accounting of certain disclosures.
- Request restrictions and confidential communications.
Define and document your identity verification, recognition of personal representatives, and processes for special cases so staff apply the definition of “Individual” consistently and correctly.
Explanation of Authorization Requirements
“Authorization” is an Individual’s written permission to use or disclose PHI for purposes not otherwise permitted or required by the HIPAA Privacy Rule. You most often need it for marketing, for research disclosures that are not covered by a waiver, and for releasing records to third parties at the patient’s request.
When you do not need an authorization
- Treatment, payment, and health care operations.
- Disclosures required by law, certain public health activities, and specified oversight or law enforcement purposes.
- Disclosures to the Individual or personal representative, and certain directory or limited fundraising uses with required notices.
Core elements of a valid authorization
- Description of the information to be used or disclosed.
- Who is authorized to disclose and who may receive the information.
- The purpose for the use or disclosure.
- An expiration date or event.
- Signature and date of the Individual (or authorized personal representative, with authority described).
- Required statements about the right to revoke, the potential for redisclosure, and any conditions tied to treatment, payment, enrollment, or eligibility.
Authorizations must be in plain language. Provide a copy to the signer, retain documentation, and honor revocations except to the extent you have already relied on the authorization.
Application of 45 CFR 160.103 in Compliance
Definitions are operational tools. Using 45 CFR 160.103 proactively helps you classify relationships, map data flows, and avoid impermissible uses or disclosures before they happen.
Put the definitions to work
- Inventory covered functions and confirm which components are part of the Covered Entity.
- Catalog all vendors that create, receive, maintain, or transmit PHI; execute BAAs; and ensure subcontractor coverage.
- Locate all PHI and ePHI, then apply Security Rule safeguards and logging proportionate to risk.
- Label data sets as PHI, limited data set, or de-identified to enable the right sharing pathways.
- Train staff on “use,” “disclosure,” “minimum necessary,” “Business Associate,” and “Authorization,” using scenario-based exercises.
- Align incident response with definitions of “breach,” “unsecured PHI,” and “business associate” to trigger correct notifications.
Common pitfalls to avoid
- Calling a vendor a “conduit” when it actually stores or routinely accesses ePHI.
- Applying HIPAA to employment records simply because you are a Covered Entity.
- Assuming consumer health apps are covered by HIPAA when no Covered Entity or Business Associate is involved.
- Using overbroad authorizations that omit required elements or conflict with state requirements.
Conclusion
Mastering the definitions in 45 CFR 160.103 aligns your HIPAA Privacy Rule and HIPAA Security Rule programs from the ground up. When you classify entities, relationships, and data correctly, you reduce risk, streamline disclosures, and make every policy and contract more defensible.
FAQs
What is the definition of a covered entity under 45 CFR 160.103?
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a standard transaction. Providers qualify when they conduct at least one HIPAA standard transaction electronically, such as submitting claims or checking eligibility.
What qualifies as protected health information (PHI)?
PHI is individually identifiable health information created or received by a covered entity or business associate that relates to health status, care, or payment and is transmitted or maintained in any form. It excludes de-identified information, education records under FERPA, employment records held in the employer role, and information about a person deceased for more than 50 years.
How is a business associate defined under HIPAA?
A business associate is a person or entity, other than a workforce member, that performs functions or services for a covered entity involving the creation, receipt, maintenance, or transmission of PHI. Subcontractors that handle PHI on behalf of a business associate are also business associates. Mere conduits that only transport data without routine access are not business associates.
What constitutes an authorization under HIPAA rules?
An authorization is the Individual’s written permission for uses or disclosures of PHI not otherwise permitted by the Privacy Rule. It must identify the information, who may disclose and receive it, the purpose, an expiration date or event, and include the signer’s dated signature plus required statements about revocation, redisclosure, and any applicable conditions.