According to HIPAA: Covered Entities, Examples, and Common Compliance Issues
Who HIPAA covers, what covered entities look like in practice, and where they most often fall short are core topics you must understand if you create, receive, maintain, or transmit Protected Health Information (PHI). This guide clarifies who is covered, typical pitfalls, and practical steps for Privacy Rule Compliance, the HIPAA Security Rule, and Electronic Health Transactions.
Use it to map your role, reduce risk through disciplined Risk Analysis, and strengthen safeguards without slowing care or operations.
Definitions of Covered Entities
Covered entity
A covered entity is one of the following: a health plan, a health care clearinghouse, or a health care provider who transmits health information electronically in connection with a transaction for which HHS has adopted a standard (such as claims, eligibility checks, or remittance advice). The designation turns on both your function and whether you conduct those standard Electronic Health Transactions, not on whether you think of yourself as a "health" organization.
PHI and when it applies
PHI is individually identifiable health information in any form (paper, spoken, or electronic) created, received, maintained, or transmitted by a covered entity or its business associate. If you are a covered entity, every use or disclosure of PHI must be permitted or required by the Privacy Rule, and most must also satisfy the "minimum necessary" standard; disclosures to a provider for treatment and disclosures to the individual are among the exceptions.
Business associates versus covered entities
Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity (for example, a cloud EHR host or billing service), together with the subcontractors to whom they delegate that work. They are not covered entities, but since the HITECH Act and the 2013 Omnibus Rule they are directly liable for Security Rule compliance and for the Privacy Rule obligations in their contracts, and they must be bound by Business Associate Agreements before they handle PHI.
Categories of Covered Entities
Health plans
Health plans include Medicare, Medicaid, health insurance issuers, HMOs, employer-sponsored group health plans, and certain government programs that pay for health care. If you operate a plan that provides or pays for medical care, HIPAA applies, with one narrow exception: a group health plan with fewer than 50 participants that is administered solely by the employer that established it is excluded from the definition.
Health care providers (conducting standard transactions)
Providers, such as hospitals, clinicians, dentists, pharmacies, labs, and telehealth practices, are covered entities when they transmit standard Electronic Health Transactions, directly or through a clearinghouse or billing service acting on their behalf. Providers that never conduct a standard electronic transaction (a cash-only practice that keeps paper records, for example) are not covered entities under HIPAA, though state privacy laws may still apply to them.
Health care clearinghouses
Clearinghouses transform nonstandard health data into standard transaction formats (and vice versa). Examples include medical billing processors, repricing firms, and switch networks that route claims and remittances.
Hybrid entities
Organizations with both covered and non-covered functions (e.g., a university with a medical clinic) may designate themselves "hybrid entities" and identify their health care components. HIPAA then applies to those components while unrelated units stay outside its scope; the organization must still keep the health care components from sharing PHI with the rest of the enterprise except as the Privacy Rule allows.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Examples of Covered Entities
Health plans
- Medicare Advantage plans and Medicaid managed care organizations
- Commercial insurers and HMOs offering individual or group coverage
- Employer-sponsored group health plans that pay for employees’ medical care
Health care providers
- Hospitals, ambulatory surgery centers, and physician practices
- Dentists, behavioral health counselors, and physical therapists
- Clinical laboratories, imaging centers, and pharmacies
- Durable medical equipment suppliers and telehealth-only clinics
Health care clearinghouses
- Medical billing and claims translation services
- EDI networks converting 837 claims and 835 remittances
- Repricing and utilization management intermediaries processing standard transactions
Common HIPAA Compliance Issues
- Insufficient or outdated Risk Analysis and risk management plans
- Missing or incomplete Business Associate Agreements with vendors handling PHI
- Unauthorized access or snooping due to weak access controls or shared logins
- Unencrypted devices, misconfigured cloud storage, or insecure data transfers
- Failure to follow minimum necessary, leading to overbroad disclosures
- Delayed or improper patient access responses under the Privacy Rule
- Inadequate audit logging, monitoring, or incident response processes
- Improper PHI disposal (e.g., non-shredded paper records or un-wiped media)
- Workforce training gaps, social engineering, and weak authentication practices
Risk Management Practices
Conduct a structured Risk Analysis
- Inventory systems, apps, devices, data stores, and third parties touching PHI
- Map PHI data flows across creation, use, transmission, storage, and disposal
- Identify threats and vulnerabilities; rate likelihood and impact for each asset
- Calculate risk levels and document current and planned controls
Implement prioritized risk treatment
- Address high risks with technical controls (encryption, MFA), policies, and procedures
- Track actions in a living risk register; review at least annually or after major changes
- Test backups and disaster recovery to meet availability requirements of the HIPAA Security Rule
Vendor management and BAAs
- Perform due diligence on vendors; sign Business Associate Agreements before PHI is shared
- Require security controls, breach notification terms, and flow-down obligations to subcontractors
- Reassess vendors regularly and upon incidents or significant service changes
Incident response and reporting
- Establish playbooks for containment, investigation, documentation, and notification
- Enable audit logs, keep evidence, and conduct lessons-learned to prevent recurrences
Employee Training Requirements
Provide role-based training on Privacy Rule Compliance and security awareness before workforce members access PHI and periodically thereafter. Update training when policies, systems, or threats change.
- Core topics: minimum necessary, permitted uses/disclosures, patient rights, and reporting concerns
- Security essentials: phishing recognition, MFA, password hygiene, and device/media handling
- Operational practices: safe telehealth, remote work expectations, and secure messaging
- Documentation: record completion, track comprehension, and enforce sanctions for violations
Safeguards for Protected Health Information
Administrative Safeguards
- Policies, procedures, and workforce oversight aligned with the HIPAA Security Rule
- Access governance, role-based permissions, and sanctions for violations
- Contingency planning: backups, disaster recovery, and emergency operations
- Vendor oversight with executed Business Associate Agreements and periodic reviews
Physical Safeguards
- Facility access controls, visitor management, and secure server rooms
- Workstation positioning, screen privacy, and clean-desk practices
- Media controls: inventory, encryption, secure transport, and certified disposal
Technical Safeguards
- Unique IDs, least-privilege access, and multi-factor authentication
- Encryption in transit and at rest; secure configuration baselines and patching
- Automatic logoff, audit logging, and continuous monitoring for anomalies
- Data loss prevention for email, file sharing, and mobile devices
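Two of the issues listed earlier (snooping and shared logins) are found in the audit logs the Technical Safeguards require, not in policy documents. The following is an added example, not code from the original page or from Accountable, showing the kind of check a security team runs over EHR access logs: it flags an account used from two source addresses within a short window, and record views by users outside their assigned patient set. The log lines, the care-team assignment map, and the 15-minute window are constructed assumptions; a real deployment would pull the assignment data from the EHR's scheduling or ADT feed.

```python
"""Added example: detect two common HIPAA audit-log anomalies, a login
shared across workstations and a user opening records they are not
assigned to (snooping). All input below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR access-log lines: timestamp,user,source_ip,patient_id,action
SAMPLE_LOG = """\
2024-03-04T08:01:12,rn_alvarez,10.20.1.15,P1001,view
2024-03-04T08:03:40,rn_alvarez,10.20.1.15,P1002,view
2024-03-04T08:04:05,rn_alvarez,10.20.7.201,P1003,view
2024-03-04T08:10:00,dr_chen,10.20.2.40,P1001,view
2024-03-04T08:12:30,dr_chen,10.20.2.40,P2001,view
2024-03-04T08:12:55,dr_chen,10.20.2.40,P2002,view
2024-03-04T08:13:10,dr_chen,10.20.2.40,P2003,view
2024-03-04T09:30:00,billing_kim,10.20.9.9,P1002,view
"""

# Constructed (hypothetical) care-team assignments: patients each user may open.
ASSIGNMENTS = {
    "rn_alvarez": {"P1001", "P1002", "P1003"},
    "dr_chen": {"P1001", "P2001"},
    "billing_kim": {"P1002"},
}

SHARED_LOGIN_WINDOW = timedelta(minutes=15)  # assumed tuning value


def parse_log(text):
    """Parse the CSV-style lines into event dicts with real datetimes."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "patient": patient, "action": action})
    return events


def shared_logins(events, window=SHARED_LOGIN_WINDOW):
    """Flag a user whose consecutive events come from different source IPs
    within `window`. A nurse moving to a second workstation triggers this
    too, so treat hits as leads to investigate, not proof of sharing."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= window:
                findings.append((user, prev["ip"], cur["ip"], cur["ts"]))
    return findings


def unassigned_access(events, assignments):
    """Flag record views by users outside their assigned patient set."""
    return [(e["user"], e["patient"], e["ts"]) for e in events
            if e["patient"] not in assignments.get(e["user"], set())]


def run(text=SAMPLE_LOG, assignments=ASSIGNMENTS):
    """Run both detections and return the findings keyed by type."""
    events = parse_log(text)
    return {"shared_logins": shared_logins(events),
            "unassigned_access": unassigned_access(events, assignments)}


if __name__ == "__main__":
    for kind, items in run().items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the sample data the first check surfaces rn_alvarez, whose account appears on 10.20.7.201 twenty-five seconds after 10.20.1.15, and the second surfaces dr_chen opening P2002 and P2003, neither on that user's list. Both are exactly the records a privacy officer needs when deciding whether a sanction or a break-the-glass justification applies.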
Standards for Electronic Health Transactions
Use the ASC X12 version 005010 transaction formats adopted under the HIPAA Transactions Rule (837 claims, 835 remittance, 270/271 eligibility, 276/277 claim status, 278 referrals and authorizations, plus 834 enrollment and 820 premium payment) and the adopted code sets (ICD-10-CM/PCS, CPT, HCPCS, CDT, and NDC). Align your EDI workflows and vendor contracts so that transactions remain compliant end to end, including the envelopes and control numbers your clearinghouse and trading partners validate.
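A concrete way to see what "standard transaction" means on the wire is to inspect the X12 envelopes. The following is an added example, not code from the original page or from Accountable, that reads the delimiters from the fixed-length ISA header (element separator at offset 3, segment terminator at offset 105, as the X12 interchange standard fixes them), then walks each ST/SE transaction set to confirm the set identifier is one HIPAA adopts and that the SE segment count and control number agree with the ST. The two interchanges are constructed minimal samples, not valid claims; the 837 body is truncated to a few segments and the 850 purchase order is there only to show a non-HIPAA transaction with a miscounted SE.

```python
"""Added example: check an ASC X12 interchange for HIPAA-adopted
transaction sets and well-formed ST/SE envelopes. Sample data is
constructed and deliberately minimal."""

# Transaction set identifiers adopted under the HIPAA Transactions Rule.
HIPAA_TRANSACTION_SETS = {
    "837": "health care claim",
    "835": "claim payment/remittance advice",
    "270": "eligibility inquiry",
    "271": "eligibility response",
    "276": "claim status request",
    "277": "claim status response",
    "278": "health care services review (referral/authorization)",
    "834": "benefit enrollment",
    "820": "premium payment",
}


def build_isa(sender, receiver, elem="*", term="~", comp=":"):
    """Build a fixed-width ISA header (constructed test data)."""
    fields = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sender.ljust(15),
              "ZZ", receiver.ljust(15), "240304", "0801", "^", "00501",
              "000000001", "0", "T", comp]
    seg = elem.join(fields)
    assert len(seg) == 105, "ISA must be 105 characters before the terminator"
    return seg + term


def build_interchange(body, sender="SENDERID", receiver="RECEIVERID"):
    """Wrap transaction segments in ISA/GS ... GE/IEA envelopes (constructed)."""
    gs = f"GS*HC*{sender}*{receiver}*20240304*0801*1*X*005010X222A1~"
    return build_isa(sender, receiver) + gs + "".join(body) + "GE*1*1~IEA*1*000000001~"


# Constructed samples: a truncated 837, and a non-HIPAA 850 purchase order
# whose SE01 segment count is also wrong.
GOOD_INTERCHANGE = build_interchange([
    "ST*837*0001*005010X222A1~",
    "BHT*0019*00*12345*20240304*0801*CH~",
    "NM1*41*2*EXAMPLE CLINIC*****46*12345~",
    "SE*4*0001~",
])
BAD_INTERCHANGE = build_interchange([
    "ST*850*0002~",
    "BEG*00*SA*PO123**20240304~",
    "SE*2*0002~",
])


def parse_interchange(data):
    """Split raw X12 into segments (lists of elements) using ISA delimiters."""
    if not data.startswith("ISA") or len(data) < 106:
        raise ValueError("missing or truncated ISA segment")
    elem, term = data[3], data[105]
    segments = [s.strip() for s in data.split(term) if s.strip()]
    return [seg.split(elem) for seg in segments]


def check_transaction_sets(data):
    """Return one result per ST/SE pair, listing any problems found."""
    results, current = [], None
    for seg in parse_interchange(data):
        tag = seg[0]
        if tag == "ST":
            current = {"set": seg[1], "control": seg[2], "count": 1, "problems": []}
            if seg[1] not in HIPAA_TRANSACTION_SETS:
                current["problems"].append(f"{seg[1]} is not a HIPAA standard transaction set")
            continue
        if current is None:
            continue  # ISA/GS/GE/IEA envelope segments sit outside ST..SE
        current["count"] += 1
        if tag == "SE":
            if seg[1] != str(current["count"]):
                current["problems"].append(f"SE01 claims {seg[1]} segments, counted {current['count']}")
            if seg[2] != current["control"]:
                current["problems"].append("SE02 control number does not match ST02")
            results.append(current)
            current = None
    if current is not None:
        current["problems"].append("ST without a closing SE")
        results.append(current)
    return results


if __name__ == "__main__":
    for label, data in (("good", GOOD_INTERCHANGE), ("bad", BAD_INTERCHANGE)):
        for r in check_transaction_sets(data):
            print(label, r["set"], r["problems"] or "ok")
```

This is envelope-level hygiene only; a clearinghouse or trading partner additionally validates the implementation guide (the 005010X222A1 in ST03 and GS08), required loops and segments, and the code sets inside them. Reading the delimiters from ISA rather than hard-coding `*` and `~` matters in practice because trading partners do choose other characters, and a checker that assumes defaults silently passes files it never parsed.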
Conclusion
If you are a health plan, a qualifying provider, or a clearinghouse, HIPAA applies to your PHI and your vendors. Consistent Risk Analysis, strong safeguards, reliable vendor management, and ongoing training close the most common compliance gaps and protect patients and your organization.
FAQs
What entities are considered covered under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that transmit PHI in standard Electronic Health Transactions. Providers become covered when they conduct standard electronic transactions, directly or through a clearinghouse.
What are the most common HIPAA compliance issues?
Frequent issues include incomplete Risk Analysis, missing Business Associate Agreements, weak access controls, unencrypted devices, delayed patient access responses, inadequate monitoring, and improper PHI disposal.
How should covered entities handle Business Associate Agreements?
Execute BAAs before sharing PHI, verify vendors’ security practices, define breach notification duties, ensure subcontractor flow-down, and review agreements during vendor onboarding, renewal, and after material changes.
What are the essential safeguards for protecting PHI?
Implement Administrative Safeguards (policies, risk management, access governance), Physical Safeguards (facility and media controls), and Technical Safeguards (MFA, encryption, logging). Align operations with the HIPAA Security Rule and maintain Privacy Rule Compliance across all uses and disclosures.