Are We a HIPAA Covered Entity? Checklist to Determine Your Status


Kevin Henry

HIPAA

January 28, 2025

6 minutes read

HIPAA Covered Entity Definition

To decide whether you are a HIPAA covered entity, start with the formal categories: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. If you fit one of these and handle protected health information (PHI), you are within HIPAA’s scope.

Use this quick status check: Do you provide medical services and send electronic claims, eligibility checks, prior authorizations, or remittance advice? Are you an insurer or group health plan that pays for care? Do you convert health data between formats for billing or exchange? A “yes” to any typically means you are a HIPAA covered entity.

  • Identify your role: provider, plan, or clearinghouse.
  • Confirm that you create, receive, maintain, or transmit PHI.
  • Verify that you conduct standard electronic transactions.
  • If you do not meet these criteria but handle PHI for others, you are likely a business associate and must execute business associate agreements (BAAs).

Conduct Risk Assessments

A risk assessment is the foundation of compliance. Inventory where PHI resides—systems, apps, devices, and vendors—and map data flows from collection to disposal. Evaluate threats and vulnerabilities, considering people, processes, and technology.

Rate likelihood and impact, document findings, and drive a risk management plan with owners and deadlines. Reassess at least annually and after material changes to your environment or operations.

  • Catalog PHI, systems, users, and third parties.
  • Evaluate administrative safeguards, physical safeguards, and technical safeguards against identified risks.
  • Prioritize gaps, implement remediation, and track to closure.
  • Maintain evidence: risk analysis, decisions, and approvals.

Appoint a Privacy Officer

Designate a privacy officer to own your privacy policies, procedures, and workforce training. This leader coordinates complaint resolution, oversees uses and disclosures, and ensures the “minimum necessary” standard is applied to PHI.

Define clear responsibilities and authority. The privacy officer should work closely with the security lead, monitor regulatory changes, review incidents, manage BAAs, and report program status to leadership.

  • Formally assign the role and publish contact details.
  • Document a charter covering policy governance, oversight, and escalation paths.
  • Allocate resources for training, audits, and continuous improvement.

Implement Security Rule Compliance

Translate your risk assessment into concrete controls aligned to the Security Rule’s three pillars. Ensure controls are right-sized for your environment and documented from policy to procedure to proof.

  • Administrative safeguards: risk management, workforce training, sanctions, access authorization, contingency planning, and vendor risk management.
  • Physical safeguards: facility access controls, workstation security, device and media controls, secure disposal, and visitor management.
  • Technical safeguards: unique user IDs, multi-factor authentication, role-based access, encryption in transit and at rest, audit logs, integrity monitoring, and secure transmission protocols.

Embed these controls into daily operations—change management, patching, vulnerability management, and incident response—so compliance is sustained, not episodic.


Establish Business Associate Agreements

Identify every vendor or partner that creates, receives, maintains, or transmits PHI on your behalf—billing services, cloud storage, EHR hosting, telehealth platforms, analytics firms, and consultants. Execute business associate agreements before sharing PHI.

Each BAA should define permitted uses and disclosures, required safeguards, reporting duties, subcontractor flow-downs, and termination obligations. Maintain a current inventory and monitor compliance throughout the vendor lifecycle.

  • Confirm whether a relationship involves PHI; if yes, require a BAA.
  • Include safeguard obligations (administrative, physical, technical) and breach reporting timelines.
  • Flow down requirements to subcontractors and address return/secure destruction of PHI at termination.
  • Document diligence, ongoing monitoring, and issue remediation.

Maintain Documentation and Training

Keep a complete, current record of your program: the risk analysis and risk management plan, privacy policies and procedures, access management, audit results, incident logs, BAAs, and device inventories. Retain records according to policy and legal requirements.

Train your workforce on HIPAA basics, role-specific practices, acceptable use, and incident reporting. Validate understanding with attestations and refresh training regularly; track completion and remediate gaps promptly.

  • Publish and review privacy policies and procedures on a set cadence.
  • Maintain training plans, completion logs, sanctions, and acknowledgments.
  • Update documentation after system, vendor, or process changes.

Develop a Breach Notification Plan

Prepare for incidents involving unsecured PHI with a clear, rehearsed plan. Define how you triage alerts, contain threats, preserve evidence, and perform a risk-of-compromise assessment to determine if notification is required.

Your plan should outline breach notification requirements to individuals, regulators, and—when applicable—the media, along with internal approval workflows and templates. Coordinate timelines with any obligations set in your BAAs and align communications with your legal and executive teams.

  • Establish incident intake, severity classification, and escalation paths.
  • Document criteria for breach vs. security incident and required notifications.
  • Prebuild contact lists, message templates, and response playbooks.
  • Run tabletop exercises and capture lessons learned to strengthen controls.

In summary, confirm whether you are a HIPAA covered entity, then operationalize compliance: assess risk, assign ownership, implement safeguards, manage BAAs, document thoroughly, train your workforce, and prepare to respond effectively to any PHI incident.

FAQs

What entities qualify as HIPAA covered entities?

Covered entities include health plans (such as insurers and group health plans), health care clearinghouses that convert data between formats, and health care providers who transmit health information electronically in connection with standard transactions. If these organizations handle protected health information, they are subject to HIPAA.

How do I determine if my organization is a covered entity?

Evaluate your role and workflows. If you provide care or pay for care and perform standard electronic transactions (claims, eligibility, authorizations, remittances), you are likely a HIPAA covered entity. If you do not meet those categories but handle PHI on behalf of a covered entity, you are a business associate and must execute business associate agreements.

What are the main responsibilities of a HIPAA covered entity?

Key responsibilities include protecting PHI through administrative safeguards, physical safeguards, and technical safeguards; maintaining privacy policies and procedures; conducting risk assessments and remediation; training the workforce; managing vendors with BAAs; and meeting breach notification requirements when applicable.

How often should HIPAA policies be reviewed and updated?

Review and update HIPAA policies at least annually and whenever there are material changes to systems, vendors, regulations, or operations. Refresh training accordingly, document revisions, and keep evidence of approvals and workforce acknowledgments.
