Are We a HIPAA Covered Entity? Organizational Checklist and Compliance Risks
Determining whether you are a HIPAA covered entity is the first step to protecting Protected Health Information (PHI) and avoiding costly mistakes. This organizational checklist walks you through the three covered-entity categories, then outlines Risk Assessment Standards, safeguards, Business Associate Agreement Requirements, and key compliance risks.
Use this guide to decide if your operations fall under the HIPAA Privacy Rule and HIPAA Security Rule—especially where Electronic Protected Health Information (ePHI) is created, received, maintained, or transmitted.
Identifying Healthcare Providers
You are a covered health care provider if you furnish, bill, or are paid for health care and transmit health information electronically in connection with standard transactions (for example, claims, eligibility checks, or referrals). The trigger is the electronic transmission of such data, not your size, specialty, or payment model.
Provider status checklist
- Do you submit claims, eligibility inquiries, prior authorizations, or remittance advice electronically to or from a health plan?
- Do you use an EHR, billing platform, clearinghouse, or vendor that transmits PHI on your behalf?
- Do you exchange ePHI with other providers or plans for treatment, payment, or operations?
- If you are part of a larger organization, have you designated health care components (hybrid entity) and separated non-covered functions?
Common edge cases to review
- Telehealth, remote monitoring, and digital therapeutics platforms that transmit ePHI.
- Cash-pay or direct care practices that still use vendors sending standard transactions.
- Labs, imaging centers, and university clinics embedded within larger institutions.
Assessing Health Plans
Health plans are covered entities. They include insurers, HMOs, government programs, employer-sponsored group health plans, HRAs, and certain FSAs. Employers themselves are not covered entities, but the group health plan they sponsor typically is.
Health plan status checklist
- Do you sponsor or operate a group health plan? (Health plans are covered entities by definition; unlike providers, there is no electronic-transaction trigger, so a paper-only plan is still covered.)
- Do plan administrators or TPAs access ePHI to pay claims or manage benefits?
- Have plan documents been amended to permit the plan sponsor to receive only the minimum necessary PHI?
- Have you verified whether any small, employer-administered plan exemptions apply and documented that analysis?
Key distinctions
- Maintain a strict boundary between employer HR records and plan PHI.
- When in doubt, treat plan operations as subject to the HIPAA Privacy Rule and HIPAA Security Rule for ePHI.
Recognizing Healthcare Clearinghouses
Healthcare clearinghouses transform nonstandard health information into standard formats (and vice versa). Examples include electronic data interchange (EDI) translators that convert billing data for standard transactions. Clearinghouses are covered entities regardless of whether they serve providers or plans.
Clearinghouse status checklist
- Do you convert health information between nonstandard and standard transaction formats for others?
- Do you act as an intermediary routing standardized transactions between providers and plans?
- If you provide broader billing or practice management services, is any component functioning as a clearinghouse?
If you do not meet the clearinghouse definition but still handle PHI for a covered entity, you are likely a business associate and need a Business Associate Agreement.
Conducting Risk Assessments
The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires an accurate and thorough risk analysis of threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Align your process to recognized Risk Assessment Standards, such as NIST SP 800-30, which HHS guidance references, to ensure completeness and repeatability.
Core steps
- Define scope: inventory systems, applications, devices, users, and data flows that create, receive, maintain, or transmit ePHI.
- Identify threats and vulnerabilities: consider technical, administrative, and physical factors plus third-party and cloud risks.
- Evaluate likelihood and impact to derive risk ratings; document assumptions and evidence.
- Map existing controls to the HIPAA Security Rule and note gaps.
- Create a prioritized remediation plan with owners, timelines, and acceptance criteria.
- Document results, obtain leadership approval, and update after significant changes or at planned intervals.
Frequent pitfalls
- Using generic templates that miss your actual assets and data flows.
- Overlooking mobile devices, messaging, telehealth, backups, or vendor-hosted systems.
- Failing to document decisions, residual risks, and evidence of execution.
Implementing Safeguards
Safeguards convert assessment insights into controls required by the HIPAA Security Rule and supported by the HIPAA Privacy Rule’s minimum necessary standard. Focus on layered defenses across administrative, technical, and physical domains.
Administrative safeguards
- Governance: policies, standards, role-based access procedures, and sanction processes.
- Workforce: security and privacy training, awareness, and background checks as appropriate.
- Vendor oversight: due diligence, BAAs, and continuous monitoring of third parties.
- Contingency planning: backups, disaster recovery, and tested incident response.
Technical safeguards
- Access controls with unique IDs, least privilege, and multi-factor authentication.
- Encryption of ePHI in transit and at rest; secure key management.
- Audit controls: centralized logging, alerting, and regular review of access and changes.
- Integrity controls: anti-malware, patching, configuration baselines, and change management.
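As an added illustration of the audit-controls bullet above (this is example code written for this page, not code from the original article or from Accountable), the following Python reviews a constructed ePHI access log for three patterns a periodic access review commonly looks for: off-hours chart access by non-clinical staff, access to a chart with no documented care-team relationship, and many distinct charts opened in a short window. The pipe-delimited log format, the role names, the care-team table, the business-hours window and the bulk threshold are all assumptions chosen for the example; real EHR audit logs and your own thresholds will differ.

```python
"""Review ePHI access logs for events that merit a human look.

Added illustration for the "audit controls" safeguard; not code from the page
or from any product. The log format, roles, CARE_TEAM table and thresholds are
assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one ePHI access event per line.
# Assumed format: ISO timestamp | user | role | patient_id | action
SAMPLE_LOG = """\
2024-03-04T09:12:00 | dr.lee | physician | P1001 | view
2024-03-04T09:15:00 | dr.lee | physician | P1002 | view
2024-03-04T02:41:00 | bclark | billing | P1001 | view
2024-03-04T10:00:00 | nurse.kim | nurse | P1003 | view
2024-03-04T10:01:00 | nurse.kim | nurse | P2001 | view
2024-03-04T11:00:00 | tmorgan | registration | P3001 | view
2024-03-04T11:00:30 | tmorgan | registration | P3002 | view
2024-03-04T11:01:00 | tmorgan | registration | P3003 | view
2024-03-04T11:01:30 | tmorgan | registration | P3004 | view
2024-03-04T11:02:00 | tmorgan | registration | P3005 | export
"""

# Assumed care-team assignments: users with a documented treatment or payment
# relationship to each patient. Anyone else opening the chart is flagged.
CARE_TEAM = {
    "P1001": {"dr.lee", "bclark"},
    "P1002": {"dr.lee"},
    "P1003": {"nurse.kim"},
    "P2001": {"dr.lee"},
}

CLINICAL_ROLES = {"physician", "nurse"}
BUSINESS_HOURS = (7, 19)            # start hour inclusive, end hour exclusive
BULK_WINDOW = timedelta(minutes=5)  # look-back for the bulk-access rule
BULK_THRESHOLD = 5                  # distinct patients within BULK_WINDOW


def parse_log(text):
    """Parse the assumed pipe-delimited format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def review_access(events, care_team=CARE_TEAM):
    """Return (rule, user, detail) findings for the three review rules."""
    findings = []
    per_user = defaultdict(list)
    for e in events:
        # Rule 1: non-clinical staff opening charts outside business hours.
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if e["role"] not in CLINICAL_ROLES and not in_hours:
            findings.append(("off_hours", e["user"], e["patient"]))
        # Rule 2: access with no documented relationship to the patient.
        if e["user"] not in care_team.get(e["patient"], set()):
            findings.append(("no_relationship", e["user"], e["patient"]))
        per_user[e["user"]].append(e)
    # Rule 3: many distinct patients in a short window (snooping, bulk export).
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            patients = {x["patient"] for x in window}
            if len(patients) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, f"{len(patients)} patients"))
                break  # one finding per user is enough for review
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_access(parse_log(SAMPLE_LOG)):
        print(f"{rule:16} {user:12} {detail}")
```

Run as a script it prints one line per finding; in the sample the billing user's 02:41 access is flagged as off-hours, the nurse's access to P2001 and the registration user's five charts are flagged as lacking a documented relationship, and the registration user is additionally flagged for bulk access. Stacked findings like the last two are the point: a single rule rarely proves misuse, so the review output should feed a ticket for a human to confirm against the workforce member's duties, not an automatic sanction.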
Physical safeguards
- Facility access controls, visitor management, and environmental protections.
- Device and media controls: secure disposal, re-use procedures, and encryption on portable media.
Establishing Business Associate Agreements
Business associates create, receive, maintain, or transmit PHI on behalf of a covered entity or another business associate. Before sharing PHI, execute a BAA that specifies Business Associate Agreement Requirements and embeds enforceable protections.
When a BAA is required
- Cloud hosting, EHR vendors, billing services, transcription, analytics, and telehealth platforms handling PHI for you.
- Consultants, MSPs, and data destruction vendors with potential PHI access.
- Subcontractors to your business associates that will handle PHI (flow-down obligation).
What your BAA should include
- Permitted and required uses/disclosures of PHI with a minimum necessary commitment.
- Security obligations aligned to the HIPAA Security Rule for ePHI, including breach and incident reporting timelines.
- Requirements to ensure subcontractor compliance and to implement appropriate safeguards.
- Right to audit, cooperation in investigations, and prompt mitigation of issues.
- Termination rights, and return or secure destruction of PHI at contract end.
Managing Compliance Risks
Compliance is an ongoing program, not a one-time project. Establish governance, track remediation, monitor vendors, and maintain documentation that demonstrates adherence to the HIPAA Privacy Rule and HIPAA Security Rule.
Program essentials
- Annual (or change-driven) risk analysis with documented risk management actions.
- Written policies and procedures, versioned and approved, with workforce training and attestations.
- Access reviews, audit log monitoring, and periodic technical tests of critical controls.
- Incident response with clear triage, investigation, and breach notification workflows.
- Vendor risk management: due diligence, BAA inventory, and performance monitoring.
Compliance Penalties and exposures
- Civil monetary penalties, corrective action plans, and extended oversight for significant or willful violations.
- Contractual exposure with customers and partners, including indemnity and termination risk.
- Reputational harm, operational disruption, and costs for forensics, notification, and remediation after incidents.
Bottom line: confirm whether you are a HIPAA covered entity, complete a thorough risk assessment, implement layered safeguards, and use strong BAAs. Doing so reduces risk to patients, your organization, and your stakeholders.
FAQs
What criteria define a HIPAA covered entity?
An organization is a HIPAA covered entity if it is a health care provider that transmits standard electronic transactions, a health plan, or a health care clearinghouse. If you do not meet those definitions but handle PHI for one of them, you are likely a business associate instead.
How do organizations determine their covered entity status?
Map your functions to provider, plan, or clearinghouse roles; verify whether you transmit standard electronic transactions; and document where PHI and ePHI flow. If only parts of your organization perform covered functions, designate a hybrid entity and define health care components to isolate covered operations.
What are the consequences of failing HIPAA risk assessments?
Gaps remain unidentified, raising breach likelihood and enforcement exposure. Regulators may view the absence of a credible risk analysis and risk management plan as a serious deficiency, leading to investigations, corrective action plans, and potential civil penalties.
How do business associate agreements protect patient data?
BAAs require business associates to implement safeguards, limit PHI use and disclosure, flow down obligations to subcontractors, and notify you of incidents and breaches. They create accountability, clarify roles, and reinforce security and privacy requirements that protect patient data.
Ready to assess your HIPAA security risks?
Join thousands of organizations that use Accountable to identify and fix their security gaps.
Take the Free Risk Assessment