Are You a Covered Entity Under HIPAA? Practical Guide for Organizations

Kevin Henry

HIPAA

January 28, 2025

6-minute read

Define Covered Entities

Under HIPAA, a covered entity is any organization that fits one of three categories: a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA-covered transaction. Whether you are a covered entity under HIPAA depends on your functions, not just your industry label.

Covered entities handle protected health information (PHI), including electronic protected health information (ePHI), to deliver or pay for care. Many organizations are “hybrid entities,” where only specific departments perform covered functions. In practice, you should map business processes to see where PHI is created, received, maintained, or transmitted.

  • Health plans pay for medical care and manage benefits.
  • Health care clearinghouses convert nonstandard health data to standard formats (and vice versa).
  • Health care providers become covered when they conduct a HIPAA-covered transaction electronically, directly or through an intermediary.

Identify Health Plans

Health plans include individual and group plans that provide or pay the cost of medical care. If you administer benefits or pay claims, you likely fall into this category and must meet health plan compliance requirements.

  • Examples: HMOs, preferred provider organizations, Medicare, Medicaid, TRICARE, and most employer-sponsored group health plans.
  • Group health plans are covered entities; however, a self-administered plan with fewer than 50 participants is generally not treated as a covered entity.
  • Plan sponsors (employers) are not covered entities, but the plan itself is. Sponsors must establish plan documents and firewalls before receiving protected health information (PHI).

Not all benefit programs are health plans. Life insurance, disability benefits, and workers’ compensation programs typically are not HIPAA health plans, though they may be subject to other laws. Validate edge cases—such as employee assistance programs—to ensure the benefit truly provides or pays for medical care.

Recognize Health Care Providers

Any person or organization that furnishes, bills, or is paid for health care is a provider. You are a covered provider when you transmit health information electronically in a HIPAA-covered transaction. This includes sending claims via a practice management system or through a billing service acting on your behalf.

  • Typical covered providers: physicians, dentists, therapists, hospitals, clinics, laboratories, pharmacies, DME suppliers, and telehealth practices.
  • If you only use paper and never transmit standard electronic transactions, you may not be a covered entity—but most providers exchange eligibility, claims, or remittance data electronically at some point.

Health care provider obligations include safeguarding ePHI, following the minimum necessary standard, issuing a Notice of Privacy Practices when applicable, honoring patient rights (access, amendment, and more), executing business associate agreements, and training the workforce.

Explain Health Care Clearinghouses

Clearinghouses process health information to or from standard transaction formats used between providers and health plans. If your core business is translating, routing, or repricing health data between nonstandard and standard formats, you likely meet health care clearinghouse criteria.

  • Functions commonly performed: converting paper or proprietary claim files to standard EDI, validating data, aggregating transactions, and forwarding them to payers.
  • Examples: medical claims clearinghouses, repricing organizations, community health information systems, and value-added networks focused on HIPAA transactions.
  • Note: Pure data entry or general billing services that do not translate data into standard formats are typically business associates, not clearinghouses.

Comply with HIPAA Regulations

Covered entities must comply with the HIPAA privacy rule, the HIPAA security rule, and the breach notification rule. Together, these rules govern how you use, disclose, protect, and report issues involving PHI and ePHI.

  • Governance: designate privacy and security officials, conduct an enterprise-wide risk analysis, and maintain risk management plans with documented remediation.
  • Policies and procedures: address uses and disclosures, patient rights, minimum necessary, sanctions, complaint handling, and incident response. Retain documentation for at least six years.
  • Workforce measures: provide role-based training, manage access based on job duties, and apply sanctions for violations.
  • Business associates: execute business associate agreements before sharing ePHI with vendors (e.g., cloud hosts, billing companies, EHR providers).
  • Patient rights: process requests for access, amendments, accounting of disclosures, restrictions, and confidential communications within required timeframes.
  • Health plan compliance specifics: update plan documents, establish sponsor firewalls, and distribute required notices to participants.

Understand Electronic Health Transactions

A HIPAA-covered transaction is a standardized electronic exchange between providers, health plans, and clearinghouses. If you conduct any of these transactions electronically, you trigger covered entity status (for providers) and must use the designated standards.

  • Claims and encounters (e.g., professional and institutional claims) and coordination of benefits.
  • Eligibility inquiries and responses; claim status requests and responses.
  • Referrals and prior authorizations; payment and remittance advice.
  • Enrollment and disenrollment in a health plan; health plan premium payments.

These transactions typically use ASC X12N or NCPDP standards. Emailing a PDF or faxing a claim is not a standard transaction, but most operational workflows rely on certified systems that generate standard EDI under the hood. Clearinghouses exist to ensure your files meet these standards.

Implement Privacy and Security Measures

Turn compliance into daily practice through layered safeguards. Start with an accurate data inventory and map how ePHI flows across systems, locations, and vendors. Then apply administrative, physical, and technical controls aligned to the HIPAA security rule and reinforced by the privacy rule.

  • Administrative safeguards: risk analysis, risk mitigation plans, workforce training, vendor due diligence, access governance, and contingency planning with tested backups.
  • Physical safeguards: secure facilities, device and media controls, screen privacy, workstation placement, and protected storage and disposal of media.
  • Technical safeguards: unique user IDs, role-based access, multifactor authentication, automatic logoff, audit logging, encryption in transit and at rest, and network segmentation.
  • Data lifecycle: define retention schedules, de-identification or pseudonymization where appropriate, and irreversible disposal for end-of-life assets.
  • Monitoring and response: continuous logging, alerting for anomalous access, documented incident response, and timely breach notification assessments.

In summary, decide if you are a covered entity under HIPAA by examining your functions and transactions. Health plans, clearinghouses, and providers that conduct standard electronic exchanges must follow the HIPAA privacy rule and security rule, implement practical safeguards for ePHI, and maintain clear documentation, training, and vendor controls.

FAQs

What organizations qualify as covered entities under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA-covered transaction. Many employers sponsor group health plans that are covered entities even though the employer itself is not. Some organizations are hybrid entities, where only designated units perform covered functions.

How do covered entities handle electronic health information?

They manage electronic protected health information using the minimum necessary standard, access controls, encryption, and audit logs, and they restrict disclosures to permitted purposes such as treatment, payment, and health care operations. Vendors that create, receive, maintain, or transmit ePHI must sign business associate agreements, and incident response and breach notification processes must be in place.

What are the main compliance requirements for covered entities?

Core requirements include implementing the HIPAA privacy rule and HIPAA security rule, conducting a risk analysis, documenting policies and procedures, training the workforce, honoring patient rights, executing business associate agreements, and maintaining evidence of health plan compliance or health care provider obligations as applicable. Organizations must also retain documentation and follow established incident response and breach notification procedures.
