Are You a Covered Entity Under HIPAA? Quick Compliance Checklist

Kevin Henry

HIPAA

December 30, 2024

6 minute read

Covered Entity Definition

If you are a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions (such as billing), you are a covered entity under HIPAA. Your obligations center on safeguarding Protected Health Information (PHI), including electronic PHI (ePHI), across your operations.

Quick self-check

  • Health plans: group health plans, HMOs, insurers, and employer-sponsored self-insured plans qualify.
  • Health care providers: any provider (from solo practices to telehealth) who bills or checks eligibility electronically is covered.
  • Clearinghouses: entities that translate nonstandard health data to standard formats are covered.
  • Hybrid entities: organizations with both covered and non-covered components must formally designate their health care components.
  • Business associates: vendors are not covered entities, but they must sign Business Associate Agreements and comply with applicable safeguards.

Protected Health Information essentials

  • PHI is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate.
  • PHI includes demographic data combined with health status, care, or payment details; ePHI is the electronic form of PHI.
  • De-identified data is not PHI; education records under FERPA and certain employment records are generally excluded.

Conduct Risk Assessments

The HIPAA Security Rule requires an ongoing risk analysis as part of your Administrative Safeguards. Perform risk assessments regularly to identify threats, gauge likelihood and impact, and document risk management decisions that drive your security program and compliance audits.

Practical steps

  • Inventory systems, vendors, and workflows that create, receive, maintain, or transmit ePHI.
  • Map data flows end-to-end (collection, storage, transmission, and disposal) to locate exposure points.
  • Identify vulnerabilities (e.g., weak access controls, unpatched systems, unsecured endpoints) and credible threats.
  • Rate likelihood and impact, assign risk levels, and prioritize remediation with clear owners and timelines.
  • Document methodology, findings, and corrective actions; review at least annually and upon significant changes.

Appoint a Privacy Officer

Designate a HIPAA Privacy Officer to oversee privacy compliance and, where distinct, a Security Officer to run your security program. Clear Privacy Officer Responsibilities align policy, training, incident handling, and Breach Notification Requirements across your organization.

Core duties

  • Develop, approve, and maintain privacy policies and procedures consistent with the Privacy Rule.
  • Oversee workforce training, acknowledgments, and sanctions for violations.
  • Manage patient rights requests (access, amendments, restrictions, confidential communications).
  • Coordinate investigations, risk assessments, and breach analyses with the Security Officer.
  • Lead internal compliance audits and report metrics to leadership.

Establish Business Associate Agreements

Before sharing PHI with vendors (e.g., EHR hosts, billing services, cloud providers, email and e-fax platforms), execute Business Associate Agreements that bind them to HIPAA obligations and the HIPAA Security Rule.

What strong BAAs include

  • Permitted and required uses/disclosures of PHI, with minimum necessary standards.
  • Administrative Safeguards, physical and technical safeguards, and documentation obligations.
  • Breach Notification Requirements: prompt reporting timelines, content, and cooperation duties.
  • Subcontractor flow-down: all downstream vendors handling PHI must sign equivalent terms.
  • Right to audit, incident cooperation, data return/destruction, and termination for cause.

Implement Security Measures

Apply risk-based controls across Administrative, Physical, and Technical Safeguards to protect ePHI. Your security measures should be proportional to your risks, environment, and resources but comprehensive enough to withstand scrutiny during compliance audits.

Administrative Safeguards

  • Access governance: role-based access, authorization processes, and periodic access reviews.
  • Security management: risk analysis, risk management plan, sanction policy, and activity reviews.
  • Workforce security: background checks as appropriate, onboarding/offboarding, and training.
  • Contingency planning: data backups, disaster recovery, and emergency mode operations.
  • Vendor management: due diligence, BAAs, and ongoing monitoring of business associates.

Physical Safeguards

  • Facility access controls, visitor logs, and secured areas for servers and networking gear.
  • Workstation security: screen positioning, privacy filters, and automatic lock policies.
  • Device and media controls: encryption, secure disposal, and tracking of portable devices.

Technical Safeguards

  • Access controls: unique user IDs, multi-factor authentication, and least-privilege permissions.
  • Audit controls: centralized logging, immutable logs where feasible, and regular log reviews.
  • Integrity controls: change monitoring, anti-malware, and code-signing or hashing where applicable.
  • Transmission security: TLS for data in transit; strong encryption for data at rest.
  • Automatic logoff and session management for shared or kiosk workstations.

Provide Notice of Privacy Practices

Give individuals a clear Notice of Privacy Practices that explains how you use and disclose PHI, their rights, and your duties. Make it available at the first service encounter, post it prominently in physical locations, and publish it online if you have a website.

Execution essentials

  • Obtain and retain acknowledgment of receipt when feasible for direct treatment providers.
  • Keep the notice current; display the effective date and replace older versions as policies change.
  • Offer alternative formats or language access when needed to ensure comprehension.

Maintain Documentation and Training

Maintain written policies, procedures, risk analyses, incident logs, BAAs, and training records for at least six years from the date of creation or last effective date. Train all workforce members on job-relevant privacy and security requirements and document completion.

Operational must-haves

  • Centralized repository for policies, BAA inventory, and breach/incident documentation.
  • Annual training refreshers, role-specific modules, and tracking of attestations.
  • Scheduled internal compliance audits with corrective action follow-up and executive reporting.
  • Version control for policies and the Notice of Privacy Practices to prove continuous compliance.

By confirming your status as a covered entity under HIPAA and working this quick compliance checklist—risk assessments, governance, BAAs, security controls, notices, and rigorous documentation—you create a defensible program that protects patients and your organization.

FAQs

What entities qualify as covered entities under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions. Many organizations are hybrid entities and must designate their health care components; vendors that handle PHI on behalf of a covered entity are business associates and require Business Associate Agreements.

How often must covered entities perform risk assessments?

Perform a comprehensive risk analysis at least annually and whenever you introduce significant changes—such as new systems, major workflow updates, mergers, or new vendors. Treat risk management as continuous: reassess after security incidents and verify remediation during compliance audits.

What are the key responsibilities of a HIPAA Privacy Officer?

The Privacy Officer develops and maintains privacy policies, oversees workforce training and sanctions, manages patient rights requests, coordinates investigations and breach assessments with the Security Officer, leads compliance audits, and reports program status and risks to leadership.

When must breach notifications be sent out?

For unsecured PHI breaches, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If a breach affects 500 or more residents of a state or jurisdiction, notify prominent media in that area and report to HHS promptly; for fewer than 500 individuals, log and report to HHS annually according to Breach Notification Requirements.
