Are You a HIPAA Covered Entity? Decision Tool, Requirements, and Examples
Are you a HIPAA covered entity? If you create, receive, maintain, or transmit Protected Health Information (PHI), the answer determines which federal rules you must follow and how you protect patient data. This guide explains the decision tool, entity types, and core compliance duties.
HIPAA’s Administrative Simplification provisions hinge on whether you conduct Electronic Health Transactions and on your organizational role. Below, you’ll find clear criteria, practical examples, and the requirements under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
Utilizing the Covered Entity Decision Tool
What the tool evaluates
The tool walks you through your role in health care and whether you conduct standard Electronic Health Transactions, such as claims, eligibility checks, enrollments, remittances, claim status, and prior authorizations. It then maps your answers to HIPAA covered entity categories.
How to use it effectively
- Identify your role: health care provider, health plan, or health care clearinghouse. If you are a vendor to these entities, you may be a business associate.
- Confirm whether you send or receive any HIPAA-standard transactions electronically—directly or through a vendor or billing service.
- Review the outcome: “covered entity,” “not a covered entity,” or “likely a business associate,” and note the next steps for compliance.
Interpreting results and edge cases
If you are a provider who never transmits standard transactions electronically, you may not be a covered entity under Administrative Simplification. Employers themselves are not covered entities, but their group health plans usually are. Some small, self-administered group health plans may fall outside coverage, depending on participation and administration details.
Moving from decision to action
When the tool indicates you’re covered, prioritize appointing a privacy and security official, performing a risk analysis, issuing a Notice of Privacy Practices, and executing business associate agreements. These steps align your program with the HIPAA Privacy Rule and foundational Security Safeguards.
Identifying Health Care Providers
Who qualifies
Health care providers include physicians, dentists, chiropractors, therapists, clinics, pharmacies, labs, and similar professionals or facilities. You become a HIPAA covered entity when, in connection with your services, you transmit any HIPAA-standard transaction electronically, whether directly or through a vendor acting for you.
Common covered examples
- A physician group submitting claims through a clearinghouse.
- A physical therapist verifying eligibility online before visits.
- A pharmacy receiving electronic prescribing and sending claims for payment.
Situations that may not trigger coverage
Cash-only practices that do not send claims, eligibility checks, or other standard transactions electronically may not be covered entities. Even then, you handle PHI and should apply strong privacy practices and Security Safeguards.
Defining Health Plans
What counts as a health plan
Health plans pay for or provide the cost of medical care. This category includes health insurers, HMOs, Medicare Advantage plans, Medicaid, Medicare prescription drug plans, employer-sponsored group health plans, dental and vision plans, and employee assistance programs that offer medical benefits.
Key nuances and examples
- Covered: a national insurer processing enrollments and claims electronically.
- Covered: an employer’s group health plan that handles eligibility and claim payments.
- Often not covered: workers’ compensation or auto insurers acting solely under those programs.
- Special case: some small, self-administered group health plans may not be covered, depending on size and administration specifics.
Understanding Health Care Clearinghouses
Core function and standards
Health care clearinghouses convert nonstandard health information into standard formats (and vice versa) for other entities. They must follow Health Care Clearinghouse Standards established under HIPAA Administrative Simplification for transactions and code sets.
Examples in practice
- A billing service translating a provider’s data into X12 transactions for payers.
- A switch network routing claims and remittances between providers and health plans.
- A repricing organization standardizing data as part of claims processing.
HIPAA Privacy Rule Requirements
Scope and permitted uses
The HIPAA Privacy Rule governs how you use and disclose PHI for treatment, payment, and health care operations, and when you must obtain an authorization. You must apply the minimum necessary standard to limit PHI to what’s needed for the purpose.
Individual rights and notices
- Provide a clear Notice of Privacy Practices describing your uses, disclosures, and rights.
- Honor rights of access, amendment, accounting of disclosures, and requested restrictions where applicable.
- Accommodate confidential communications, such as sending information to an alternate address.
Business associate management
Vendors that create, receive, maintain, or transmit PHI on your behalf are business associates. Execute business associate agreements that set privacy, Security Safeguards, and breach duties aligned with the Breach Notification Rule.
HIPAA Security Rule Compliance
Risk analysis and program governance
The Security Rule applies to electronic PHI (ePHI). Start with a comprehensive risk analysis, then implement risk management, assign a security official, and establish policies, procedures, and workforce training.
Administrative, physical, and technical safeguards
- Administrative: access management, workforce training, contingency planning, vendor oversight.
- Physical: facility access controls, workstation security, device/media protections.
- Technical: unique user IDs, role-based access, audit controls, integrity and transmission protections, encryption where appropriate.
Document decisions for addressable specifications and routinely reassess controls as systems, threats, and workflows evolve.
Breach Notification Obligations
What qualifies as a breach
A breach is an impermissible use or disclosure of unsecured PHI that compromises its privacy or security; such a use or disclosure is presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised. The four factors are the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Who to notify and when
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Report the breach to HHS, and if it affects 500 or more residents of a state or jurisdiction, notify prominent media serving that area as well. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually.
Practical scenarios
- Lost, unencrypted laptop containing ePHI: likely a notifiable breach requiring individual and HHS notice.
- Misdirected fax to a wrong provider who promptly deletes it and confirms no further disclosure: risk may be low after mitigation.
Summary
Determining “Are You a HIPAA Covered Entity?” turns on your role and whether you conduct standard electronic transactions. Providers, health plans, and clearinghouses that handle PHI must meet the HIPAA Privacy Rule, implement Security Safeguards under the Security Rule, and follow the Breach Notification Rule when incidents occur.
FAQs
What criteria determine a HIPAA covered entity?
You are a covered entity if you are a health care provider, health plan, or health care clearinghouse that creates, receives, maintains, or transmits PHI and conducts standard Electronic Health Transactions electronically. The exact status depends on your role and transaction activity under Administrative Simplification.
How does the Covered Entity Decision Tool work?
The tool asks about your organizational role and whether you send or receive HIPAA-standard transactions like claims and eligibility checks. Based on your answers, it indicates whether you are likely a covered entity or a business associate and points to the next steps for compliance.
What are the HIPAA compliance requirements for covered entities?
Covered entities must follow the HIPAA Privacy Rule, implement administrative, physical, and technical Security Safeguards for ePHI under the Security Rule, manage business associates, and comply with the Breach Notification Rule after qualifying incidents. They must also provide required notices and honor individual rights.
What examples illustrate different types of covered entities?
Examples include a physician practice submitting electronic claims (provider), a regional HMO processing enrollments and claims (health plan), and a billing clearinghouse converting nonstandard data to standard formats (clearinghouse). Each handles PHI and must meet the applicable HIPAA requirements.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.