Are You a HIPAA Covered Entity? Definition Checklist and Risk Areas

Kevin Henry

HIPAA

December 29, 2024


Define HIPAA Covered Entities

If you create, receive, maintain, or transmit Protected Health Information (PHI) or Electronic Protected Health Information (ePHI) as part of standard health care transactions, you may be a HIPAA covered entity. In HIPAA, covered entities are limited to health plans, health care clearinghouses, and health care providers who conduct certain transactions electronically.

This guide clarifies each of those categories and spotlights where organizations commonly misjudge their status. Use the checklists to self-screen quickly, then dig into the risk areas that regulators scrutinize.

Definition checklist

  • Do you operate a health plan (e.g., group health plan, insurer, HMO, government program)?
  • Do you provide health care and transmit eligibility, claims, referrals, or payment data electronically?
  • Do you convert health data between standard and nonstandard formats for others (a clearinghouse function)?
  • Do you maintain systems that store or route Electronic Protected Health Information (ePHI) tied to these transactions? (Storing ePHI alone does not make you a covered entity; what matters is whether you fall into one of the three categories above.)
  • Do you contract with vendors who handle PHI/ePHI on your behalf? Such vendors are business associates. Having them does not make you a covered entity, but if you are one, each of them needs a Business Associate Agreement (BAA).

Common risk areas

  • Misclassifying your organization (e.g., assuming “cash-only” means not covered despite electronic transactions elsewhere).
  • Overlooking ePHI stored in email, backups, or cloud tools used for billing or claims.
  • Missing Business Associate Agreements (BAAs) with vendors that access PHI/ePHI.

Identify Health Plans

Health plans include insurers, HMOs, employer-sponsored group health plans, government health programs, and certain long-term care plans. If you administer benefits, pay claims, or determine eligibility, you likely function as a covered health plan for HIPAA purposes.

Quick checklist

  • You sponsor or administer a group health plan (fully insured or self-funded).
  • You process enrollment/disenrollment, premium payments, eligibility, claim status, or coordination of benefits.
  • Your plan shares PHI/ePHI with third-party administrators (TPAs), pharmacy benefit managers, or wellness vendors.

Risk areas for health plans

  • Confusing the employer with the plan: the group health plan is the covered entity, not the employer that sponsors it. The plan documents must require adequate separation (the "firewall" in the regulatory sense: organizational and access separation, not a network device) so that employees performing plan administration functions cannot use PHI for employment-related decisions.
  • TPA oversight gaps: weak vendor monitoring, no BAA, or unclear breach notification paths.
  • Data minimization failures: sending more PHI than the minimum necessary for a transaction.

Recognize Health Care Providers

Health care providers are covered entities only if they transmit health information electronically in connection with standard transactions (e.g., claims, eligibility, referrals). This includes physicians, dentists, therapists, clinics, hospitals, pharmacies, labs, and telehealth practices.

Quick checklist

  • You submit claims or eligibility inquiries electronically (directly or through a billing service).
  • You use an EHR or portal that sends or receives standardized transaction data.
  • You store or transmit ePHI related to billing, scheduling, ordering, or prescribing.

Risk areas for providers

  • Believing that "paper-only" or "cash-only" eliminates coverage while a standard transaction still occurs electronically somewhere (e.g., a billing service submits claims or checks eligibility on your behalf; a provider who uses such a service is a covered entity).
  • Shadow IT: consumer apps, texting, or email that inadvertently store ePHI.
  • Insufficient Workforce Security: inconsistent onboarding/offboarding, access reviews, or role-based access controls.

Understand Health Care Clearinghouses

Health care clearinghouses convert nonstandard health information to standard formats and vice versa. Examples include billing services that normalize claim data, repricing companies, and community health information systems that translate data for multiple trading partners.

Quick checklist

  • You receive nonstandard health data from a provider/plan and return standard transactions (or the reverse).
  • You routinely map, validate, or reformat claim, payment, or eligibility data for others.
  • You maintain systems that store large volumes of ePHI for translation or routing.

Risk areas for clearinghouses

  • High data concentration without strong encryption, auditing, or segmentation.
  • Complex subcontractor chains with unclear BAAs and security requirements.
  • Insufficient monitoring of data transformations leading to privacy disclosures.

Explain Hybrid Entities

A hybrid entity is a single legal entity that performs both HIPAA-covered and non-covered functions. You must formally designate your health care components and apply HIPAA to those components and their shared support units that handle PHI/ePHI.

How to structure a hybrid entity

  • Document health care components (e.g., campus clinic, pharmacy, employee health plan).
  • Establish safeguards to prevent improper PHI flow to non-covered components.
  • Define BAAs for vendors supporting the designated components.
  • Apply the HIPAA Security Rule to ePHI within health care components and shared services.

Risk areas for hybrid entities

  • Vague or outdated component designations that don’t match actual operations.
  • Shared IT and HR services without access controls separating PHI from non-covered units.
  • Training gaps where non-covered staff can view PHI due to cross-functional workflows.

Clarify Business Associates

Business associates (BAs) are not covered entities, but they perform services for you that involve PHI/ePHI, such as EHR hosting, cloud storage, billing, claims processing, analytics, and transcription. BAs must sign a BAA and are directly liable for complying with the HIPAA Security Rule, the applicable Privacy Rule provisions, and the Breach Notification Rule.

BA essentials

  • Execute a written BAA defining permitted uses/disclosures and breach notification duties.
  • Require your BA to conduct a Risk Assessment and implement safeguards for ePHI.
  • Flow down obligations to subcontractors that access PHI/ePHI.

Risk areas involving BAs

  • Using vendors with “view-only” or incidental access and assuming no BAA is needed.
  • Unclear data residency, backup, and recovery responsibilities for ePHI.
  • Insufficient vetting of security controls, audit logs, and incident response capabilities.

Outline Risk Analysis Requirements

The HIPAA Security Rule requires covered entities and BAs to perform an accurate and thorough risk analysis of ePHI. You must identify where ePHI lives, evaluate threats and vulnerabilities, determine likelihood and impact, and implement risk management measures with documented follow-through.

Core elements you need

  • Inventory of systems, applications, devices, integrations, and vendors that create, receive, maintain, or transmit ePHI.
  • Risk Assessment methodology covering threats, vulnerabilities, existing controls, likelihood, impact, and risk levels.
  • Risk management plan mapping remediation actions, owners, timelines, and verification steps.
  • Security Official accountable for the program, reporting, and governance.
  • Administrative safeguards: policies, training, contingency planning, Sanction Policy, and Workforce Security controls.
  • Technical safeguards: access control, authentication, encryption, audit logging, integrity, and transmission security.
  • Physical safeguards: facility access, device/media controls, and secure disposal.
  • Ongoing activities: periodic reassessments, vendor oversight, incident response, and breach notification workflows.

Quick-start checklist

  • Map all data flows of ePHI across people, processes, apps, and vendors.
  • Evaluate top risks (e.g., lost devices, unauthorized access, misdirected email, cloud misconfiguration).
  • Prioritize fixes that reduce likelihood or impact—begin with access, encryption, and logging.
  • Document your Sanction Policy and enforce it consistently.
  • Assign and empower your Security Official to track remediation and training.
  • Repeat the Risk Assessment periodically and whenever major changes occur (new systems, vendors, or incidents). The Security Rule does not fix an interval; annual review is common practice.
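The inventory, threat/vulnerability, likelihood/impact, and risk-level steps listed under "Core elements you need" and the quick-start checklist above can be made concrete in a small risk register. The following is an added example, not code from the original article or from Accountable: it takes a constructed ePHI system inventory, flags missing controls and vendor relationships without a BAA, and produces findings ordered by a 3x3 likelihood x impact score. The matrix, thresholds, asset names, and vendors are assumptions for illustration; HIPAA requires a documented likelihood/impact judgement but prescribes no particular scale.

```python
"""Added example (not the article's own code): a minimal ePHI risk register
that turns a system inventory into scored, prioritized findings.
Scoring uses an assumed 3x3 likelihood x impact matrix; asset names,
vendors and values are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    holds_ephi: bool
    owner: str = "unassigned"
    vendor: Optional[str] = None   # outside party operating the asset (a potential BA)
    baa_signed: bool = False
    encrypted_at_rest: bool = True
    audit_logging: bool = True
    mfa_enforced: bool = True


@dataclass
class Finding:
    asset: str
    owner: str
    threat: str
    remediation: str
    likelihood: int   # 1 = rare, 2 = possible, 3 = likely
    impact: int       # 1 = minor, 2 = moderate, 3 = severe (reportable breach of ePHI)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Thresholds are an assumption of this example, not a HIPAA requirement.
        if self.score >= 6:
            return "High"
        if self.score >= 3:
            return "Medium"
        return "Low"


# Control gap -> (threat, remediation, likelihood, impact). Values are illustrative.
CONTROL_RULES = {
    "encrypted_at_rest": ("Lost or stolen device/media exposes readable ePHI",
                          "Enable encryption at rest; document key management", 2, 3),
    "audit_logging": ("Unauthorized access to ePHI goes undetected",
                      "Enable audit logging and periodic log review", 2, 2),
    "mfa_enforced": ("Stolen credentials grant access to ePHI",
                     "Enforce MFA for all accounts that can reach ePHI", 3, 3),
}


def assess(assets: list) -> list:
    """Return findings for every ePHI-bearing asset, highest risk first."""
    findings = []
    for a in assets:
        if not a.holds_ephi:
            continue  # out of scope for the ePHI risk analysis
        # A vendor-operated asset with no BAA is a finding in its own right.
        if a.vendor and not a.baa_signed:
            findings.append(Finding(
                a.name, a.owner,
                f"{a.vendor} handles ePHI with no Business Associate Agreement",
                f"Execute a BAA with {a.vendor} or stop sharing ePHI", 3, 3))
        for attr, (threat, fix, lik, imp) in CONTROL_RULES.items():
            if not getattr(a, attr):
                findings.append(Finding(a.name, a.owner, threat, fix, lik, imp))
    # Stable sort keeps inventory order among equal scores.
    return sorted(findings, key=lambda f: -f.score)


def risk_register(assets: list) -> list:
    """Flattened rows suitable for the written risk management plan."""
    return [{"asset": f.asset, "owner": f.owner, "level": f.level, "score": f.score,
             "threat": f.threat, "remediation": f.remediation}
            for f in assess(assets)]


# Constructed sample inventory (hypothetical systems and vendors).
SAMPLE_INVENTORY = [
    Asset("ehr-prod", True, owner="IT Ops", vendor="ExampleHost",
          baa_signed=True, mfa_enforced=False),
    Asset("billing-file-share", True, owner="Revenue Cycle",
          encrypted_at_rest=False, audit_logging=False),
    Asset("wellness-portal", True, owner="HR Benefits",
          vendor="ExampleWellness", baa_signed=False),
    Asset("public-website", False, owner="Marketing"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_INVENTORY):
        print(f"[{row['level']:6}] {row['asset']:20} {row['threat']} "
              f"-> {row['remediation']} (owner: {row['owner']})")
```

Each finding carries an owner and a remediation action, so the output doubles as the skeleton of the risk management plan; re-running it after a change to the inventory is the "periodic reassessment" step. Note that the no-BAA case is scored as a control gap rather than treated as an accepted risk: a vendor with persistent access to ePHI needs an executed BAA regardless of how strong its technical controls are.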

Conclusion

To determine if you are a HIPAA covered entity, confirm whether you are a health plan, health care provider engaging in electronic transactions, or a clearinghouse. If you operate mixed functions, use the hybrid model; if vendors handle PHI/ePHI, manage them as business associates. Then anchor compliance with a living Risk Assessment program aligned to the HIPAA Security Rule, clear accountability, and focused safeguards.

FAQs

What entities are considered covered under HIPAA?

HIPAA covers health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions. These entities handle PHI and ePHI and must implement required Privacy and Security Rule safeguards.

How does a hybrid entity affect HIPAA compliance?

A hybrid entity designates its health care components and applies HIPAA only to those components (and any shared services handling PHI/ePHI). You must formally document the designation, separate access, train staff accordingly, manage BAAs, and apply Security Rule controls to ePHI within the designated components.

What are the key risk management requirements for covered entities?

You need an accurate, thorough Risk Assessment; a written risk management plan; a named Security Official; administrative, technical, and physical safeguards; a Sanction Policy; Workforce Security controls; vendor oversight for BAs; and ongoing monitoring, training, incident response, and breach notification processes. The Risk Assessment must be documented and kept current; HHS guidance treats it as an ongoing process rather than a one-time deliverable.

What role do business associates play under HIPAA?

Business associates perform services for covered entities that involve PHI/ePHI. They must sign BAAs, comply with the HIPAA Security Rule and relevant Privacy Rule provisions, conduct their own Risk Assessment, protect ePHI with appropriate safeguards, and notify the covered entity of incidents and breaches.
