Are You a HIPAA Covered Entity? Examples, Checklist, and Compliance Tips
Determining whether you are a HIPAA Covered Entity is the first step to protecting Protected Health Information (PHI) and meeting the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. Use this guide to identify your status, see real-world examples, and apply practical checklists and compliance tips.
Identifying Healthcare Providers
You are a covered healthcare provider if you furnish, bill, or are paid for healthcare and you transmit health information electronically in connection with standard transactions (for example, claims, eligibility checks, referrals, or remittance advice). In practice, most modern providers meet this threshold.
Common examples
- Physician and dental practices, clinics, hospitals, ambulatory centers, and pharmacies.
- Therapists, chiropractors, optometrists, labs, radiology centers, and home health agencies.
- Telehealth practices that submit electronic claims or eligibility inquiries.
Edge cases to review
- Cash-only practices that never conduct standard electronic transactions are generally not covered entities. Business Associate status flows from a covered entity, so their vendors are not Business Associates on the practice's behalf, although the same vendor may be a Business Associate of other clients, and state health-privacy laws may still apply.
- Employee or student health clinics can be covered if they bill health plans electronically; otherwise, they may fall outside HIPAA as providers (separate from any covered group health plan).
- Wellness or consumer apps are typically not covered unless acting for a covered entity as a Business Associate.
Quick provider checklist
- Do you send or receive electronic claims, eligibility, or referral authorizations?
- Do you store, transmit, or process PHI in EHRs, e-fax, e-prescribing, or patient portals?
- Do you use billing services or clearinghouses for standard transactions?
Recognizing Health Plans
Health plans are covered entities. These include insurers, HMOs, Medicare, Medicaid, and most employer-sponsored group health plans that provide or pay for medical care. The employer itself is not the covered entity—the plan is.
Included vs. excluded
- Included: Group health plans (fully insured or self-funded), prescription drug plans, dental/vision plans, and certain Employee Assistance Programs that provide medical care.
- Excluded: A group health plan with fewer than 50 participants that is self-administered by the employer (no third-party administrator).
Health plan checklist
- Do you sponsor or administer a group health plan that pays for medical care?
- Does the plan have 50 or more participants, or is a third-party administrator involved? Either one removes the small self-administered plan exclusion and makes the plan subject to HIPAA.
- Do plan operations involve PHI (claims, appeals, case management)?
Understanding Healthcare Clearinghouses
Healthcare clearinghouses are entities that process nonstandard health information they receive from another entity into a standard format—or the reverse. They enable providers and plans to exchange HIPAA-standard transactions.
Examples
- Medical billing services or repricing companies that convert formats.
- Switches and EDI gateways that translate nonstandard data to standard X12 transactions.
- Community health information organizations serving as intermediaries for standard transactions.
Clearinghouse checklist
- Do you translate, reformat, or route health data to or from HIPAA-standard transactions?
- Do you receive PHI solely to convert formats for providers or plans?
- Do you apply edits or validation to standard transaction content?
Conducting Risk Assessments
Once you confirm covered-entity status, perform a Risk Analysis under the HIPAA Security Rule. Your goal is to identify where ePHI exists, evaluate threats and vulnerabilities, and prioritize mitigations. Align privacy practices with the HIPAA Privacy Rule’s minimum necessary standard.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Practical steps
- Inventory systems and data: EHRs, email, cloud storage, backups, devices, and third parties.
- Map PHI flows: collection, use, transmission, storage, and disposal.
- Identify threats/vulnerabilities: access control gaps, misconfigurations, unsecured endpoints, and human error.
- Rate likelihood and impact, document residual risk, and define remediation plans with owners and dates.
Evidence to retain
- Methodology, asset inventory, data flow diagrams, and findings.
- Risk register with ratings, decisions, and implementation status.
- Management sign-off and review cadence.
Frequency and triggers
- Review at least annually and after major changes (new EHR, cloud migration, merger, or incident).
- Reassess when new threats emerge or when audits identify control gaps.
Implementing Safeguards
Apply Administrative, Physical, and Technical Safeguards under the HIPAA Security Rule. Use the risk analysis to select appropriate, reasonable, and documented controls. Required implementation specifications must be implemented. For addressable specifications, document whether you implement the specification as written, implement an equivalent alternative measure, or conclude that neither is reasonable and appropriate for your environment, and record the reasoning behind that decision.
Administrative Safeguards
- Appoint a security official; establish policies, procedures, and workforce training.
- Manage access based on roles; enforce minimum necessary under the HIPAA Privacy Rule.
- Vendor management, incident response, and contingency planning (backup, disaster recovery, emergency mode operations).
- Ongoing security awareness, sanctions, and periodic evaluations.
Physical Safeguards
- Facility access controls and visitor management.
- Workstation security and screen privacy in clinical and remote settings.
- Device and media controls: encryption, tracking, secure disposal, and wipe procedures.
Technical Safeguards
- Unique user IDs, multi-factor authentication, and least-privilege access.
- Audit controls and centralized logging with alerting and retention.
- Integrity protections, secure configurations, and patch management.
- Transmission security: TLS for data in transit; strong encryption for data at rest where feasible.
Establishing Business Associate Agreements
A Business Associate is any vendor or subcontractor that creates, receives, maintains, or transmits PHI on your behalf. Before sharing PHI, you must execute a Business Associate Agreement (BAA) that binds the vendor to HIPAA obligations.
When you need a BAA
- EHR, billing, cloud hosting, backup, email, e-fax, texting, analytics, or MSP/MSSP services involving PHI.
- TPAs for group health plans, mailing/printing services, and data destruction vendors.
- Subcontractors of your Business Associates who handle PHI (downstream BAAs required).
What to include in a Business Associate Agreement
- Permitted uses and disclosures; minimum necessary application.
- Safeguards aligned to the HIPAA Security Rule and workforce training.
- Prompt incident and breach reporting, cooperation, and breach notification timelines.
- Subcontractor flow-down, access/accounting support, and right to audit.
- Return or secure destruction of PHI upon termination and remedies for noncompliance.
Common pitfalls
- Assuming a vendor “doesn’t see” PHI while it still stores or transmits it.
- Relying on marketing claims instead of a signed BAA and verified controls.
- Failing to inventory and review BAAs annually.
Preparing for Breach Notification
The Breach Notification Rule requires notice following a breach of unsecured PHI unless a documented risk assessment shows a low probability that PHI was compromised. Use a consistent four-factor analysis: nature of PHI, unauthorized person, whether PHI was actually acquired/viewed, and mitigation.
Step-by-step response plan
- Detect and contain: isolate affected systems, preserve logs, and stop further disclosure.
- Assess: perform the four-factor analysis, determine scope, and decide if notification is required.
- Coordinate: involve privacy/security officers, legal, leadership, and applicable Business Associates.
- Notify: send timely notices to affected individuals; notify HHS for every reportable breach (within 60 days of discovery for 500+ individuals, otherwise through the annual log); notify prominent media outlets when 500+ residents of a single state or jurisdiction are affected.
- Remediate: reset credentials, patch, improve controls, and retrain.
- Document: maintain risk assessments, decisions, notices, and corrective actions.
Timeline essentials
- Individuals: without unreasonable delay and no later than 60 calendar days after discovery.
- HHS: within 60 days of discovery if 500+ individuals are affected; otherwise, log and report to HHS within 60 days after the end of the calendar year.
- Media: if a breach affects 500+ residents of a state or jurisdiction.
- Business Associates: notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering the breach, so the covered entity can meet its own deadlines (BAAs commonly require a shorter contractual window).
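The timeline rules above are deterministic enough to encode in incident-response tooling, so responders are not computing deadlines by hand during an incident. The following Python is an added example, not code from the original article or from any Accountable product. The class and function names, the 60-day and 500-individual constants as written here, and the sample breach facts (states and headcounts) are constructed for illustration; the per-jurisdiction media test and the end-of-calendar-year annual-log deadline are the parts people most often get wrong.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Outer limit for individual and HHS notices after discovery (assumed constant, matches the
# "no later than 60 calendar days" rule described in the text).
NOTIFY_WINDOW_DAYS = 60
# 500+ affected individuals triggers HHS notice within the 60-day window; 500+ residents of a
# single state or jurisdiction triggers media notice for that jurisdiction.
LARGE_BREACH_THRESHOLD = 500


@dataclass
class BreachFacts:
    """Inputs an incident responder has after the four-factor analysis (constructed structure)."""
    discovered: date                          # date the covered entity is treated as having discovered the breach
    affected_by_state: dict[str, int]         # affected residents per state/jurisdiction, e.g. {"CA": 520}
    low_probability_of_compromise: bool = False  # documented outcome of the four-factor risk assessment


@dataclass
class NotificationPlan:
    notification_required: bool
    total_affected: int
    individual_deadline: date | None
    hhs_deadline: date | None
    hhs_report_type: str                      # "none", "within 60 days of discovery", or "annual log"
    media_jurisdictions: list[str] = field(default_factory=list)


def annual_log_deadline(discovered: date) -> date:
    """Breaches affecting fewer than 500 individuals are logged and submitted to HHS no later than
    60 days after the END of the calendar year in which they were discovered, not 60 days after
    discovery. That is 1 March in a non-leap year and 29 February in a leap year."""
    year_end = date(discovered.year, 12, 31)
    return year_end + timedelta(days=NOTIFY_WINDOW_DAYS)


def plan_notifications(facts: BreachFacts) -> NotificationPlan:
    """Decide which notices are owed and their outer deadlines from the breach facts."""
    total = sum(facts.affected_by_state.values())

    # A documented low-probability-of-compromise finding (or nothing affected) means the
    # incident is not a reportable breach. Keep the assessment on file either way.
    if facts.low_probability_of_compromise or total == 0:
        return NotificationPlan(False, total, None, None, "none")

    outer_limit = facts.discovered + timedelta(days=NOTIFY_WINDOW_DAYS)

    if total >= LARGE_BREACH_THRESHOLD:
        hhs_deadline, report_type = outer_limit, "within 60 days of discovery"
    else:
        hhs_deadline, report_type = annual_log_deadline(facts.discovered), "annual log"

    # Media notice is decided per jurisdiction: 600 people spread across two states with
    # 300 each owes HHS an immediate report but owes no media notice anywhere.
    media = sorted(
        state for state, count in facts.affected_by_state.items()
        if count >= LARGE_BREACH_THRESHOLD
    )

    return NotificationPlan(True, total, outer_limit, hhs_deadline, report_type, media)


if __name__ == "__main__":
    # Constructed sample: a misdirected mailing discovered on 15 March 2024.
    sample = BreachFacts(date(2024, 3, 15), {"CA": 520, "NV": 30})
    print(plan_notifications(sample))
```

Run it as a script to see the plan for the constructed sample, or call `plan_notifications` from an IR runbook. Treat the output as the outer legal limit only: your BAAs and internal policy will usually require notice sooner, and the discovery date itself is a legal determination (for example, when a Business Associate acting as your agent discovers a breach, that discovery may be imputed to you).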
Conclusion and next steps
If you are a provider, health plan, or clearinghouse—or you work with vendors handling PHI—you likely have HIPAA responsibilities. Confirm your status, complete a Risk Analysis, implement targeted safeguards, execute robust BAAs, and prepare a practiced breach response. These steps create a defensible, sustainable compliance program.
FAQs
What qualifies an organization as a HIPAA Covered Entity?
An organization is a HIPAA Covered Entity if it is a healthcare provider that conducts standard electronic transactions, a health plan that pays for medical care, or a healthcare clearinghouse that converts nonstandard data to standard formats (or vice versa). If you do not fit these categories but handle PHI for one of them, you may be a Business Associate.
How do HIPAA Business Associate Agreements work?
A Business Associate Agreement is a contract obligating a vendor that creates, receives, maintains, or transmits PHI to safeguard it, use it only as permitted, report incidents, flow down obligations to subcontractors, and return or destroy PHI at termination. You must have a signed BAA before sharing PHI and retain it as part of your compliance records.
What are the main safeguards required under HIPAA?
HIPAA requires Administrative, Physical, and Technical Safeguards. Administrative Safeguards include policies, training, risk analysis, and contingency planning. Physical Safeguards address facility and device protections. Technical Safeguards include access controls, audit logging, integrity protections, and transmission security. Apply the minimum necessary standard and document decisions.
What steps should be taken after a data breach involving PHI?
Contain the incident, preserve evidence, and analyze risk using the four factors. If notification is required, inform affected individuals without unreasonable delay (no later than 60 days), notify HHS as applicable, and provide media notice for large breaches. Coordinate with Business Associates, remediate root causes, and document all actions.