Are You a HIPAA Covered Entity Health Care Provider? Compliance Guide
Definition of Covered Entities
Under HIPAA’s Administrative Simplification provisions, a covered entity is one of three groups: health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with HIPAA-covered transactions. If you fit any of these categories, HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule apply to you.
The three covered entity types
- Health plans: insurers, HMOs, employer health plans, and government programs that pay for health care.
- Health care clearinghouses: intermediaries that translate nonstandard data to standard transaction formats and back.
- Health care providers: individuals or organizations furnishing, billing, or being paid for health care who conduct standard electronic transactions.
Protected health information (PHI)
Protected Health Information is any individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium. Electronic PHI (ePHI) triggers specific safeguards under the Security Rule in addition to the Privacy Rule’s use and disclosure standards.
What counts as a HIPAA-covered transaction?
- Electronic claims submission and coordination of benefits.
- Eligibility and benefits inquiries and responses.
- Claim status requests and remittance advice.
- Referral certification and prior authorization transactions.
- Enrollment, disenrollment, and premium payment transactions for health plans.
If your organization sends any of the above electronically—directly, through a billing service, or via a clearinghouse—you are operating as a covered entity for HIPAA purposes.
Health Care Providers as Covered Entities
You are a HIPAA covered entity health care provider if you transmit any patient health information electronically in connection with standard transactions. It does not matter whether you outsource billing or use a vendor platform—the obligation attaches to you as the provider.
Common provider scenarios
- Typical medical and dental practices that submit electronic claims or check eligibility are covered.
- Telehealth practices using platforms that bill insurers electronically are covered.
- Paper-only, cash-only providers that never conduct standard electronic transactions may not be covered, though state privacy laws can still apply.
- Hospitals and integrated delivery systems are covered and may designate components if operating as hybrid entities.
If you are unsure, map your revenue cycle. If any step—claims, eligibility, authorizations, or remittances—is electronic and standardized, you should treat your practice as a covered entity and implement full HIPAA compliance.
Compliance Requirements for Covered Entities
Privacy Rule: govern uses and disclosures of PHI
- Use and disclose PHI only as permitted for treatment, payment, and health care operations, or as otherwise authorized by the individual or required by law.
- Apply the minimum necessary standard to routine disclosures and requests.
- Publish and provide a Notice of Privacy Practices and honor patient rights (access, amendments, restrictions, confidential communications, and an accounting of disclosures).
- Establish privacy policies and procedures, designate a privacy official, train your workforce, and apply sanctions for violations.
Security Rule: safeguard ePHI
- Perform a risk analysis and implement risk management to address administrative, physical, and technical safeguards.
- Implement access controls, authentication, and audit controls; maintain the integrity and availability of ePHI with secure backups and a contingency plan.
- Use encryption for data at rest and in transit where reasonable and appropriate to reduce breach risk.
- Document security policies, assign a security official, and align your Health Information Technology configurations with those policies.
Breach Notification Rule: respond to incidents
- Investigate suspected incidents and conduct a risk assessment to determine if PHI has been compromised.
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify regulators and, for large incidents, the media as required.
- Maintain a log of smaller incidents and submit it annually; document decisions and mitigation steps.
- If PHI was properly encrypted and the keys were not compromised, the data is generally treated as secured and notification may not be required.
Operational foundations
- Maintain written policies, workforce training, and routine audits; refresh training at hire and periodically thereafter.
- Inventory vendors and execute Business Associate Agreements (BAAs) before sharing PHI.
- Track disclosures, manage patient requests, and maintain documentation to demonstrate compliance.
Business Associates and Their Role
A business associate (BA) is any non-workforce person or company that creates, receives, maintains, or transmits PHI on your behalf. Examples include billing companies, EHR and patient portal vendors, cloud hosting providers, transcriptionists, and telehealth platforms.
Business Associate Agreements (BAAs)
- Define permitted PHI uses and disclosures and require safeguards aligned with the Security Rule.
- Require breach reporting, subcontractor flow-down, and return or destruction of PHI at termination.
- Permit audits and outline remediation, termination rights, and indemnification as appropriate.
Vendor due diligence
- Assess security practices, incident history, and compliance attestations before onboarding.
- Limit PHI sharing to the minimum necessary and monitor performance through periodic reviews.
Enforcement and Penalties
HIPAA is enforced primarily by the federal civil rights regulator through investigations, resolution agreements, corrective action plans, and Civil Monetary Penalties. State attorneys general may also bring actions, and criminal penalties can apply for certain knowing wrongful disclosures.
- Penalty tiers consider factors like the level of culpability, cooperation, mitigation, and the organization’s size and compliance history.
- Corrective action plans may impose multi-year monitoring, policy updates, training, and reporting obligations.
- Demonstrating a current risk analysis, responsive remediation, and strong recognized security practices can significantly reduce enforcement exposure.
Resources for HIPAA Compliance
- Authoritative guidance: consult official HIPAA rules, summaries, and audit protocols when building or updating your program.
- Frameworks and checklists: use structured risk management frameworks and role-based checklists to map controls to Privacy, Security, and Breach Notification Rule requirements.
- Training and awareness: deploy role-specific training, phishing simulations, and just-in-time reminders to sustain workforce compliance.
- Technology alignment: configure EHRs, portals, and cloud services with access controls, encryption, logging, and retention settings that match your policies.
- Incident readiness: maintain an incident response plan, breach decision matrix, contact templates, and a breach log to accelerate timely notifications.
- Ongoing governance: keep a compliance calendar for audits, risk analyses, policy reviews, and BAA renewals; document everything for accountability.
Conclusion
If you conduct standard electronic billing or related transactions, you are likely a HIPAA covered entity health care provider. Build your program around the Privacy Rule, Security Rule, and Breach Notification Rule, manage business associates diligently, and document your efforts. Doing so protects patients, strengthens operations, and lowers regulatory risk.
FAQs
What defines a health care provider as a HIPAA covered entity?
You are a covered entity if you are a health care provider that transmits any health information electronically in connection with standard transactions (claims, eligibility, remittances, prior authorizations, and similar). Using a billing service or clearinghouse still counts, because the transactions are performed on your behalf.
What compliance requirements must covered health care providers follow?
You must meet HIPAA’s core rules: the Privacy Rule for permissible uses and disclosures and patient rights; the Security Rule for administrative, physical, and technical safeguards over ePHI; and the Breach Notification Rule for incident assessment and timely notifications. You also need written policies, workforce training, BAAs with vendors, documentation, and routine risk analyses.
How does HIPAA enforcement impact health care providers?
Enforcement can lead to corrective action plans, public resolution agreements, and Civil Monetary Penalties, with amounts tied to culpability and mitigating factors. Strong governance, prompt remediation, and well-documented security practices can reduce penalties and help resolve matters faster.
What resources are available for HIPAA compliance?
Leverage official regulatory materials, structured risk and security frameworks, practical checklists, workforce training tools, and your Health Information Technology vendors’ configuration guidance. Maintain an incident response playbook and a compliance calendar to keep reviews, audits, and BAA renewals on track.