Covered Entities Under HIPAA: Definition, Examples, and Compliance Requirements

Kevin Henry

HIPAA

December 29, 2024

7 minutes read
Covered entities under HIPAA are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard. All three create, receive, maintain, or transmit Protected Health Information (PHI). This guide explains the definition, gives practical examples, and outlines the compliance requirements that follow so you can handle PHI confidently and lawfully.

Health Plans as Covered Entities

Health plans are covered entities by definition; they create, receive, maintain, and transmit PHI to pay for care and run plan operations. Plans include group health plans, health insurance issuers, HMOs, Medicare, Medicaid, and other government programs that pay for health care. (Very small, self-administered group health plans with fewer than 50 participants are excluded from the definition.)

Core responsibilities

  • Limit uses and disclosures of PHI to treatment, payment, and health care operations, or to what the Privacy Rule otherwise permits or requires.
  • Maintain a Notice of Privacy Practices, provide it to members at enrollment and when it is materially revised, and remind members of its availability at least every three years.
  • Implement a HIPAA Compliance Program that covers policies, workforce training, sanctions, and ongoing monitoring.
  • Enter Business Associate Agreements (BAAs) with vendors that create or handle PHI on the plan’s behalf.
  • Honor member rights (access, amendment, restrictions, confidential communications, and accounting of disclosures).

Examples

  • Employer-sponsored group health plans and self-funded plans (the plan is the covered entity, not the employer).
  • Dental, vision, prescription drug, and behavioral health plans when they pay for care.
  • Medicare Advantage and Medicaid managed care organizations.

Health Care Providers Responsibilities

Health care providers are covered entities only when they transmit health information electronically in connection with a transaction for which HHS has adopted a standard (for example, claims, eligibility checks, or remittance advice). A provider that bills only on paper is not a covered entity, though it may still be bound as a business associate. Covered providers include hospitals, clinics, physicians, dentists, pharmacies, laboratories, and telehealth providers.

Operational duties

  • Adopt the minimum necessary standard and role-based access to limit PHI exposure.
  • Deliver a Notice of Privacy Practices and obtain authorizations when required (for uses beyond Privacy Rule allowances).
  • Secure ePHI under the Security Rule via risk analysis, access controls, audit logs, and transmission security.
  • Maintain BAAs with billing firms, EHR vendors, cloud services, and other business associates.
  • Prepare for the Breach Notification Rule with an incident response plan and timely individual notices when an impermissible use or disclosure of unsecured PHI occurs.

Common pitfalls to avoid

  • Unencrypted laptops, phones, and removable media, or unmonitored user accounts (shared logins, orphaned accounts of departed staff), exposing ePHI.
  • Over-sharing PHI beyond minimum necessary, especially in billing and referral workflows.
  • Insufficient verification before disclosures to family members or third parties.

Role of Health Care Clearinghouses

Health care clearinghouses translate nonstandard health information into the standard transaction formats adopted under HIPAA's Administrative Simplification provisions, and vice versa. Billing services, repricing companies, and community health information systems can all fall into this category. They act as intermediaries between providers and health plans for standard electronic transactions, and when they process transactions on a provider's or plan's behalf they are also that entity's business associate.

What clearinghouses do

  • Standardize claims, remittance advice, eligibility, claim status, referrals, and prior authorization transactions.
  • Validate data, correct format errors, and route transactions to intended recipients.
  • Protect PHI they receive or create during translation and routing activities.

Compliance focus

  • Apply Security Rule safeguards to networks, applications, and transmission channels.
  • Control internal workforce access and maintain robust audit trails for transaction processing.
  • Execute BAAs in both directions: with the providers and plans whose transactions they process, and with any subcontractors that perform functions on the clearinghouse's behalf.

HIPAA Privacy and Security Rules

The Privacy Rule governs how covered entities use and disclose PHI and grants patients rights over their information. The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI).

Privacy Rule essentials

  • Permits use/disclosure for treatment, payment, and health care operations; other uses require authorization or specific permission.
  • Minimum necessary standard for most non-treatment disclosures.
  • Notice of Privacy Practices, workforce training, and policies addressing permitted uses and sanctions.

Security Rule essentials

  • Risk analysis and risk management tailored to your environment.
  • Access controls (unique user IDs, emergency access procedures, automatic logoff, encryption), audit controls, and integrity protections for ePHI.
  • Transmission security (e.g., TLS for data in transit), device and media controls, facility access safeguards, and contingency planning (backups, disaster recovery, and emergency mode operations).

Interplay with Electronic Health Transactions

  • Transactions must follow the national standards (such as the X12 transaction sets for claims and eligibility) to reduce administrative burden and errors.
  • Security Rule protections apply wherever ePHI exists: during transmission, during processing, and at rest in storage.

Compliance Safeguards and Obligations

Effective HIPAA Compliance Programs integrate governance, technology, and workflows. Your goal is to embed Privacy Rule and Security Rule requirements into daily operations.

Program governance

  • Designate privacy and security officers with authority to enforce policies.
  • Conduct initial and periodic risk analyses; document risk treatment plans and residual risk.
  • Maintain written policies, procedures, and sanctions; retain required documentation for at least six years from its creation or the date it was last in effect, whichever is later.

Technical and physical safeguards

  • Encrypt ePHI at rest and in transit and manage keys securely. Encryption is an "addressable" specification, but it is the most reliable control: ePHI encrypted in line with HHS guidance is not "unsecured PHI", so a lost encrypted device does not trigger breach notification.
  • Implement multi-factor authentication, least-privilege access, and regular access reviews.
  • Log and monitor system activity; investigate anomalies promptly.
  • Harden endpoints, patch systems, and control removable media and mobile devices.
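The Security Rule essentials above (access controls, unique user IDs, audit controls) and the technical safeguards just listed (least-privilege access, logging and monitoring) are usually described as policy, so here is what they look like in code. The following is an added example written for this article, not code from Accountable or from any real EHR: it enforces a minimum-necessary field list per role, records every access attempt (granted or denied) as an audit event, and then reviews that log for two patterns a privacy officer would want flagged, repeated denials (someone probing beyond their role) and a user touching many distinct patients in a short window (record browsing). The roles, field names, thresholds, and sample activity are all constructed assumptions.

```python
"""Minimum-necessary PHI access enforcement plus audit-log review.
Added illustration; roles, fields, thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import datetime as dt

# Assumption: each workforce role is limited to the PHI fields it needs.
# A real mapping comes from the covered entity's minimum-necessary analysis.
ROLE_FIELDS = {
    "clinician": frozenset({"name", "dob", "diagnoses", "medications", "notes"}),
    "billing": frozenset({"name", "dob", "insurance_id", "procedure_codes"}),
    "scheduler": frozenset({"name", "phone", "appointments"}),
}


@dataclass(frozen=True)
class AuditEvent:
    """One audit-control record: who asked for what, about whom, and the outcome."""
    ts: dt.datetime
    user: str
    role: str
    patient_id: str
    fields: frozenset
    allowed: bool


def request_phi(user, role, patient_id, fields, ts, audit_log):
    """Release only the fields permitted for the role; log every attempt.

    The denied attempt is logged *before* raising so that probing is visible
    later. Returns the releasable field set (a real system would fetch exactly
    those fields and nothing more).
    """
    requested = frozenset(fields)
    denied = requested - ROLE_FIELDS.get(role, frozenset())
    allowed = not denied
    audit_log.append(AuditEvent(ts, user, role, patient_id, requested, allowed))
    if not allowed:
        raise PermissionError(f"{user} ({role}) may not access {sorted(denied)}")
    return requested


def find_anomalies(audit_log, window=dt.timedelta(hours=1),
                   max_patients=5, min_denials=3):
    """Review the log for two snooping/probing patterns (thresholds assumed).

    repeated_denials: at least `min_denials` refusals for one user.
    bulk_patient_access: more than `max_patients` distinct patients for one
    user within any `window` of time.
    """
    findings = []
    by_user = defaultdict(list)
    for ev in audit_log:
        by_user[ev.user].append(ev)

    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        denials = sum(1 for e in events if not e.allowed)
        if denials >= min_denials:
            findings.append((user, "repeated_denials", denials))

        # Sliding window: peak number of distinct patients within `window`.
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1
            distinct = len({e.patient_id for e in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_patients:
            findings.append((user, "bulk_patient_access", peak))
    return findings


def build_sample_log():
    """Constructed sample activity (not real data) covering all three patterns."""
    log = []
    t0 = dt.datetime(2024, 12, 1, 9, 0)
    # Ordinary clinician: three patients over one hour, all within role.
    for i, pid in enumerate(["P001", "P002", "P003"]):
        request_phi("dr_lee", "clinician", pid, {"name", "diagnoses"},
                    t0 + dt.timedelta(minutes=30 * i), log)
    # Scheduler repeatedly requesting clinical fields outside its role.
    for i in range(3):
        try:
            request_phi("sched_kim", "scheduler", "P001", {"name", "diagnoses"},
                        t0 + dt.timedelta(minutes=5 * i), log)
        except PermissionError:
            pass  # denied and logged; continue to show the pattern
    # Billing user pulling eight different records in eight minutes.
    for i in range(8):
        request_phi("bill_ray", "billing", f"P1{i:02d}", {"name", "insurance_id"},
                    t0 + dt.timedelta(minutes=i), log)
    return log


if __name__ == "__main__":
    for finding in find_anomalies(build_sample_log()):
        print(finding)
```

Running the module prints two findings: `sched_kim` with three denials and `bill_ray` with eight distinct patients in one window; `dr_lee` is not flagged. Two design points carry over to real systems: denied requests must be written to the audit log before the error is returned, or probing never appears in review, and the log has to record the patient identifier and the fields requested, not just "access granted", or the minimum-necessary review has nothing to work with.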

Workforce and vendor management

  • Role-based training at hire and annually; document attendance and comprehension.
  • Onboarding/offboarding processes to manage accounts and devices quickly.
  • Due diligence, BAAs, and oversight for business associates; ensure downstream compliance.

Incident handling and breach notification

  • Establish incident response procedures for detection, containment, investigation, and recovery.
  • Treat any impermissible use or disclosure of unsecured PHI as a presumed breach unless a documented risk assessment shows a low probability that the PHI was compromised. The assessment weighs at least four factors: the nature and extent of the PHI, the unauthorized person who used or received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.
  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Report breaches affecting 500 or more individuals to HHS within the same 60 days and to prominent media outlets when 500 or more residents of a state or jurisdiction are affected; log smaller breaches and report them to HHS annually, within 60 days after the end of the calendar year.

Patient Rights and Control over PHI

HIPAA empowers patients with clear rights that covered entities must support through accessible processes and timely responses.

  • Right of access to inspect or obtain copies of PHI in a designated record set, including electronic copies of ePHI in the form and format requested when readily producible, generally within 30 days (one 30-day extension is allowed) and for no more than a reasonable, cost-based fee.
  • Right to request amendments to inaccurate or incomplete information.
  • Right to request restrictions and to receive confidential communications by alternative means or locations.
  • Right to an accounting of certain disclosures outside treatment, payment, and operations.
  • Right to receive a Notice of Privacy Practices and to file a complaint without retaliation.

Enforcement and Accountability Measures

The HHS Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules through complaint investigations, compliance reviews, audits, and resolution agreements. Outcomes may include corrective action plans with multi-year monitoring and tiered civil monetary penalties, adjusted annually for inflation, scaled by the entity's level of culpability from lack of knowledge through willful neglect. The Department of Justice prosecutes knowing misuse of PHI under HIPAA's criminal provisions.

Strong documentation is essential: maintain risk analyses, training logs, BAAs, incident records, breach assessments, and policy attestations. These materials demonstrate compliance during OCR inquiries and support continuous improvement.

Conclusion

HIPAA's covered entity framework centers on three actors: health plans, providers that conduct standard electronic transactions, and clearinghouses. Each is bound by the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Administrative Simplification transaction standards. By implementing documented safeguards, honoring patient rights, and preparing for breach response, you reduce risk, strengthen trust, and meet HIPAA obligations with confidence.

FAQs

What qualifies as a covered entity under HIPAA?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions (such as claims, eligibility, or remittance). These organizations handle PHI and must follow the Privacy Rule, Security Rule, and related HIPAA requirements.

How do health care providers comply with HIPAA?

Providers comply by conducting and documenting a risk analysis, enforcing administrative, physical, and technical safeguards for ePHI, limiting uses and disclosures to what the Privacy Rule permits, training the workforce, issuing a Notice of Privacy Practices, executing BAAs with vendors, and following Breach Notification Rule procedures when incidents occur.

What are the responsibilities of health plans under HIPAA?

Health plans must protect PHI, share it only as the Privacy Rule allows, maintain a HIPAA compliance program, provide members with privacy notices and access rights, manage vendor BAAs, secure their standard electronic transactions, and investigate, document, and report breaches as required.

How does HIPAA protect patient information?

HIPAA protects PHI by setting privacy standards that restrict when information can be used or disclosed and by requiring security safeguards for electronic data. It also gives patients rights to access, amend, and control certain disclosures, and it mandates breach notifications and enforcement mechanisms for noncompliance.
