Covered Entities Under HIPAA: Definitions, Obligations, and Best Practices Guide


Kevin Henry

HIPAA

January 01, 2025


Definition of Covered Entities

Covered entities under HIPAA are organizations directly regulated by the HIPAA Privacy, Security, and Breach Notification Rules. They include health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. If you fall into one of these categories and handle Protected Health Information, you must meet all applicable regulatory requirements.

Protected Health Information (PHI) is individually identifiable health information that relates to a person’s health status, care, or payment and is created, received, maintained, or transmitted by a covered entity or its business associate. PHI can exist in any form—paper, verbal, or electronic—and drives your Privacy Rule Compliance and Security Rule Implementation responsibilities.

Some organizations are “hybrid entities” that perform both covered and non-covered functions; they must designate and firewall their health care components. Employers, schools, and life insurers are generally not covered entities, though they may interact with PHI under other laws or through Business Associate Agreements.

Health Care Providers

You are a covered health care provider if you transmit health information electronically in connection with standard transactions (for example, claims, eligibility inquiries, or referral authorizations). This includes physicians, dentists, hospitals, clinics, pharmacies, laboratories, therapists, and telehealth providers—regardless of size.

Using a billing service or clearinghouse to submit transactions on your behalf still counts as conducting electronic standard transactions. Cash-only practices can fall outside HIPAA coverage only if they never conduct covered transactions electronically; however, most modern operations interact electronically at some point, triggering compliance duties.

Health Plans

Health plans include health insurance issuers, HMOs, employer-sponsored group health plans, government programs such as Medicare and Medicaid, and certain long-term care and supplemental policies. Plan sponsors are not covered entities themselves, but they must implement firewalls and plan documents that limit access to PHI to plan administration functions.

If you operate a health plan, you must provide a Notice of Privacy Practices, honor member rights (access, amendments, and restrictions), apply the minimum necessary standard, and manage Business Associate Agreements for vendors that handle PHI.

Health Care Clearinghouses

Health care clearinghouses transform nonstandard health information into standard transaction formats and vice versa. Examples include billing or repricing services and health information networks that “translate” data for claims, remittance advice, or eligibility checks.

Because clearinghouses routinely create, receive, maintain, and transmit PHI, they are covered entities. Unlike pure “conduits” that simply transport data without routine access, clearinghouses actively process information and therefore must implement full Security Rule Implementation and Privacy Rule Compliance programs.


Obligations of Covered Entities

Privacy Rule Compliance

  • Provide a clear Notice of Privacy Practices and designate a privacy official.
  • Apply the minimum necessary standard and role-based access to PHI.
  • Honor individual rights: timely access (generally within 30 days), amendments, confidential communications, and an accounting of certain disclosures.
  • Maintain policies and procedures, sanction policies for violations, and retain documentation for at least six years.

Security Rule Implementation

  • Implement administrative, physical, and technical safeguards tailored to your risks (for example, risk management plans, facility security, access controls, unique user IDs, audit logs, and integrity controls).
  • Use encryption where reasonable and appropriate, manage endpoints and mobile devices, and apply multi-factor authentication for sensitive access.
  • Establish contingency plans: data backup, disaster recovery, and emergency mode operations.

Breach Notification Procedures

  • Maintain incident response processes to detect, assess, and document suspected breaches.
  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery; report to regulators and, when applicable, to the media for large breaches.
  • Record smaller breaches and submit the annual report as required.

Workforce Training Mandates

  • Train your workforce on privacy and security policies at onboarding and periodically thereafter; document completion and refresh after material changes or incidents.
  • Limit PHI access based on job roles and monitor compliance through audits and technical monitoring.

Business Associate Agreements

Before a vendor handles PHI, execute Business Associate Agreements that define permitted uses and disclosures, require safeguards, mandate breach reporting, and flow down obligations to subcontractors. Review BAAs regularly and align them with your risk management program.

Business Associates

Business associates are persons or organizations that perform services for a covered entity involving PHI, such as billing companies, EHR and cloud providers, data analytics firms, consultants, law firms, and teleradiology networks. Subcontractors that handle PHI for a business associate are themselves business associates.

Business associates are directly liable for Security Rule compliance and certain Privacy Rule provisions. Your Business Associate Agreements should cover security controls, Breach Notification Procedures, right to audit, data return or destruction at termination, and clear allocation of responsibilities for incident response and corrective action.

Security Risk Analyses

Risk Analysis Requirements are the foundation of Security Rule Implementation. You must identify where PHI is created, received, maintained, or transmitted; inventory systems and data flows; and evaluate threats, vulnerabilities, likelihood, and potential impact to determine risk levels.

  • Scope and data mapping: include EHRs, cloud platforms, endpoints, biomedical devices, backups, messaging, and remote/telehealth workflows.
  • Assessment and scoring: pair threats with vulnerabilities, rate likelihood and impact, and document residual risk after existing controls.
  • Risk management: prioritize remediation, assign owners and timelines, and verify completion through testing and monitoring.
  • Lifecycle: review at least annually and whenever major changes occur (system upgrades, migrations, new facilities, or emerging threats).
  • Evidence: retain analysis, decisions, and supporting documentation for regulatory review.
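The assessment-and-scoring step above (pair each threat with a vulnerability, rate likelihood and impact, then record residual risk after existing controls and prioritize remediation) is easier to reason about as a small risk register. The following Python is an added example written for this guide, not code from the original article or from any HIPAA tooling; the 3-point rating scale, the thresholds for low/medium/high, and the sample register entries are all constructed assumptions.

```python
"""Minimal ePHI risk register scorer (added example, not part of the original article).

Assumptions: a 3-point low/medium/high scale for likelihood and impact,
risk = likelihood x impact, and controls modelled as fixed reductions.
"""
from dataclasses import dataclass, field

# Assumed rating scale; real programs may use 5-point or quantitative scales.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points subtracted from likelihood
    impact_reduction: int = 0      # points subtracted from impact


@dataclass
class Risk:
    asset: str          # where ePHI is created, received, maintained or transmitted
    threat: str
    vulnerability: str
    likelihood: str     # "low" | "medium" | "high"
    impact: str         # "low" | "medium" | "high"
    owner: str
    controls: list = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Risk before any existing control is credited."""
    return RATING[risk.likelihood] * RATING[risk.impact]


def residual_score(risk: Risk) -> int:
    """Risk after existing controls; neither factor can drop below 1."""
    likelihood = RATING[risk.likelihood]
    impact = RATING[risk.impact]
    for control in risk.controls:
        likelihood = max(1, likelihood - control.likelihood_reduction)
        impact = max(1, impact - control.impact_reduction)
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a 1..9 score onto the assumed low/medium/high bands."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(register: list) -> list:
    """Highest residual risk first; ties broken by inherent risk."""
    return sorted(register, key=lambda r: (residual_score(r), inherent_score(r)), reverse=True)


def build_sample_register() -> list:
    """Constructed sample entries drawn from the asset types the guide lists."""
    return [
        Risk("clinician laptops", "theft or loss", "ePHI cached on local disk",
             "high", "high", "IT lead",
             [Control("full-disk encryption", impact_reduction=2)]),
        Risk("backup tapes", "interception in transit to offsite storage",
             "backups not encrypted", "medium", "high", "infrastructure lead"),
        Risk("telehealth portal", "credential stuffing", "password-only login",
             "high", "medium", "application owner",
             [Control("multi-factor authentication", likelihood_reduction=2)]),
    ]


if __name__ == "__main__":
    for r in prioritize(build_sample_register()):
        print(f"{r.asset:20} inherent={inherent_score(r)} "
              f"residual={residual_score(r)} ({risk_level(residual_score(r))}) owner={r.owner}")
```

Running the module prints the register ordered for remediation; the unencrypted backups land on top because no existing control reduces that risk, which is exactly the kind of gap the lifecycle and evidence steps expect you to document and assign an owner for.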

Conclusion

Covered Entities Under HIPAA—providers, health plans, and clearinghouses—must safeguard PHI through robust Privacy Rule Compliance, Security Rule Implementation, and disciplined Breach Notification Procedures. By executing strong Business Associate Agreements, performing thorough Security Risk Analyses, and meeting Workforce Training Mandates, you create a resilient compliance program that protects patients and your organization.

FAQs

What are the main types of covered entities under HIPAA?

The three covered entities are health care providers that conduct standard electronic transactions, health plans (including group health plans and government programs), and health care clearinghouses that convert data between nonstandard and standard formats.

How must covered entities safeguard protected health information?

You must implement administrative, physical, and technical safeguards, apply the minimum necessary standard, control access with role-based permissions, monitor activity with audit logs, encrypt data where appropriate, maintain contingency plans, and train your workforce—all tailored by a documented risk analysis.

Before a vendor handles PHI, you must sign a Business Associate Agreement that limits permitted uses and disclosures, requires appropriate safeguards and breach reporting, flows down obligations to subcontractors, allows oversight or audits, and ensures return or destruction of PHI at contract end.

How often should security risk analyses be performed?

Conduct a comprehensive security risk analysis at least annually and whenever significant changes occur—such as new systems, migrations to the cloud, telehealth expansions, or facility moves—to keep your safeguards effective and your risk management plan current.
