Covered Entities Under HIPAA: Requirements, Examples, and Compliance Checklist
Health Plans as Covered Entities
Under HIPAA, health plans are covered entities because they pay for medical care and routinely handle protected health information (PHI). If you sponsor, administer, or insure benefits that cover the cost of healthcare, you likely operate as a health plan and must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
Common examples include employer group health plans, individual and family plans, HMOs and PPOs, Medicare, Medicaid, CHIP, Medicare Advantage, and certain long-term care insurers. Government programs that pay for healthcare services also qualify. By contrast, life insurance, workers’ compensation, and disability income policies are generally not HIPAA health plans because they do not provide or pay for medical care in the same way.
Health plans create and receive PHI during enrollment, eligibility, claims adjudication, coordination of benefits, and case management. You must limit use and disclosure to permissible purposes, apply the “minimum necessary” standard, and ensure members can exercise rights such as access, amendment, and an accounting of disclosures.
Healthcare Providers and Their Roles
Healthcare providers are covered entities when they transmit health information electronically in connection with standard transactions (for example, claims, eligibility inquiries, or referrals). This applies regardless of size or specialty, so solo clinicians and large systems have identical baseline obligations.
Examples include physicians, clinics, hospitals, dental practices, pharmacies, laboratories, therapists, DME suppliers, and urgent care centers. In day-to-day operations, you use PHI for treatment, payment, and healthcare operations without authorization, but you must provide a Notice of Privacy Practices, respect patient preferences where required, and implement appropriate safeguards to protect data confidentiality, integrity, and availability.
Functions of Healthcare Clearinghouses
Healthcare clearinghouses transform data between nonstandard and standard formats so different systems can exchange information reliably. Typical services include claims “scrubbing,” repricing, and translating batch files into HIPAA-standard transactions (and vice versa) for providers and health plans.
Because clearinghouses routinely create, receive, and transmit PHI, they are covered entities. When acting for a provider or plan, they also function like a specialized vendor and must adhere to HIPAA’s requirements, including applying technical safeguards to EDI workflows and maintaining audit trails for data conversions.
Business Associates and HIPAA Applicability
Business associates are not covered entities by default, but HIPAA applies to them whenever they create, receive, maintain, or transmit PHI for a covered entity. If your organization provides services that involve PHI—such as billing, data hosting, legal review, IT support, analytics, transcription, document shredding, or accreditation—you are a business associate with direct HIPAA obligations.
Covered entities must execute Business Associate Agreements (BAAs) that define permitted uses and disclosures, require appropriate safeguards, and mandate breach reporting. Business associates must comply with the HIPAA Security Rule and key provisions of the HIPAA Privacy Rule, flow down obligations to their subcontractors, and cooperate in incident response and mitigation.
Compliance Requirements for Covered Entities
HIPAA compliance centers on three pillars: the HIPAA Privacy Rule (use and disclosure of PHI and patient rights), the HIPAA Security Rule (safeguards for electronic PHI), and the Breach Notification Rule (duties when PHI is compromised). Together, these establish a baseline program every covered entity and business associate must implement.
HIPAA Privacy Rule essentials
- Define permissible uses and disclosures for treatment, payment, and healthcare operations, plus required and authorized disclosures where applicable.
- Apply the minimum necessary standard to routine uses and disclosures and maintain role-based access limits.
- Publish and distribute a Notice of Privacy Practices and honor patient rights to access, amendment, and restrictions where required.
- Manage authorizations for non-routine uses (for example, most marketing) and maintain an accounting of certain disclosures.
HIPAA Security Rule essentials
You must protect electronic PHI with a risk-based program across administrative, physical, and technical safeguards.
- Administrative safeguards: risk analysis and risk management, assigned security official, workforce training, sanction policies, contingency and incident response planning, and business associate oversight.
- Physical safeguards: facility access controls, workstation use and security, device and media controls (including secure disposal and re-use processes).
- Technical safeguards: unique user IDs and access controls, audit controls and activity review, integrity protections, transmission security (for example, encryption in transit), and person/entity authentication.
Compliance Checklist
- Designate privacy and security officials; document governance and reporting lines.
- Complete an enterprise-wide risk analysis; implement and document risk mitigation plans.
- Publish a current Notice of Privacy Practices; apply minimum necessary and role-based access.
- Adopt, maintain, and periodically update written policies and procedures for the Privacy, Security, and Breach Notification Rules.
- Train your workforce initially and at least annually; maintain attendance and content records.
- Execute and manage BAAs; inventory vendors and validate their safeguards.
- Implement administrative, physical, and technical safeguards, including encryption, audit logging, and secure disposal.
- Establish incident response, complaint handling, and sanctions processes; test them regularly.
- Track disclosures where required; maintain documentation for at least six years.
Breach Notification Procedures
A breach is an impermissible use or disclosure of unsecured PHI that compromises its privacy or security. When an incident occurs, you must conduct a risk assessment that considers the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Exceptions include unintentional, good-faith access by workforce members within scope and inadvertent disclosures between authorized persons within the same organization, provided the information is not further used or disclosed. If PHI is secured (for example, properly encrypted at rest and in transit), the incident may not be a reportable breach.
Required notifications and timelines
- Individuals: without unreasonable delay and no later than 60 calendar days after discovery, via written notice (and substitute notice if needed).
- U.S. Department of Health and Human Services (HHS): within 60 days if a breach affects 500 or more individuals; for fewer than 500, log and report to HHS no later than 60 days after the end of the calendar year.
- Media: notify prominent media outlets if 500 or more residents of a state or jurisdiction are affected.
- Business associates: must notify the affected covered entity without unreasonable delay so the covered entity can meet its obligations.
Notices must describe what happened, the types of information involved, steps individuals should take to protect themselves, what you are doing to mitigate harm and prevent recurrence, and how to contact you. Document all decisions and investigations to demonstrate due diligence.
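As an added illustration (not part of the original article), the following Python helper turns the timelines above into concrete calendar deadlines for an incident record. The Breach fields and the sample incidents are assumptions; the shared 60-day window for media notice is taken from 45 CFR 164.406.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constants taken from the Breach Notification Rule as summarised above.
NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 calendar days"
LARGE_BREACH_THRESHOLD = 500         # triggers prompt HHS notice and media notice

@dataclass
class Breach:                        # assumed incident-record shape
    discovered: date                 # date the breach was discovered
    affected_total: int              # individuals whose unsecured PHI was involved
    affected_by_state: Dict[str, int] = field(default_factory=dict)
    phi_secured: bool = False        # True if the PHI was encrypted per HHS guidance

@dataclass
class NotificationPlan:
    reportable: bool
    individuals_by: Optional[date] = None
    hhs_by: Optional[date] = None
    media_by: Optional[date] = None
    media_jurisdictions: List[str] = field(default_factory=list)

def plan_notifications(b: Breach) -> NotificationPlan:
    """Derive the outside deadline for each notice the rule requires."""
    if b.phi_secured:
        # Secured PHI is not "unsecured PHI", so no notice is required;
        # the determination itself should still be documented.
        return NotificationPlan(reportable=False)
    individuals_by = b.discovered + NOTICE_WINDOW
    if b.affected_total >= LARGE_BREACH_THRESHOLD:
        hhs_by = individuals_by      # HHS is notified within the same 60 days
    else:
        # Smaller breaches are logged and reported within 60 days of year end.
        hhs_by = date(b.discovered.year, 12, 31) + NOTICE_WINDOW
    media = sorted(s for s, n in b.affected_by_state.items()
                   if n >= LARGE_BREACH_THRESHOLD)
    media_by = individuals_by if media else None   # 45 CFR 164.406 window
    return NotificationPlan(True, individuals_by, hhs_by, media_by, media)

def plan_from_iso(discovered: str, total: int, by_state=None,
                  secured: bool = False) -> NotificationPlan:
    """Convenience wrapper taking an ISO date string from a ticket or log."""
    return plan_notifications(Breach(date.fromisoformat(discovered), total,
                                     by_state or {}, secured))

if __name__ == "__main__":
    # Constructed sample incidents, not real events.
    print(plan_from_iso("2024-03-10", 1200, {"TX": 900, "OK": 300}))
    print(plan_from_iso("2024-03-10", 40, {"TX": 40}))
    print(plan_from_iso("2024-03-10", 5000, {"TX": 5000}, secured=True))
```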
Ensuring Ongoing HIPAA Compliance
HIPAA is not a one-time project; it is an ongoing program of governance, risk management, and monitoring. You should review your threat landscape regularly, refresh training, audit system activity, and keep vendor oversight current as technology and operations evolve.
- Establish a cadence for risk analysis, policy reviews, technical testing, and incident response drills.
- Prioritize data minimization, de-identification where feasible, and encryption and key management for ePHI.
- Use access governance (for example, joiner-mover-leaver processes) and periodic access certifications.
- Monitor logs and alerts, investigate anomalies promptly, and apply corrective actions with documented root-cause analysis.
- Plan for continuity with backups, disaster recovery testing, and validated restoration procedures.
Conclusion
Covered entities under HIPAA include health plans, healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses, while many vendors become business associates. By implementing administrative, physical, and technical safeguards and following clear breach notification procedures, you can protect PHI, meet Privacy and Security Rule requirements, and sustain compliance over time.
FAQs
What entities are considered covered under HIPAA?
Covered entities are health plans, healthcare providers that transmit health information electronically in connection with standard transactions, and healthcare clearinghouses. Many vendors that handle PHI for these entities are business associates and must meet HIPAA obligations through BAAs and direct compliance with the Security Rule.
How do healthcare clearinghouses function under HIPAA?
Clearinghouses convert health information between nonstandard and HIPAA-standard transaction formats, such as translating raw billing files into standard claims. Because they routinely handle PHI, they are covered entities and must apply appropriate safeguards, maintain audit controls, and support accurate, secure data exchange for providers and health plans.
What are the compliance requirements for covered entities?
Covered entities must comply with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. Core requirements include a risk-based security program with administrative, physical, and technical safeguards; privacy policies and minimum necessary practices; workforce training; vendor management via BAAs; incident response and breach reporting; and thorough documentation of policies, decisions, and actions.
When must a breach notification be made?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. If 500 or more individuals are affected, you must also notify HHS within 60 days and local media for state- or jurisdiction-wide incidents; smaller breaches are reported to HHS no later than 60 days after the end of the calendar year.