Covered Entity Explained: HIPAA Definition, Applicability, and Risk Considerations
Understanding whether you are a “covered entity” is the starting point for HIPAA compliance. This guide explains the definition, when HIPAA applies, what risk analysis entails, required security measures, how to document compliance, breach notification duties, and how Business Associate Agreements (BAA) fit in.
Definition of Covered Entity
A covered entity is one of three types of organizations: health plans, health care clearinghouses, or health care providers that transmit health information electronically in connection with standard transactions (such as claims, eligibility, or referrals). If you bill insurers electronically or use standard EDI transactions, you likely qualify.
Protected Health Information (PHI) is individually identifiable health information in any form. Electronic Protected Health Information (ePHI) is the subset created, received, maintained, or transmitted electronically. The HIPAA Privacy Rule governs permissible uses and disclosures of PHI, while the HIPAA Security Rule sets requirements to safeguard ePHI.
Employment records held in your role as an employer and fully de-identified data are not PHI. If your organization performs both covered and non-covered functions, you may designate a health care component as a hybrid entity and apply HIPAA to that component.
Applicability of HIPAA to Covered Entities
HIPAA applies when you create, receive, maintain, or transmit PHI or ePHI. It covers clinical care, billing, eligibility checks, quality reporting, and many operational tasks that touch PHI. The minimum necessary standard limits access and disclosures to what is reasonably necessary for the purpose.
Organized health care arrangements (OHCAs) may share PHI for joint operations, but each participant remains responsible for its own compliance. Business associates that handle PHI on your behalf are also subject to HIPAA via contract and must sign a BAA before PHI is shared.
Data excluded from scope include de-identified information and certain educational records. More stringent state privacy laws may also apply alongside HIPAA, so you should account for them in your compliance program.
Risk Assessment Requirements
The HIPAA Security Rule requires an enterprise-wide Risk Analysis to identify threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI. You must inventory systems and data flows, evaluate likelihood and impact, assign risk levels, and document prioritized remediation.
Update your risk analysis at least annually and whenever you introduce significant changes—new EHR modules, telehealth platforms, cloud migrations, mergers, or after security incidents. Include third parties that create, receive, maintain, or transmit ePHI for you.
Common pitfalls include treating a checklist as a substitute for analysis, overlooking shadow IT or mobile devices, and failing to document risk acceptance decisions. Your output should drive a living risk management plan with clear owners and timelines.
Security Measures Implementation
Administrative safeguards include workforce training, role-based access, security awareness (including phishing), sanctions, incident response, contingency planning, and ongoing risk management. Make sure policies operationalize the minimum necessary standard across workflows.
Physical safeguards cover facility access controls, secure workstations, and device/media controls with secure disposal. Encrypt portable media or prohibit it where feasible, and maintain chain-of-custody for devices that store ePHI.
Technical safeguards should combine unique user IDs, multi-factor authentication, least-privilege, encryption in transit and at rest for ePHI, audit controls and log monitoring, integrity protections, automatic logoff, and transmission security. Pair these with patch management, endpoint protection, mobile device management, backups with restoration tests, and network segmentation.
Ready to assess your HIPAA security risks?
Join thousands of organizations that use Accountable to identify and fix their security gaps.
Take the Free Risk Assessment
Documentation of Compliance
Maintain written policies and procedures and retain documentation for at least six years from creation or last effective date. Keep evidence of governance, such as designation of privacy and security officers and management approvals of key policies.
Core records include your Risk Analysis, risk management plan, system inventories, training materials and rosters, access and audit logs, security incident and breach logs, Business Associate Agreements (BAA), contingency plans and test results, and sanctions taken when policies are violated.
Use version control and periodic reviews to show your program evolves with technology and risk. Hybrid entities should document the designated health care component and any shared services that support it.
Breach Notification Obligations
The Breach Notification Rule requires notice following a breach of unsecured PHI unless a documented four-factor assessment shows a low probability of compromise. Consider the nature and extent of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and the extent of mitigation.
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notices must describe what happened (including dates), types of PHI involved, steps individuals should take, what you are doing to mitigate and prevent recurrence, and how to contact you.
For breaches affecting 500 or more residents of a state or jurisdiction, notify prominent media and report to HHS within 60 days of discovery. For breaches affecting fewer than 500 individuals, log them and report to HHS within 60 days after the end of the calendar year. Encryption can qualify PHI as “secured,” reducing notification obligations when data are unreadable to unauthorized individuals.
Business Associate Agreements
A business associate is any person or entity that creates, receives, maintains, or transmits PHI for a covered entity, such as billing services, cloud providers, EHR vendors, TPAs, or telehealth platforms. You must execute a BAA before disclosing PHI to a business associate.
BAAs should define permitted uses and disclosures, require safeguards consistent with the HIPAA Security Rule, mandate breach and security incident reporting, flow obligations down to subcontractors, and allow termination for material breach. Limit access to the minimum necessary and verify that controls match the sensitivity of ePHI handled.
Perform due diligence on security posture, compliance history, and subcontracting arrangements. Monitor ongoing performance through reports, assessments, and contract reviews. Together, clear scoping, disciplined risk management, robust safeguards, thorough documentation, prompt breach handling, and strong BAAs form a resilient HIPAA compliance program.
FAQs
What is a covered entity under HIPAA?
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. Covered entities handle PHI, and its electronic subset ePHI, subject to the HIPAA Privacy Rule and HIPAA Security Rule respectively.
How does HIPAA apply to business associates?
Business associates perform services involving PHI for covered entities and must sign Business Associate Agreements (BAA). BAAs bind them to safeguard ePHI, limit uses and disclosures, report breaches, and flow the same obligations to subcontractors.
What are the key risk assessment requirements for covered entities?
Conduct an enterprise-wide Risk Analysis to identify threats and vulnerabilities to ePHI, rate likelihood and impact, document results, and implement a risk management plan. Update it at least annually and when significant changes or incidents occur.
What are the breach notification obligations under HIPAA?
You must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI, include required content, and report to HHS—and to the media if 500 or more residents of a state or jurisdiction are affected. Smaller breaches are logged and reported annually under the Breach Notification Rule.