Covered Entity Under HIPAA: Definitive Guide with Examples and Risk Implications
Definition of Covered Entity
What “covered entity” means
A covered entity under HIPAA is any health plan, health care clearinghouse, or health care provider that transmits health information electronically in connection with a standard transaction. When you meet this definition, you must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule for the protection of Protected Health Information (PHI).
The three covered entity types
- Health plans: Insurers, HMOs, Medicare, Medicaid, employer group health plans, government health benefit programs.
- Health care providers: Individuals and organizations—such as hospitals, clinics, physicians, dentists, pharmacies—that conduct standard electronic transactions (e.g., claims, eligibility checks, payment remittance) using health information technology. A provider that never transmits health information electronically in a standard transaction does not meet the definition.
- Health care clearinghouses: Entities that transform nonstandard health data into standard formats or vice versa (e.g., billing services, repricers, value-added networks).
Hybrid entities and covered functions
Organizations that perform both covered and non-covered activities can designate themselves as hybrid entities. In that case, HIPAA applies only to their defined covered functions—the parts of the organization that perform health plan, provider, or clearinghouse activities. You must formally identify these covered functions, partition responsibilities, and restrict PHI access accordingly.
Who is not a covered entity
Not every organization that touches health-related data is covered by HIPAA. Life insurers, employers (acting as employers), workers’ compensation carriers, schools, and many consumer apps are not covered entities unless they separately qualify or act as business associates to a covered entity. However, these parties may still face other privacy or security obligations under different laws.
Examples of Covered Entities
Health plans
- Commercial health insurance carriers and HMOs.
- Self-insured employer group health plans and third-party administrators handling plan operations.
- Government programs such as Medicare, Medicaid, TRICARE, and state high-risk pools.
Health care providers (conducting standard electronic transactions)
- Hospitals, ambulatory surgery centers, urgent care centers.
- Physician practices, dental offices, behavioral health clinics.
- Pharmacies and mail-order dispensaries.
- Laboratories, imaging centers, durable medical equipment suppliers.
Health care clearinghouses
- Medical billing and coding service companies.
- Switches and repricers that standardize claims data.
- Entities converting data between nonstandard and HIPAA standard formats.
Hybrid entity examples
- Universities that operate a medical center or student health clinic.
- Municipalities that run public health or employee health clinics.
- Retail chains with in-store pharmacies alongside non-covered retail operations.
HIPAA Privacy Regulations
Privacy Rule basics
The Privacy Rule governs how covered entities may use and disclose PHI and grants individuals specific rights over their information. Your policies should align with HIPAA compliance requirements, balancing care delivery with data protection.
Permitted uses and disclosures
- Treatment, payment, and health care operations (TPO): You may use and disclose PHI without patient authorization for core activities such as care coordination, claims, and quality improvement.
- Public interest and legal requirements: Certain disclosures are permitted or required (e.g., public health reporting, oversight, court orders).
- Authorizations: Uses outside permitted purposes generally require a valid, signed authorization.
Minimum necessary and de-identification
You must limit PHI uses, disclosures, and requests to the minimum necessary to achieve the purpose. When possible, use de-identified data; apply either the “Safe Harbor” method (removing specified identifiers) or expert determination to reduce risk.
Individual rights
- Access and obtain copies of their PHI (including electronic copies of ePHI).
- Request amendments and an accounting of certain disclosures.
- Request restrictions and receive confidential communications by alternative means.
- Receive a Notice of Privacy Practices describing your practices and rights.
HIPAA Security Standards
Security Rule scope and objectives
The Security Rule focuses on electronic PHI (ePHI). You must ensure the confidentiality, integrity, and availability of ePHI through administrative, physical, and technical safeguards that fit your size, complexity, risks, and health information technology environment.
Administrative safeguards
- Conduct an accurate and thorough risk analysis and maintain a risk management plan.
- Assign security responsibility; implement workforce training and sanctions.
- Develop policies for incident response, contingency planning, and emergency operations.
- Execute business associate agreements (BAAs) with vendors handling PHI.
Physical safeguards
- Facility access controls, visitor management, and secure workstation/device placement.
- Device and media controls for disposal, reuse, and transport of PHI-bearing assets.
- Environmental protections and redundant power/cooling where appropriate.
Technical safeguards
- Unique user identification, strong authentication, and role-based access controls.
- Audit controls and activity logging; regular review of logs and alerts.
- Integrity controls and anti-malware; change management and patching.
- Transmission and storage protections—encryption is “addressable” rather than “required,” but addressable does not mean optional: you must either implement it or document why it is not reasonable and appropriate and what equivalent measure you use instead. Encryption is strongly recommended because properly encrypted PHI is treated as secured for breach notification purposes.
Breach Notification Requirements
What constitutes a breach
Under the Breach Notification Rule, a breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. You must presume that an impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
Risk assessment factors
- The nature and extent of PHI involved (types of identifiers and likelihood of re-identification).
- The unauthorized person who used or received the PHI.
- Whether the PHI was actually acquired or viewed.
- The extent to which you mitigated the risk (e.g., prompt retrieval, effective encryption).
Notification timelines and recipients
- Affected individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
- Media notice: If a breach involves 500 or more residents of a state or jurisdiction, notify prominent media outlets.
- Secretary of Health and Human Services: For breaches affecting 500+ individuals, notify without unreasonable delay; for fewer than 500, report no later than 60 days after the end of the calendar year.
- Content and method: Provide plain-language notice including what happened, types of PHI involved, protective steps individuals should take, your mitigation efforts, and contact information.
Business associates’ role
Business associates must notify the covered entity of a breach without unreasonable delay (no later than 60 days, or earlier if your BAA requires). Your incident response plan should define intake, coordination, and documentation steps across all parties.
Penalties for Non-Compliance
Civil penalties
HIPAA uses a tiered structure based on culpability, from lack of knowledge to willful neglect not corrected. Civil monetary penalties can range from hundreds to tens of thousands of dollars per violation, with annual caps per violation category. Enforcement actions often include corrective action plans and external monitoring.
Criminal penalties
Knowingly obtaining or disclosing PHI in violation of HIPAA can lead to criminal penalties. Penalties escalate for offenses committed under false pretenses or with intent to sell, transfer, or use PHI for personal gain or malicious harm.
Collateral risks
- Costly breach response, litigation exposure, and regulatory oversight.
- Operational disruption, reputational damage, and loss of patient trust.
- Contractual risk with payers and business associates, including indemnity disputes.
Risk Management Strategies
Governance and accountability
- Designate privacy and security officers with clear authority and reporting lines.
- Define and document your covered functions if you are a hybrid entity.
- Establish a HIPAA compliance steering committee to oversee priorities and resources.
Risk analysis and risk treatment
- Perform an enterprise-wide risk analysis that inventories systems, data flows, and vendors handling PHI/ePHI.
- Prioritize risks, assign owners, and implement administrative, physical, and technical controls.
- Track remediation through a living risk management plan with measurable milestones.
Technical controls and Health Information Technology
- Adopt secure architectures: network segmentation, zero trust access, and least privilege.
- Implement multi-factor authentication, strong endpoint protection, and encryption for data at rest and in transit.
- Centralize logging and monitoring; use alerting and periodic access reviews.
- Harden EHRs and ancillary systems; maintain secure configurations and timely patching.
Third-party and business associate management
- Perform due diligence and security reviews before onboarding vendors.
- Execute BAAs that define permitted uses, safeguards, breach reporting, and audit rights.
- Continuously monitor vendor performance and require timely remediation of findings.
Training, policy, and culture
- Deliver role-based training and phishing simulations; reinforce the minimum necessary standard.
- Maintain current policies and procedures; document acknowledgments and sanctions.
- Embed privacy-by-design and security-by-design into daily workflows.
Incident response and continuity
- Create and test an incident response plan, including for ransomware and lost devices.
- Develop business continuity and disaster recovery plans with tested backups and recovery time objectives.
- Use tabletop exercises to validate coordination with business associates.
Key takeaways
Being a covered entity under HIPAA brings specific duties tied to the Privacy Rule, Security Rule, and Breach Notification Rule. By defining covered functions, executing risk-based safeguards, and managing vendors and workforce behavior, you can reduce breach likelihood, satisfy regulatory obligations, and protect patient trust.
FAQs
What entities qualify as covered entities under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions (such as claims or eligibility checks). If you fit one of these categories and transmit PHI electronically for standard transactions, HIPAA applies to you.
How do covered entities differ from business associates?
Covered entities deliver or pay for care; business associates provide services to covered entities that involve PHI (for example, EHR hosting, billing, cloud storage, consulting). Business associates must sign a BAA and comply with applicable HIPAA provisions, but the covered entity ultimately owns the patient relationship and many core compliance duties.
What are the penalty risks for covered entities?
Penalties range from lower-tier civil fines for unknowing violations to higher-tier penalties for willful neglect, plus potential criminal liability for egregious misconduct. Regulators may also impose corrective action plans, monitoring, and reporting—alongside breach response costs and reputational harm.
How must covered entities report a HIPAA breach?
After containing the incident and performing the four-factor risk assessment, notify affected individuals without unreasonable delay and no later than 60 days after discovery. If 500 or more residents of a state or jurisdiction are affected, notify prominent media and the Secretary of Health and Human Services promptly; for smaller breaches, report to the Secretary annually. Coordinate with business associates per your BAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.