Covered Individuals Under HIPAA: Official Definition and How They Differ from Covered Entities

Kevin Henry

HIPAA

February 05, 2024

6 minutes read

Understanding who HIPAA protects and who must comply clarifies how your health information is handled. This guide explains “covered individuals,” contrasts them with covered entities, and outlines the rules that safeguard Protected Health Information and Electronic Protected Health Information.

Definition of Covered Individuals

HIPAA’s regulations do not define “covered individual.” The defined term is “individual,” meaning the person who is the subject of protected health information (45 CFR 160.103). In practical use, “covered individuals” refers to the people whose Protected Health Information (PHI) is protected under the HIPAA Privacy Rule and Security Rule.

Who is included

  • Patients receiving care from a covered health care provider.
  • Health plan enrollees, including dependents.
  • Personal representatives (for example, a parent of a minor or the executor of an estate), who exercise the individual’s rights on that person’s behalf rather than being the subject of the PHI themselves.
  • Decedents: PHI remains protected for 50 years after death.

Employment records held by a covered entity in its role as an employer are not PHI, even if they include health details. The same person’s medical records held by a provider or health plan are PHI.

What information is protected

PHI covers individually identifiable health information in any form. Electronic Protected Health Information (ePHI) is PHI created, received, stored, or transmitted electronically. Both are subject to health information confidentiality safeguards.

Overview of Covered Entities

Covered entities are organizations obligated to follow HIPAA. They include three categories, each with distinct operational roles but shared privacy and security duties.

  • Health care providers who conduct standard electronic transactions (for example, claims, eligibility checks).
  • Health plans (insurers, HMOs, employer-sponsored group health plans, Medicare, Medicaid).
  • Health care clearinghouses that standardize health data formats.

Vendors that create, receive, maintain, or transmit PHI on behalf of covered entities are business associates. They are not covered entities, but they must sign a Business Associate Agreement and, since the HITECH Act, are directly liable for complying with the HIPAA Security Rule and the Privacy Rule provisions that apply to them.

Scope of HIPAA Protection

HIPAA protects PHI/ePHI when it is created, received, maintained, or transmitted by covered entities and their business associates. The HIPAA Privacy Rule governs when PHI may be used or disclosed; the HIPAA Security Rule requires safeguards for ePHI.

Permitted uses and disclosures

A covered entity may use or disclose PHI without your authorization for treatment, payment, and health care operations, and for a limited set of other purposes the Privacy Rule spells out; most other uses require your written authorization. PHI may also be de-identified so it no longer identifies you, either by the Safe Harbor method (removing 18 listed identifier types) or by an expert determination that the risk of re-identification is very small. De-identified data is not subject to HIPAA, though ethical handling remains important.
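
The following routine, added here as a worked example and not taken from the article, shows what Safe Harbor de-identification involves on a single flat patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to three digits (or zeroed for sparsely populated prefixes), and ages over 89 are collapsed into a 90+ bucket. The field names, the sample record, and the deny-by-default handling of unlisted fields are assumptions for this example; the restricted ZIP3 set is the list HHS published from 2000 Census data and should be checked against current data before use.

```python
"""Safe Harbor de-identification of one patient record.

Added example, not code from the original article: it implements the HIPAA
Safe Harbor method (45 CFR 164.514(b)(2)) on a flat dictionary.  The field
names and the sample record are assumptions for this example.  The restricted
ZIP3 set is the list HHS derived from 2000 Census data; verify it against the
current census before relying on it.
"""
import re
from datetime import date

# Fields that may pass through unchanged.  Deny by default: anything not listed
# here or handled specially below is dropped, including free-text notes.
PASSTHROUGH = {"sex", "state", "diagnosis_codes", "procedure_codes"}

# Date elements directly related to the individual keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless that prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed input: drop rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age):
    """Ages over 89 collapse into the single category '90+'."""
    if age is None:
        return None
    return "90+" if age > 89 else age


def year_only(value):
    """Reduce an ISO date string to its year; unparseable values are dropped."""
    try:
        return date.fromisoformat(value).year
    except (TypeError, ValueError):
        return None


def deidentify(record, as_of_year=None):
    """Return a Safe Harbor de-identified copy of `record`.

    `as_of_year` is the year against which age is judged (defaults to today).
    """
    as_of_year = as_of_year or date.today().year
    out = {}
    for key, value in record.items():
        if key in PASSTHROUGH:
            out[key] = value
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = year_only(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        # every other field (name, MRN, SSN, notes, ...) is an identifier: drop it
    # A birth year that implies an age over 89 is itself an identifier; once the
    # subject is in the 90+ bucket no date element may reveal the real age.
    birth_year = out.get("birth_year")
    if birth_year is not None and as_of_year - birth_year >= 90:
        out["age"] = "90+"
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "street_address": "1 Main St",
    "city": "Springfield",
    "state": "VT",
    "zip": "05901",          # ZIP3 059 is on the restricted list
    "birth_date": "1931-06-15",
    "admission_date": "2024-01-20",
    "age": 92,
    "sex": "F",
    "diagnosis_codes": ["E11.9"],
    "notes": "Patient is the mayor's sister",  # free text: never passes through
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of_year=2024))
```

The allowlist is the important design choice: Safe Harbor’s eighteenth category is “any other unique identifying number, characteristic, or code,” so a routine that strips known identifiers and forwards everything else will leak whatever lives in free-text fields. Dropping unlisted fields by default keeps that decision explicit.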

What HIPAA does not cover

Data you enter into many consumer apps or devices may fall outside HIPAA unless the app is offered by, or on behalf of, a covered entity or business associate. In those cases, other privacy laws or app policies apply.

Responsibilities of Covered Entities

Covered entity compliance centers on preventing unauthorized access, ensuring proper use and disclosure, and honoring patient privacy rights. Core duties include the following.

  • Provide a Notice of Privacy Practices that explains uses of PHI and your rights.
  • Limit PHI uses and disclosures to the minimum necessary, where applicable.
  • Implement administrative, physical, and technical safeguards for ePHI under the HIPAA Security Rule.
  • Conduct risk analyses, manage risks, and maintain written policies and procedures.
  • Train the workforce, apply sanctions for violations, and monitor access with audit logs.
  • Execute Business Associate Agreements with vendors that handle PHI.
  • Respond to access and amendment requests within required timeframes and document decisions.
  • Investigate incidents and provide breach notifications when required.

Privacy Rights of Covered Individuals

HIPAA gives you actionable privacy rights that help you control your information while supporting safe, coordinated care.

  • Right of access: obtain copies of your PHI, on paper or electronically, generally within 30 days of your request (one 30-day extension is permitted), and direct a copy to a third party you designate.
  • Right to request an amendment to correct or clarify records.
  • Right to request restrictions on certain uses and disclosures, including limiting disclosure to a health plan when you pay a provider in full out of pocket.
  • Right to confidential communications (for example, contacting you at a specific address or phone number).
  • Right to an accounting of certain disclosures.
  • Right to receive and review the Notice of Privacy Practices and to file complaints without retaliation.
  • Right to be notified of breaches affecting your unsecured PHI.

Distinction Between Covered Individuals and Covered Entities

Covered individuals are the people whose PHI is protected. Covered entities are the organizations that collect, use, disclose, and secure that PHI. Your role is to exercise your rights; their role is to comply with HIPAA’s rules and safeguard information.

  • Rights versus obligations: you hold privacy rights; entities must implement and document compliance.
  • Control versus accountability: you can request access, amendments, and restrictions; entities must evaluate, honor, or lawfully deny requests and keep records.
  • Examples: a hospital (covered entity) must verify identity and apply access controls; you (covered individual) may request your ePHI via a patient portal.

HIPAA Compliance Requirements

Effective HIPAA compliance blends policy, technology, and oversight to maintain health information confidentiality across its lifecycle.

Program foundations

  • Perform regular risk analyses and manage identified risks to ePHI.
  • Maintain documented policies, procedures, and a sanctions process.
  • Designate privacy and security officials and conduct ongoing workforce training.
  • Use access controls, unique user IDs, authentication, and role-based permissions.
  • Encrypt ePHI in transit and at rest where feasible and maintain secure device management.
  • Monitor systems with audit logs, alerts, and periodic access reviews.
  • Establish incident response and timely breach notification processes.

Operational best practices

  • Apply the minimum necessary principle and least-privilege access.
  • Vet vendors, sign Business Associate Agreements, and verify downstream safeguards.
  • Use de-identification or limited data sets with appropriate agreements when sharing data.
  • Retain records as required and securely dispose of media containing PHI/ePHI.
  • Account for applicable state privacy laws that may be more protective than HIPAA.
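
The audit-log, role-based-permission, and minimum-necessary items in the two lists above come together in a periodic access review. The script below is an added example, not code from the article or from any vendor product: it runs constructed EHR audit-log lines through a role-based minimum-necessary policy and care-team assignments and reports the accesses a reviewer should look at (reads outside a role’s permitted record types, clinical reads of unassigned patients, break-glass events, and bulk access). The log format, roles, record types, assignments, and threshold are all assumptions for this example; a real EHR’s audit schema will differ.

```python
"""Minimum-necessary access monitoring over EHR audit-log lines.

Added example, not code from the original article.  It applies a role-based
"minimum necessary" policy and care-team assignments to constructed audit-log
lines and reports the accesses that a periodic access review should examine.
The log format, roles, record types and thresholds are assumptions for this
example; a real EHR's audit schema differs.
"""
import csv
from collections import defaultdict
from io import StringIO

# Record types each role needs for its job (minimum necessary).  Anything not
# listed is outside that role.
ROLE_PERMITS = {
    "nurse":      {"clinical", "medication"},
    "physician":  {"clinical", "medication", "lab"},
    "billing":    {"billing"},
    "front_desk": {"demographics"},
}

# Clinical roles are also limited to patients on their care team unless they
# record a break-glass reason (emergency access that must still be reviewed).
CARE_TEAM_ROLES = {"nurse", "physician"}
CARE_TEAM = {
    "nurse01": {"P100", "P101"},
    "doc01":   {"P100", "P102"},
}

# More distinct patients than this in one batch suggests bulk export or snooping.
BULK_THRESHOLD = 3

# Constructed sample audit log; not real data.
SAMPLE_LOG = """\
ts,user,role,action,patient_id,record_type,break_glass
2024-02-05T08:01:00Z,nurse01,nurse,read,P100,clinical,
2024-02-05T08:05:00Z,nurse01,nurse,read,P101,medication,
2024-02-05T08:09:00Z,nurse01,nurse,read,P999,clinical,
2024-02-05T08:12:00Z,doc01,physician,read,P102,lab,
2024-02-05T08:15:00Z,doc01,physician,read,P555,clinical,ER triage
2024-02-05T09:00:00Z,bill01,billing,read,P100,billing,
2024-02-05T09:02:00Z,bill01,billing,read,P100,clinical,
2024-02-05T09:30:00Z,desk01,front_desk,read,P100,demographics,
2024-02-05T09:31:00Z,desk01,front_desk,read,P101,demographics,
2024-02-05T09:32:00Z,desk01,front_desk,read,P102,demographics,
2024-02-05T09:33:00Z,desk01,front_desk,read,P103,demographics,
"""


def parse_log(text):
    """Parse CSV audit lines into dicts (header row names the fields)."""
    return list(csv.DictReader(StringIO(text)))


def check_event(event):
    """Return a list of finding strings for one access event (empty if clean)."""
    findings = []
    user, role = event["user"], event["role"]
    pid, rtype = event["patient_id"], event["record_type"]
    permitted = ROLE_PERMITS.get(role)
    if permitted is None:
        findings.append(f"{user}: unknown role {role!r}")
    elif rtype not in permitted:
        findings.append(f"{user} ({role}) read {rtype} for {pid}: outside role")
    if role in CARE_TEAM_ROLES and pid not in CARE_TEAM.get(user, set()):
        if event.get("break_glass"):
            findings.append(f"{user} break-glass on {pid}: {event['break_glass']!r}")
        else:
            findings.append(f"{user} read {pid} without care-team assignment")
    return findings


def review(text):
    """Run every event through the policy and count distinct patients per user.

    Returns (findings, patients_per_user).
    """
    findings = []
    patients = defaultdict(set)
    for event in parse_log(text):
        findings.extend(check_event(event))
        patients[event["user"]].add(event["patient_id"])
    for user, pids in sorted(patients.items()):
        if len(pids) > BULK_THRESHOLD:
            findings.append(f"{user} touched {len(pids)} patients: possible bulk access")
    return findings, {u: len(p) for u, p in patients.items()}


if __name__ == "__main__":
    for line in review(SAMPLE_LOG)[0]:
        print(line)
```

Two points carry over to production use: break-glass access is reported even though it is permitted, because the Privacy Rule’s minimum-necessary standard does not stop applying in an emergency, only the gating does; and the per-user patient count is what an access review actually looks at, since a user whose role permits every read can still be collecting records they have no reason to see.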

FAQs

Who qualifies as a covered individual under HIPAA?

A covered individual is any person whose PHI is created, received, maintained, or transmitted by a covered entity or its business associate. That includes patients, health plan members, and their personal representatives. Employment records held by an employer are not PHI, but the same person’s clinical records held by a provider or plan are protected.

What is the primary role of covered entities under HIPAA?

Their primary role is to deliver care or administer benefits while protecting PHI/ePHI. Covered entities must limit uses and disclosures, implement Privacy Rule and Security Rule safeguards, provide required notices, honor individual rights, manage vendors under Business Associate Agreements, and issue breach notifications when necessary.

How do covered individuals differ from covered entities?

Covered individuals are the people protected by HIPAA and hold privacy rights; covered entities are the organizations bound to comply. Individuals request access, corrections, and restrictions; entities implement policies, security controls, and compliance documentation and are accountable for violations.

What protections does HIPAA provide to covered individuals?

HIPAA provides confidentiality and security for PHI/ePHI, limits most uses and disclosures to defined purposes, requires the minimum necessary standard, and grants rights to access, amend, request restrictions, receive confidential communications, obtain an accounting of disclosures, and be notified of qualifying breaches.
