Defining Covered Entities: A Deep Dive into HIPAA Regulations


Kevin Henry

HIPAA

January 11, 2024

6-minute read

Health Plans as Covered Entities

Who qualifies as a health plan

Under HIPAA’s Administrative Simplification provisions, health plans are covered entities that finance or pay for medical care. This includes individual and group health insurers, HMOs, Medicare, Medicaid, Medicare Advantage and Part D sponsors, employer group health plans, and certain government programs that pay for health care.

Some programs that pay benefits but not for “medical care” (such as life insurance) are not health plans under HIPAA. Hybrid organizations may designate health care components to limit HIPAA’s scope to their plan operations.

Core privacy and security obligations

Health plans must safeguard Protected Health Information (PHI) under the HIPAA Privacy Rule and protect Electronic Protected Health Information (ePHI) under the Security Rule. Key duties include limiting uses and disclosures to treatment, payment, and health care operations, honoring the minimum necessary standard, and providing a Notice of Privacy Practices to beneficiaries.

Plans also need robust vendor oversight through Business Associate Agreements, access controls for plan staff, and breach response processes that meet the Breach Notification Rule’s timelines and content requirements.

Health Care Providers and Their Responsibilities

When a provider is a covered entity

A health care provider becomes a covered entity when it transmits health information electronically in connection with a HIPAA standard transaction. This captures physicians, hospitals, clinics, dentists, pharmacies, telehealth practices, and many allied health professionals engaged in billing or eligibility checks.

Practical responsibilities in care settings

  • Provide and post the Notice of Privacy Practices and obtain acknowledgments when appropriate.
  • Use and disclose PHI for treatment, payment, and health care operations, with authorizations for uses beyond HIPAA allowances.
  • Apply the minimum necessary standard to routine operations, implement role-based access, and maintain audit logs for ePHI.
  • Train the workforce, sanction violations, and maintain policies, procedures, and documentation required by the Privacy and Security Rules.

Role of Health Care Clearinghouses

What clearinghouses do

Health care clearinghouses convert nonstandard health information from another entity into standard formats—or vice versa. They sit at the data “switch,” normalizing claims, eligibility, remittance, and other Standard Transactions to meet Administrative Simplification requirements.

HIPAA implications

Clearinghouses are covered entities, even when they also serve as business associates. They must safeguard PHI and ePHI, restrict uses and disclosures to what HIPAA permits, and maintain technical controls such as transmission security, integrity protections, and authentication across their translation and routing services.

HIPAA Covered Transactions

Standard Transactions at a glance

Administrative Simplification mandates uniform formats and code sets so systems can exchange data consistently. Common Standard Transactions include:

Pharmacy and other sectors use recognized standards to support these transactions, helping reduce administrative friction and error rates while strengthening privacy and security controls for ePHI in transit.

Compliance Requirements for Covered Entities

Privacy Rule essentials

  • Define permissible uses and disclosures, honoring patient rights to access, amend, and obtain an accounting of disclosures.
  • Issue and maintain an accurate Notice of Privacy Practices that explains uses, rights, and complaint processes.
  • Apply minimum necessary to operational disclosures and implement safeguards for conversations, paper records, and digital systems.

Security Rule safeguards for ePHI

  • Administrative: risk analysis and risk management, workforce training, sanctions, vendor oversight, and contingency planning.
  • Physical: facility access controls, workstation security, device and media controls, and secure disposal.
  • Technical: unique user IDs, access controls, encryption in transit and at rest where reasonable and appropriate, integrity checks, and audit controls.

Breach Notification and ongoing governance

  • Perform a four-factor risk assessment to determine if an incident is a reportable breach; notify affected individuals, HHS, and, when required, the media.
  • Maintain policies, procedures, and documentation; review at reasonable intervals; and address changes in technology, threats, and operations.
  • Leverage recognized security practices and continuous monitoring to strengthen resilience and demonstrate diligence during oversight.

Distinction Between Covered Entities and Business Associates

How roles differ

Covered entities directly deliver or pay for care and control primary HIPAA obligations for PHI. Business associates perform functions or services on a covered entity’s behalf that involve PHI—such as billing, claims processing, cloud hosting, analytics, or e-prescribing support. Subcontractors handling PHI for a business associate are also business associates.

Business Associate Agreements

Before sharing PHI, covered entities must execute Business Associate Agreements that define permitted uses and disclosures, safeguard requirements for ePHI, reporting of incidents, and termination provisions. Business associates are directly liable for Security Rule compliance and specific Privacy Rule provisions, including using PHI only as allowed by the agreement and law.

Enforcement and Penalties under HIPAA

Who enforces and how

The HHS Office for Civil Rights (OCR) enforces HIPAA through investigations, audits, and complaint reviews, while the Department of Justice handles criminal violations. State attorneys general may also bring civil actions on behalf of residents.

Penalty framework

HIPAA uses tiered civil monetary penalties that scale with culpability—from lack of knowledge to willful neglect—and are adjusted periodically for inflation. Remedies often include resolution agreements and corrective action plans requiring risk remediation, policy updates, workforce training, and monitoring.

Common triggers and mitigation

  • Unsecured ePHI (lost devices, misdirected emails, or weak access controls).
  • Overbroad disclosures that ignore the minimum necessary standard.
  • Insufficient risk analysis, outdated policies, or poor vendor oversight.
  • Delayed or incomplete breach notifications.

Conclusion

Covered entities—health plans, providers, and clearinghouses—anchor HIPAA’s privacy, security, and Administrative Simplification goals. By mastering Standard Transactions, rigorously safeguarding PHI and ePHI, and governing vendors through sound Business Associate Agreements, you reduce risk, support compliant health care operations, and sustain patient trust.

FAQs

What entities qualify as covered entities under HIPAA?

The three covered entity types are health plans, health care providers that transmit health information electronically in a HIPAA standard transaction, and health care clearinghouses. Each bears direct obligations under the HIPAA Privacy, Security, and Breach Notification Rules.

How do covered entities handle protected health information?

Covered entities use and disclose PHI for treatment, payment, and health care operations, apply the minimum necessary standard, protect ePHI with administrative, physical, and technical safeguards, and honor patient rights such as access and amendment. They also maintain policies, training, audits, and breach response processes.

What is the role of clearinghouses in HIPAA compliance?

Clearinghouses translate and route health information between parties, converting nonstandard formats to Standard Transactions and vice versa. As covered entities, they must implement strong privacy and security controls and limit uses and disclosures as HIPAA permits.

How do business associates differ from covered entities?

Business associates provide services to a covered entity that involve PHI but do not deliver or pay for care directly. They must sign Business Associate Agreements, follow the Security Rule, and comply with specified Privacy Rule provisions. Covered entities remain responsible for vendor oversight and ensuring uses align with HIPAA and the agreement.
