Guide to HIPAA Covered Entities: Three Categories and Compliance Duties

Kevin Henry

HIPAA

January 13, 2025


Health Care Providers

Health care providers are covered entities when they transmit health information electronically in connection with standard transactions. If you bill insurers, check eligibility, or send referrals electronically, you likely fall within HIPAA’s scope even as a small clinic, solo practitioner, or telehealth service.

Examples include physicians, dentists, chiropractors, hospitals, ambulatory surgery centers, laboratories, pharmacies, mental health professionals, and home health agencies. When you perform these activities, you handle Protected Health Information (PHI) and must meet all applicable Privacy Rule and Security Rule obligations.

Key obligations for providers

  • Limit uses and disclosures to treatment, payment, and operations unless an authorization or another permitted basis applies.
  • Honor individual rights, including access, amendments, and an accounting of disclosures.
  • Execute business associate agreements with vendors that create, receive, maintain, or transmit PHI on your behalf.
  • Implement administrative and technical safeguards for electronic PHI (ePHI).

Health Plans

Health plans include group and individual health insurers, HMOs, employer-sponsored plans providing medical benefits, and public programs such as Medicare, Medicaid, and military health coverage. If you pay for medical care, you are generally a covered entity under HIPAA.

Plan administrators must protect PHI when handling enrollment, premium billing, utilization review, and claims adjudication. If you are an employer plan sponsor, maintain a firewall between employment records and plan PHI and ensure only the plan function receives PHI under strict “minimum necessary” standards.

Key obligations for plans

  • Distribute a clear Notice of Privacy Practices explaining permissible uses of PHI and member rights.
  • Apply role-based access, audit capabilities, and retention policies suited to claims and member data.
  • Manage vendors (e.g., TPAs, PBMs) through business associate agreements and ongoing oversight.

Health Care Clearinghouses

Health care clearinghouses process nonstandard health information into standard transaction formats—or the reverse. If your organization converts claims, remittance advice, eligibility inquiries, or encounter data between formats, you may be a clearinghouse.

Common examples are medical billing services that standardize files, repricing companies, and value-added networks or switches that translate EDI. Even when you do not directly treat patients, you still handle PHI and must implement robust controls across intake, conversion, and transmission workflows.

Operational focus areas

  • Format translation accuracy and validation to prevent data integrity failures.
  • Segregation of client datasets, strong authentication, and transaction-level logging.
  • Rapid incident detection and coordination with trading partners if errors expose PHI.

Administrative Safeguards

Administrative safeguards are the foundation of your HIPAA Security Rule program. Start with a formal Risk Analysis to identify where ePHI resides, the threats it faces, and the likelihood and impact of those threats. Use the results to drive a documented risk management plan with prioritized controls.

Core administrative controls

  • Workforce security and sanction policies aligned to defined job roles.
  • Information access management and the “minimum necessary” standard.
  • Security awareness training, phishing resistance, and periodic refresher exercises.
  • Incident response procedures with clear triage, escalation, and post-incident reviews.
  • Contingency planning: data backup, disaster recovery, and emergency mode operations.
  • Regular evaluations to verify that safeguards remain effective as your environment changes.

Administrative safeguards should integrate with Technical Safeguards such as unique user IDs, multifactor authentication, encryption in transit and at rest, integrity controls, and audit logging. Together they create layered protection for ePHI across systems and vendors.

Privacy Policies and Procedures

Your Privacy Rule policies define how PHI is used, disclosed, and protected in daily operations. Document purpose-based access, minimum necessary rules, and approval paths for nonroutine disclosures. Ensure your workforce can locate and follow these procedures at the point of need.

Essential privacy artifacts

  • Notice of Privacy Practices that explains your uses of PHI, individual rights, and how to submit complaints.
  • Authorization processes for uses and disclosures not otherwise permitted by HIPAA.
  • Procedures for individual rights: access, amendments, restrictions, confidential communications, and accounting of disclosures.
  • Data lifecycle rules for retention, disposal, and secure media handling, including de-identification where appropriate.

Workforce Training and Privacy Officer Appointment

Designate a Privacy Officer to oversee Privacy Rule compliance and a Security Official to manage the Security Rule. In smaller organizations, one qualified person may fulfill both roles if conflicts are managed and duties are clearly defined.

Train all workforce members on privacy policies, administrative safeguards, and their job-specific responsibilities before they access PHI and periodically thereafter. Keep detailed training records, including dates, curricula, attendees, and any follow-up actions or sanctions.

Effective training practices

  • Role-based modules for front desk, clinical staff, billing, IT, and leadership.
  • Scenario-based exercises covering unauthorized access, misdirected communications, and social engineering.
  • Reinforcement through quick-reference guides and secure-by-default workflows.

Breach Reporting and Documentation

The Breach Notification Rule requires prompt Data Breach Notification to affected individuals when unsecured PHI is compromised. Conduct a four-factor risk assessment considering the data type, unauthorized person, whether PHI was actually acquired or viewed, and the extent of mitigation.

Notification timelines and content

  • Notify individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • Report breaches to HHS; for incidents affecting 500 or more residents of a state or jurisdiction, also notify prominent media.
  • Include in notices: a description of the breach, the types of PHI involved, steps individuals should take, mitigation measures you are taking, and contact information.

Documentation and continuous improvement

  • Maintain incident logs, investigation records, risk assessments, and notification evidence for at least six years.
  • Capture root causes and corrective actions; update policies, technical controls, and training accordingly.
  • Test your incident response plan and coordinate with business associates to ensure timely, accurate reporting.

Conclusion

HIPAA covered entities fall into three categories—health care providers, health plans, and health care clearinghouses—but all share core duties: safeguard PHI through risk-based administrative and technical safeguards, follow clear privacy policies, train your workforce, and execute timely, well-documented breach response. By embedding these practices into daily operations, you reduce risk and demonstrate accountable compliance.

FAQs

How many categories of covered entities are there under HIPAA?

There are three categories of HIPAA covered entities: health care providers, health plans, and health care clearinghouses. Each handles PHI differently but must comply with the Privacy, Security, and Breach Notification Rules.

What are the compliance duties of HIPAA covered entities?

Covered entities must implement Administrative Safeguards and relevant Technical Safeguards, maintain Privacy Policies and Procedures (including a Notice of Privacy Practices), appoint a Privacy Officer and Security Official, train the workforce, manage business associates, conduct ongoing Risk Analysis and risk management, and perform timely Data Breach Notification with thorough documentation.

Which organizations qualify as health care clearinghouses?

Organizations that convert nonstandard health data to standard formats—or the reverse—qualify as clearinghouses. Typical examples include billing services performing EDI translation, repricing companies, and value-added networks or switches that standardize transactions while handling PHI.
