Guide to HIPAA Covered Entities: Three Types, Scope, and Compliance Obligations
This guide to HIPAA covered entities explains the three types, how their scope is defined, and the key compliance obligations you must meet under the Privacy Rule, Security Rule, and Breach Notification Rule. Throughout, we focus on protecting Protected Health Information (PHI) and managing vendors with a solid Business Associate Agreement.
Types of HIPAA Covered Entities
Under HIPAA, “covered entities” fall into three categories. You are a covered entity if you perform one of the functions described below and, in doing so, create, receive, maintain, or transmit PHI.
- Health care providers that transmit health information electronically in connection with standard transactions (for example, claims, eligibility, or referrals).
- Health plans that provide or pay the cost of medical care, including insurers, HMOs, government programs, and employer-sponsored group health plans.
- Health care clearinghouses that translate nonstandard health data into standard formats (and vice versa) for billing and related transactions.
Business associates are not covered entities, but they are directly regulated when they create, receive, maintain, or transmit PHI for a covered entity. In those cases, you must execute a Business Associate Agreement and ensure appropriate safeguards are in place.
Health Care Providers Overview
You qualify as a covered entity health care provider if you furnish care and conduct standard electronic transactions. This includes hospitals, physicians, clinics, dentists, pharmacies, labs, psychologists, chiropractors, and many others.
Provider status hinges on transmitting standardized electronic transactions—not on the size of your practice. If you only use paper and never conduct standard transactions electronically, HIPAA’s covered entity requirements may not apply, though state privacy laws still might. When covered, you must follow the Privacy Rule’s use-and-disclosure limits, issue a Notice of Privacy Practices, honor access and amendment rights, and apply minimum necessary standards to PHI.
Health Plans Characteristics
Health plans include individual and group plans that provide or pay the cost of medical care. Examples include health insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans. The plan—not the employer—is the covered entity, but employers acting as plan sponsors must limit and separate access to PHI and update plan documents to reflect required safeguards.
Health plans must comply with the Privacy Rule and Security Rule, provide a Notice of Privacy Practices to members, manage enrollment and claims data appropriately, and execute Business Associate Agreements with vendors that handle PHI. Some narrowly defined small, self-administered arrangements may fall outside the covered entity definition, but most health plans are covered.
Role of Health Care Clearinghouses
Health care clearinghouses convert nonstandard health information they receive from another entity into a standard format (or the reverse). Examples include billing services, repricing firms, and EDI networks that standardize claims, remittance advice, or eligibility data.
Clearinghouses are covered entities when they process PHI for their own clients, and they may also act as business associates to providers or plans. They must implement the Security Rule’s Administrative Safeguards, Physical Safeguards, and Technical Safeguards and handle disclosures under the Privacy Rule.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Obligations for Covered Entities
Privacy Rule essentials
- Use and disclose PHI only as permitted (treatment, payment, and health care operations) or as otherwise allowed by law; obtain valid authorizations for other uses.
- Apply the minimum necessary standard to routine uses and disclosures.
- Provide a clear Notice of Privacy Practices and designate a privacy official.
- Honor individual rights: access (generally within 30 days, with limited extension), amendments, restrictions, confidential communications, and an accounting of disclosures where required.
Security Rule essentials
Conduct a comprehensive risk analysis, implement risk management, and document decisions. The Security Rule is technology-neutral but requires the following safeguard categories for electronic PHI (ePHI):
- Administrative Safeguards: risk analysis and risk management, workforce training and sanctions, information access management, security incident procedures, contingency planning, and vendor oversight.
- Physical Safeguards: facility access controls, workstation safeguards, and device/media controls (secure disposal, reuse, and transport).
- Technical Safeguards: unique user IDs and access controls, audit controls and logging, integrity protections, authentication, and transmission security (for example, encryption in transit).
Good practices include encryption at rest where feasible, multi-factor authentication, timely patching, continuous monitoring, and role-based access with regular reviews.
Breach Notification Rule
- Assess each incident involving unsecured PHI; it is presumed to be a breach unless your documented risk assessment shows a low probability that the PHI was compromised.
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery. Report to the regulator and, for larger incidents, to the media as required; log smaller breaches and report them to the regulator annually.
Program governance and documentation
- Maintain policies, procedures, and required documentation for six years from the date of creation or the date last in effect, whichever is later.
- Train your workforce on the Privacy Rule, Security Rule, and incident response; refresh training regularly and upon material changes.
- Inventory systems and vendors that handle PHI; limit access, review audit logs, and test contingency plans.
Importance of Business Associate Agreements
When a BAA is required
You must execute a Business Associate Agreement before a vendor creates, receives, maintains, or transmits PHI on your behalf. Common business associates include cloud service providers, EHR vendors, billing and coding firms, transcription services, data analytics providers, law firms, and consulting companies.
What a BAA should cover
- Permitted and required uses/disclosures of PHI and prohibition on unauthorized uses.
- Obligation to implement the Security Rule’s safeguards and to report incidents and breaches promptly.
- Flow-down requirements to subcontractors handling PHI.
- Right to terminate for material breach and requirements to return or securely destroy PHI at termination if feasible.
- Restrictions on marketing, sale of PHI, and use for non-permitted analytics unless expressly authorized.
Remember: signing a BAA does not transfer your HIPAA responsibilities. You must still vet vendors, verify safeguards, and monitor performance.
Enforcement and Penalties under HIPAA
How enforcement works
The U.S. Department of Health and Human Services Office for Civil Rights investigates complaints, breach reports, and compliance reviews. State attorneys general may also bring civil actions, and the Department of Justice can pursue criminal violations.
Penalty tiers and outcomes
HIPAA features a four-tier civil penalty structure ranging from violations a covered entity did not know and could not reasonably have known about to willful neglect not corrected. Outcomes include corrective action plans, monitoring, and monetary settlements. Penalty amounts scale with factors such as the nature and extent of the violation, harm caused, history of noncompliance, and timeliness of remediation.
Common pitfalls
- Failure to perform an enterprise-wide risk analysis and manage identified risks.
- Missing or inadequate Business Associate Agreements.
- Impermissible disclosures, including misdirected email or fax and lost or stolen devices that lacked effective safeguards such as encryption.
- Insufficient audit logging, access reviews, or workforce training.
Conclusion
Understanding the three covered entity types—and how the Privacy Rule, Security Rule, and Business Associate Agreement requirements fit together—lets you build a practical, right-sized compliance program. Focus on risk analysis, documented safeguards, workforce readiness, and disciplined vendor management to protect PHI and reduce enforcement risk.
FAQs
What are the three types of HIPAA covered entities?
The three types are health care providers that conduct standard electronic transactions, health plans that provide or pay the cost of medical care, and health care clearinghouses that convert health data between nonstandard and standard formats. Each handles Protected Health Information and must comply with applicable Privacy Rule, Security Rule, and breach notification requirements.
How do HIPAA rules apply to business associates?
Business associates are directly regulated when they create, receive, maintain, or transmit PHI for a covered entity. They must implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards under the Security Rule, follow applicable Privacy Rule provisions in their contracts, and report incidents and breaches. A signed Business Associate Agreement is required and must flow down to subcontractors.
What compliance measures must covered entities implement?
At a minimum: conduct and update a risk analysis; implement risk-based Security Rule safeguards; apply Privacy Rule standards (minimum necessary, authorizations, and individual rights); train the workforce; execute and manage Business Associate Agreements; maintain policies and documentation for six years; and follow breach notification timelines, typically no later than 60 days after discovery for notifiable incidents.