HIPAA Compliance Explained: The Three Covered Entity Categories and Obligations
HIPAA compliance centers on protecting Protected Health Information (PHI) while enabling efficient care and payment operations. This guide explains the three covered entity categories and their core obligations under the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule so you can understand what HIPAA requires and how to implement it in practice.
Covered Entity Categories Overview
HIPAA applies to “covered entities,” which fall into three categories: health care providers, health plans, and health care clearinghouses. If you operate in one of these categories and handle PHI or electronic PHI (ePHI), you must meet HIPAA’s administrative, technical, and physical requirements.
- Health care providers that conduct standard electronic transactions such as claims, eligibility checks, or referrals.
- Health plans, including individual and group plans, insurers, and government programs that pay for medical care.
- Health care clearinghouses that translate nonstandard health information into standardized formats and vice versa.
Business associates are not covered entities, but when they create, receive, maintain, or transmit PHI on behalf of a covered entity they are directly subject to the Security Rule and to the Privacy Rule provisions that apply to them, and the relationship must be governed by a Business Associate Agreement. Some organizations are “hybrid entities,” designating only their health care components as subject to HIPAA.
Health Care Providers Definition
A health care provider is covered by HIPAA if it furnishes, bills, or is paid for health care and transmits health information in electronic form for a HIPAA standard transaction. This includes physicians, clinics, dentists, psychologists, pharmacies, laboratories, hospitals, nursing homes, home health agencies, and telehealth providers when they conduct electronic billing or related transactions.
Key points for providers include verifying when electronic transactions trigger HIPAA, limiting PHI use and disclosure to the minimum necessary, and training workforce members who access PHI. Providers must also give individuals access to their medical records and maintain required documentation for at least six years.
Health Plans Description
Health plans are covered entities because they pay for medical care and routinely handle PHI. This category includes commercial health insurance issuers, HMOs, employer-sponsored group health plans (including self-funded plans), Medicare, Medicaid, TRICARE, and state health benefits programs.
Plans such as life, disability, and workers’ compensation are generally outside HIPAA’s definition of a health plan. Covered health plans must issue a Notice of Privacy Practices, restrict PHI uses and disclosures, execute Business Associate Agreements with vendors, and safeguard ePHI consistent with the HIPAA Security Rule.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Health Care Clearinghouses Role
Health care clearinghouses transform health information between nonstandard and standard formats to support billing and payment. Examples include medical billing services, repricing companies, and value-added networks that translate claims, remittance advices, eligibility requests, and other transactions.
Clearinghouses are covered entities for the PHI they process. They must implement Security Rule controls for ePHI, limit workforce access, and ensure that any onward disclosures follow the HIPAA Privacy Rule. When a clearinghouse provides services to a provider or plan, it may also act as a business associate and must meet those obligations as well.
HIPAA Obligations for Covered Entities
Privacy Rule requirements
- Provide a clear Notice of Privacy Practices and follow permissible uses and disclosures of PHI for treatment, payment, and health care operations.
- Apply the minimum necessary standard to non-treatment disclosures and limit workforce access to role-based needs.
- Honor individual rights: access to records, requests to amend records, an accounting of certain disclosures, and requests for restrictions and confidential communications.
- Execute and manage Business Associate Agreements with vendors that handle PHI on your behalf.
Security Rule requirements
- Perform a risk analysis of ePHI, implement risk management, and assign privacy and security officials.
- Adopt policies, procedures, workforce training, and sanctions; review information system activity and manage access.
- Implement appropriate Administrative Safeguards, Physical Safeguards, and Technical Safeguards tailored to your risks and environment.
Documentation, training, and retention
- Maintain written policies and procedures, and document decisions—especially for addressable controls.
- Train the workforce initially and periodically; keep training and incident records.
- Retain required documentation for at least six years from creation or last effective date.
Security Rule Safeguards
The HIPAA Security Rule protects ePHI through three safeguard categories. Some implementation specifications are “required,” while others are “addressable.” Addressable does not mean optional: you must implement the specification if it is reasonable and appropriate for your environment; if it is not, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate.
Administrative Safeguards
- Risk analysis and risk management to identify threats and apply appropriate controls.
- Assigned security responsibility, workforce security, and role-based access management.
- Security awareness and training, including phishing and social engineering education.
- Contingency planning: data backup, disaster recovery, and emergency mode operations.
- Information system activity review, vendor oversight, and periodic evaluations.
Physical Safeguards
- Facility access controls and visitor management to protect areas where ePHI is stored.
- Workstation use and security standards for offices, nursing stations, and remote work.
- Device and media controls, including secure disposal, reuse procedures, and media tracking.
Technical Safeguards
- Access controls with unique user IDs, emergency access procedures, and automatic logoff.
- Encryption at rest and in transit where reasonable and appropriate to protect ePHI.
- Audit controls and activity logging to detect inappropriate access or use.
- Integrity protections and authentication to prevent unauthorized alteration of ePHI.
- Transmission security to protect data exchanged with patients, providers, and plans.
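The technical safeguards above are easier to reason about when you see them enforced at one chokepoint. The following is an added example, not code from the original page or from Accountable: a small Python access layer that binds a unique user ID to a session, terminates idle sessions (automatic logoff), returns only the fields a role is permitted to see (minimum necessary), allows a clinician with no treatment relationship to read a record only through an explicit emergency-access path, and writes an audit record for every attempt. The roles, the field policy, the 15-minute idle limit, the patient records, and the usernames are all assumed or constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

SESSION_IDLE_LIMIT = timedelta(minutes=15)  # assumed automatic-logoff threshold
# Assumed minimum-necessary policy: which ePHI fields each role may see.
ROLE_FIELDS = {
    "billing": {"patient_id", "insurance_id", "procedure_codes"},
    "clinician": {"patient_id", "diagnoses", "medications", "procedure_codes"},
}
# Constructed records, not real PHI.
PATIENTS = {
    "P001": {"patient_id": "P001", "insurance_id": "INS-4471", "diagnoses": ["E11.9"],
             "medications": ["metformin"], "procedure_codes": ["99213"]},
    "P002": {"patient_id": "P002", "insurance_id": "INS-9020", "diagnoses": ["I10"],
             "medications": ["lisinopril"], "procedure_codes": ["99214"]},
}
CARE_TEAM = {"P001": {"dr_lee"}, "P002": {"dr_patel"}}  # assumed treatment relationships


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user: str
    role: str
    last_active: datetime


@dataclass
class AuditRecord:
    time: datetime
    user: str
    role: str
    patient_id: str
    outcome: str       # "ok", "denied" or "emergency" (break-the-glass)
    fields: list[str]  # ePHI fields actually returned
    reason: str


class EphiStore:
    """Mediates every ePHI read and writes an audit record for each attempt."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.audit: list[AuditRecord] = []

    def login(self, session_id: str, user: str, role: str, now: datetime) -> None:
        self.sessions[session_id] = Session(user, role, now)  # unique user ID per session

    def _log(self, now, sess, patient_id, outcome, fields, reason) -> None:
        self.audit.append(AuditRecord(now, sess.user, sess.role, patient_id,
                                      outcome, sorted(fields), reason))

    def read(self, session_id: str, patient_id: str, now: datetime,
             emergency: bool = False) -> dict[str, object]:
        sess = self.sessions.get(session_id)
        if sess is None:
            raise AccessDenied("no active session")
        if now - sess.last_active > SESSION_IDLE_LIMIT:  # automatic logoff
            del self.sessions[session_id]
            self._log(now, sess, patient_id, "denied", [], "idle session logged off")
            raise AccessDenied("session expired")
        sess.last_active = now
        if patient_id not in PATIENTS:
            self._log(now, sess, patient_id, "denied", [], "unknown patient")
            raise AccessDenied("unknown patient")
        outcome, reason = "ok", "routine"
        # A clinician needs a treatment relationship unless emergency access is invoked;
        # emergency access is permitted but recorded so it can be reviewed afterwards.
        if sess.role == "clinician" and sess.user not in CARE_TEAM.get(patient_id, set()):
            if not emergency:
                self._log(now, sess, patient_id, "denied", [], "no treatment relationship")
                raise AccessDenied("not on the patient's care team")
            outcome, reason = "emergency", "break-the-glass access"
        # Minimum necessary: return only the fields this role is permitted to see.
        view = {k: v for k, v in PATIENTS[patient_id].items() if k in ROLE_FIELDS[sess.role]}
        self._log(now, sess, patient_id, outcome, view.keys(), reason)
        return view


def events_to_review(audit: list[AuditRecord], denied_threshold: int = 3) -> list[AuditRecord]:
    """Audit review: every break-the-glass read, plus denied attempts by users refused
    at least `denied_threshold` times (a common record-snooping signal)."""
    denied = Counter(r.user for r in audit if r.outcome == "denied")
    repeat = {u for u, n in denied.items() if n >= denied_threshold}
    return [r for r in audit
            if r.outcome == "emergency" or (r.outcome == "denied" and r.user in repeat)]


def run_demo() -> EphiStore:
    """Constructed access sequence that exercises each control; returns the store."""
    t0 = datetime(2024, 3, 1, 9, 0)
    store = EphiStore()
    store.login("s1", "bill_ops", "billing", t0)
    store.login("s2", "dr_patel", "clinician", t0)
    store.login("s3", "dr_lee", "clinician", t0)
    store.read("s1", "P001", t0 + timedelta(minutes=1))  # billing sees billing fields only
    try:
        store.read("s2", "P001", t0 + timedelta(minutes=2))  # dr_patel is not on P001's team
    except AccessDenied:
        pass
    store.read("s2", "P001", t0 + timedelta(minutes=3), emergency=True)  # break-the-glass
    try:
        store.read("s3", "P001", t0 + timedelta(minutes=30))  # dr_lee idle for 30 minutes
    except AccessDenied:
        pass
    return store
```

Running `run_demo()` produces four audit records (a routine billing read, a denied clinician read, a break-the-glass read, and a denied read from an expired session); `events_to_review` on that log surfaces the break-the-glass read for follow-up. The design point is that the policy decisions and the audit write happen in the same code path, so there is no way to retrieve ePHI without leaving a record, which is what makes the audit trail usable for the information system activity review the Administrative Safeguards require.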
Breach Notification Requirements
The Breach Notification Rule requires covered entities to notify affected individuals, and in some cases regulators and the media, after a breach of unsecured PHI. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, in practice by encryption or destruction consistent with HHS guidance. A breach is an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy; any impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised.
Four-factor risk assessment
- Type and sensitivity of PHI involved.
- Who used the PHI or to whom it was disclosed.
- Whether PHI was actually viewed or acquired.
- Extent to which the risk has been mitigated.
Timelines and notifications
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- For breaches affecting 500 or more individuals, notify the regulator (the HHS Office for Civil Rights) without unreasonable delay and no later than 60 days after discovery; if 500 or more of those individuals reside in one state or jurisdiction, also notify prominent media outlets serving that area within the same deadline.
- For breaches affecting fewer than 500 individuals, log each incident and report it to the regulator no later than 60 days after the end of the calendar year in which it was discovered.
- Business associates must notify the covered entity without unreasonable delay.
Content and safe harbor
- Notices must describe what happened, the PHI involved, steps individuals should take, actions you are taking, and contact information.
- PHI encrypted in a manner consistent with HHS guidance (which points to NIST standards for data at rest and in transit) is not “unsecured,” so its loss or exposure qualifies for a “safe harbor” and notification is not required, provided the decryption keys were not also compromised. A lost laptop with full-disk encryption whose key is held elsewhere is the classic case; data pulled from a system through valid credentials does not qualify, because the system decrypted it for the attacker.
In practice, you minimize breach risk by hardening access controls, encrypting devices and transmissions, monitoring for anomalies, and maintaining an incident response plan. Doing so strengthens HIPAA compliance and builds trust with patients and members.
FAQs
What are the three categories of covered entities under HIPAA?
The three categories are health care providers that conduct standard electronic transactions, health plans that pay for medical care, and health care clearinghouses that convert health data between nonstandard and standard formats.
What obligations do covered entities have under HIPAA?
Covered entities must follow the HIPAA Privacy Rule to control PHI uses and disclosures and honor individual rights, implement the HIPAA Security Rule’s Administrative Safeguards, Physical Safeguards, and Technical Safeguards for ePHI, and comply with the Breach Notification Rule’s assessment and notice requirements after incidents. They also must train their workforce, manage Business Associate Agreements, and maintain documentation.
How do health care clearinghouses comply with HIPAA?
Clearinghouses comply by limiting workforce access to PHI, implementing Security Rule safeguards for ePHI, translating transactions securely, and disclosing PHI only as permitted by the Privacy Rule or authorized by individuals. When acting for a provider or plan, they also meet business associate obligations and incident reporting timelines.