HIPAA Coverage Checklist: Health Plans, Providers, Clearinghouses, and Business Associates
This HIPAA coverage checklist helps you quickly determine who must comply, what activities trigger obligations, and where common exemptions apply. Use it to map Protected Health Information (PHI) flows, validate Covered Entity Definitions, and decide when Business Associate Agreements are required.
Each section explains the HIPAA Compliance Requirements that matter most, from Electronic Health Information Transmission by providers to Subcontractor HIPAA Obligations that flow down through contracts.
Health Plans Covered by HIPAA
What counts as a “health plan”
Under HIPAA, a health plan is any individual or group plan that provides or pays the cost of medical care. If you administer benefits or reimburse health care, you are likely a covered health plan and must safeguard PHI.
Examples of covered health plans
- Health insurance issuers and HMOs (individual and group products).
- Employer-sponsored group health plans, including self-funded plans managed by third-party administrators.
- Government programs that pay for health care, such as Medicare (including Medicare Advantage and Part D plans) and Medicaid.
- Prescription drug benefit programs and other medical benefit arrangements that pay for covered services.
Health Plan Exemptions (to the extent they provide only excepted benefits)
- Workers’ compensation, liability insurance, and automobile medical payment coverage.
- Accident-only or disability income policies and credit-only insurance.
- Coverage for on-site medical clinics offered solely by an employer.
- Limited-scope dental or vision, fixed indemnity, or disease-specific policies when offered separately and not coordinated with a medical plan.
- A group health plan with fewer than 50 participants that is self-administered by the employer that established it.
Tip: Health Savings Accounts (HSAs) and most plan sponsors are not covered entities by themselves, but the underlying group health plan typically is.
Health Care Providers and Electronic Transmission
When a provider becomes a covered entity
A health care provider is a HIPAA covered entity if it transmits any health information electronically in connection with a standard transaction. This Electronic Health Information Transmission trigger is the threshold for HIPAA’s Privacy, Security, and Breach Notification Rules.
Transactions that trigger coverage
- Claims and encounters (e.g., claims submission and coordination of benefits).
- Eligibility inquiries and responses.
- Claim status requests and remittance advice.
- Referral authorizations and prior authorizations.
- E-prescribing transactions with plans or pharmacy benefit managers.
What does not trigger coverage by itself
- Paper claims, postal mail, telephone calls, or fax, standing alone.
- Electronic activities unrelated to HIPAA’s standard transactions (e.g., scheduling emails that never include PHI).
Once a provider meets the electronic-transmission trigger, HIPAA applies to all PHI the provider maintains or transmits, not only to the transmitted data.
Role of Health Care Clearinghouses
What clearinghouses do
Health care clearinghouses convert nonstandard health information they receive from another entity into a standard format—or the reverse—for billing, eligibility, remittance, and related transactions. Examples include claims “switches,” repricers, and billing service hubs.
Coverage and responsibilities
- Clearinghouses are HIPAA covered entities in their own right, even when they act as intermediaries.
- They must implement Security Rule safeguards for electronic PHI and restrict uses and disclosures to what is necessary to perform their processing functions.
- When they perform services for a plan or provider, they typically also operate under a Business Associate Agreement.
Business Associates and Their Functions
Who is a business associate
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or provides specified services to a covered entity that involve PHI. The label follows the function, not the job title.
Common business associate functions
- Claims processing, billing, collections, utilization review, and quality analytics.
- IT hosting, cloud storage, data backup, email or messaging platforms that store PHI, and EHR vendors.
- Legal, actuarial, consulting, accreditation, and accounting services when PHI is accessed.
- Health Information Exchanges, e-prescribing gateways, and patient communication services that handle PHI.
- Shredding, scanning, and document management vendors that receive PHI.
Who is not a business associate
- A covered entity’s workforce members (employees, volunteers, trainees).
- Vendors that never create, receive, maintain, or transmit PHI.
- Consumer apps chosen by individuals that receive information at the individual’s direction and not on behalf of a covered entity.
Business Associate Agreements Requirements
Core contractual elements
- Define permitted and required uses and disclosures of PHI; prohibit uses not expressly allowed.
- Require administrative, physical, and technical safeguards for electronic PHI consistent with the Security Rule.
- Mandate breach and security incident reporting without unreasonable delay and within applicable time frames.
- Flow down the same restrictions and safeguards to subcontractors that handle PHI.
- Support individual rights: access, amendment, and accounting of disclosures when the BA holds the PHI.
- Require minimum necessary practices and prohibit the sale or marketing of PHI except as permitted by HIPAA.
- Allow HHS access to relevant records to determine compliance.
- Provide for return or destruction of PHI at termination, if feasible, and authorize termination for material breach.
Well-drafted Business Associate Agreements turn regulatory duties into clear, auditable performance obligations you can manage.
Exceptions to Covered Entity Status
Entities generally not covered
- Employers in their capacity as employers (benefits administration must be segregated and limited to plan functions).
- Life insurers and most property and casualty insurers (unless they operate a covered health plan line of business).
- Schools and school districts, law enforcement, and many municipal agencies, unless they operate a covered provider or plan component.
- Personal health record vendors engaged directly by consumers, acting solely at the consumer’s request.
Records that are not PHI
- Education records covered by FERPA and certain treatment records of students.
- Employment records a covered entity maintains in its role as an employer.
Hybrid entities and health care components
Organizations that perform both covered and non-covered activities may designate “health care components.” HIPAA applies to those components and their PHI, while firewalls and policies separate non-covered functions.
Compliance of Subcontractors and Workforce Members
Subcontractor HIPAA Obligations
Subcontractors of business associates that create, receive, maintain, or transmit PHI are business associates too. They are directly liable for Security Rule compliance, certain Privacy Rule provisions, and breach notifications, and they must sign BAAs with the upstream business associate.
Workforce expectations and enforcement
- Train workforce members on policies, minimum necessary standards, and incident reporting.
- Conduct risk analyses, manage access through role-based controls, and use encryption where appropriate.
- Apply sanctions for violations and maintain documentation to demonstrate ongoing compliance.
Conclusion
To apply this HIPAA coverage checklist, identify your role (plan, provider, clearinghouse, or business associate), confirm any Health Plan Exemptions, and map every point where PHI is created, received, maintained, or transmitted. Then implement the required safeguards and ensure BAAs and subcontractor controls are in place so compliance remains consistent end to end.
FAQs
Which entities are considered covered health plans under HIPAA?
Covered health plans include health insurance issuers and HMOs; employer group health plans (including self-funded plans); and government programs that pay for health care, such as Medicare, Medicare Advantage and Part D plans, and Medicaid. If a program pays for or reimburses medical care, it typically meets HIPAA’s health plan definition.
What functions classify a business associate under HIPAA?
An entity is a business associate when it creates, receives, maintains, or transmits PHI on behalf of a covered entity, or provides services like billing, claims processing, data analysis, legal, IT hosting, or accreditation that require PHI access. The need to handle PHI for regulated functions—not the contract label—determines BA status.
Are subcontractors required to follow HIPAA regulations?
Yes. Subcontractors of business associates that handle PHI are business associates themselves. They must sign Business Associate Agreements, implement Security Rule safeguards, follow applicable Privacy Rule provisions, and provide breach notifications through the chain without unreasonable delay.
Which health plans are excluded from HIPAA coverage?
Plans are excluded to the extent they provide only “excepted benefits,” such as workers’ compensation, liability and automobile medical payment coverage, accident-only or disability income policies, credit-only insurance, and employer on-site clinic coverage. Also excluded are limited-scope dental or vision, fixed indemnity, or disease-specific policies when offered separately, and a self-administered group health plan with fewer than 50 participants.