HIPAA Covered Entities (CE): Definition, Examples, and Compliance Requirements

Kevin Henry

HIPAA

September 03, 2025

6 minutes read
Definition of Covered Entities

A HIPAA Covered Entity (CE) is any health plan, health care clearinghouse, or health care provider that transmits health information electronically in connection with HIPAA Standard Transactions, such as claims, eligibility checks, or payment remittances. Covered Entities must protect Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) under the HIPAA Privacy Rule and Security Rule.

The three CE categories

  • Health plans: Insurers, HMOs, government programs (for example, Medicare, Medicaid), and employer-sponsored group health plans that provide medical benefits.
  • Health care clearinghouses: Entities that translate nonstandard data to standard formats (or vice versa), including billing services and repricing organizations.
  • Health care providers: Any provider—such as a physician, clinic, pharmacy, or hospital—who transmits health information electronically in a standard transaction.

PHI is individually identifiable health information in any form; ePHI is the subset of PHI that you create, receive, maintain, or transmit electronically. An organization with both covered and non-covered functions (for example, a university that runs a clinic) can designate itself a “hybrid entity,” applying HIPAA to its health care components while keeping its non-covered functions separate.

Examples of Covered Entities

Health care providers

  • Hospitals, physician practices, ambulatory surgery centers, urgent care clinics, and federally qualified health centers that submit electronic claims.
  • Pharmacies transmitting e-prescriptions or claims, dental and chiropractic offices that bill plans electronically, and telehealth providers conducting HIPAA Standard Transactions.

Health plans

  • Commercial health insurers, HMOs, Medicare Advantage plans, Medicaid managed care plans, student health plans administered as group health plans, and employer group health plans.

Health care clearinghouses

  • Medical billing services, claims clearinghouses, repricers, and value-added networks that convert data between nonstandard and standard EDI formats.

Common edge cases: a life insurer or workers’ compensation carrier is typically not a CE; a university that operates a health clinic may be a hybrid entity only for its health care components.

Compliance Requirements

Core HIPAA rules for Covered Entities

  • Privacy Rule: Governs permissible uses and disclosures of PHI, minimum necessary standards, Notices of Privacy Practices, and patient rights (access, amendments, and accounting of disclosures).
  • Security Rule: Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, supported by ongoing Risk Management.
  • Breach Notification Rule: Mandates prompt assessment and notification to affected individuals, regulators, and in some cases the media after an impermissible use or disclosure of unsecured PHI.
  • Transactions, Code Sets, and Identifiers: Requires standard formats for HIPAA Standard Transactions and use of national identifiers (for example, the NPI) to support interoperability.

Program fundamentals

Privacy Safeguards Implementation

Operational privacy controls

  • Minimum necessary: Limit PHI access and disclosures to what is reasonably necessary for the task; use role-based access and approval workflows.
  • Use/disclosure governance: Define routine disclosures (TPO—treatment, payment, health care operations) and require patient authorization for non-routine uses.
  • Notice of Privacy Practices: Provide and post an accurate NPP that explains how you use PHI and how individuals can exercise their rights.
  • De-identification and limited data sets: Remove identifiers or use a data use agreement when appropriate to reduce privacy risk.

Patient rights enablement

  • Offer timely access to records, amendments, and an accounting of disclosures.
  • Honor restrictions and confidential communication requests when required, and document decisions consistently.

Risk Analysis and Management

Risk analysis essentials

  • Inventory and data flows: Map systems, endpoints, applications, vendors, and where ePHI is created, received, maintained, or transmitted.
  • Threats and vulnerabilities: Evaluate technical, physical, and administrative risks (for example, ransomware, lost devices, misconfigurations, insider threats).
  • Risk evaluation: Rate likelihood and impact, prioritize a risk register, and document rationale for accepted, mitigated, or transferred risks.

Risk management in practice

  • Implement layered safeguards: strong authentication (including MFA), encryption in transit and at rest, endpoint protection, network segmentation, backups, and tested recovery procedures.
  • Harden systems with secure configurations, timely patching, audit logging, and monitoring for anomalous access to ePHI.
  • Review risks at least annually and whenever you introduce new systems, locations, or integrations involving PHI or HIPAA Standard Transactions.

Staff Training and Awareness

  • Provide onboarding training before PHI access, with annual refreshers and role-based deep dives for high-risk roles (billing, IT, front desk, telehealth).
  • Cover Privacy Rule basics, Security Rule expectations, incident reporting, acceptable use, workstation security, remote work, and data handling.
  • Reinforce awareness through simulations (for example, phishing), just-in-time reminders, and clear reporting channels for suspected incidents.
  • Track attendance, comprehension, and sanctions; retain training records as part of your compliance documentation.

Business Associate Management

Business Associates (BAs) are vendors or partners who create, receive, maintain, or transmit PHI on your behalf—such as billing vendors, cloud providers handling ePHI, or analytics firms. You must have Business Associate Agreements that bind BAs (and their subcontractors) to Privacy Rule and Security Rule safeguards and breach reporting duties.

Lifecycle controls for vendors

  • Identify and classify: Maintain an inventory of vendors touching PHI/ePHI and confirm which are BAs versus non-BAs.
  • Due diligence: Assess security controls, privacy practices, incident history, and regulatory attestations before sharing PHI.
  • BAAs: Execute BAAs before disclosure; require minimum necessary use, safeguard obligations, subcontractor flow-down, breach notification timelines, and termination/return-or-destruction terms.
  • Ongoing oversight: Monitor performance, review attestations, and reassess risk when services or data flows change.
  • Offboarding: On contract end, ensure PHI is returned or securely destroyed and access is revoked across systems.

Taken together, a clear definition of your Covered Entity scope, disciplined privacy safeguards, rigorous Risk Management, targeted training, and strong Business Associate oversight position you to meet HIPAA’s Privacy Rule and Security Rule requirements while protecting PHI and ePHI.

FAQs

What is a HIPAA covered entity?

A HIPAA covered entity is a health plan, health care clearinghouse, or health care provider that transmits health information electronically in connection with HIPAA Standard Transactions. Covered entities must comply with the HIPAA Privacy Rule and Security Rule to protect PHI and ePHI.

Which organizations are considered covered entities under HIPAA?

Covered entities include health plans (insurers, HMOs, government health programs, and group health plans), health care clearinghouses (for example, billing or repricing services that convert data formats), and health care providers who conduct standard electronic transactions such as claims, eligibility checks, or remittance advice.

What are the main compliance requirements for HIPAA covered entities?

Key requirements include implementing the Privacy Rule’s use/disclosure limits and patient rights; applying the Security Rule’s administrative, physical, and technical safeguards through formal Risk Management; complying with the Breach Notification Rule; training your workforce; managing Business Associate Agreements; and using standard formats for HIPAA Standard Transactions.

How do covered entities manage business associate compliance?

Covered entities identify vendors that handle PHI, perform due diligence, and execute Business Associate Agreements that require Privacy Rule and Security Rule safeguards, minimum necessary use, subcontractor flow-down, and timely breach notifications. They monitor BA performance, reassess risks when services change, and ensure PHI is returned or destroyed at contract end.
