HIPAA Covered Entities Explained: Requirements, Obligations, and Common Compliance Risks
Definitions of Covered Entities
Who is a covered entity
Under HIPAA, you are a covered entity if you are a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. Typical transactions include claims, eligibility inquiries, referrals, and prior authorizations.
PHI vs. ePHI
Protected Health Information (PHI) is individually identifiable health information in any form—paper, verbal, or digital. Electronic Protected Health Information (ePHI) refers specifically to PHI that is created, received, maintained, or transmitted electronically, and it triggers the HIPAA Security Rule safeguards.
Hybrid entities and organized arrangements
A hybrid entity is a single organization with both covered and non‑covered functions that formally designates its health care components. Many hospitals also participate in organized health care arrangements, enabling shared PHI for joint operations while retaining each participant’s independent compliance duties.
Privacy Rule Requirements
Permitted uses and disclosures
You may use or disclose PHI without authorization for treatment, payment, and health care operations, and for specific public‑interest purposes. Apply the minimum necessary standard to limit access and disclosures to what is reasonably needed.
Individual rights
Patients have rights to access and obtain copies of their PHI, request amendments, receive an accounting of certain disclosures, request restrictions, and choose confidential communications. You must have clear processes to verify identity, log requests, and respond within required timeframes.
Notice of Privacy Practices
Provide and post a Notice of Privacy Practices that explains how you use PHI, patient rights, and how to contact your privacy office. Keep versions current, distribute updates when material changes occur, and retain acknowledgments and prior versions for recordkeeping.
De‑identification and data minimization
Use de‑identification when feasible to reduce risk and compliance burden. Build workflows that minimize PHI collection, limit workforce access by role, and apply sanctions when policies are violated.
Security Rule Safeguards
Administrative Safeguards
Establish a security management process that includes risk analysis, risk management, sanction policies, and periodic evaluations. Designate a security official, conduct workforce training, manage vendor risk, and implement contingency and incident response plans.
Physical safeguards
Control facility access, protect workstations, and secure devices and media that store ePHI. Formalize media reuse and disposal, maintain visitor logs where appropriate, and document equipment inventories.
Technical Safeguards
Implement access controls (unique IDs, least privilege, MFA where appropriate), audit controls, integrity protections, and transmission security. Encrypt ePHI at rest and in transit based on risk, and continuously monitor logs for anomalous activity.
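The audit-control and monitoring points above are easier to see against concrete records. The following is an added example, not code from the original article or from any product it mentions: it reviews a handful of constructed ePHI access-log lines and flags four conditions a covered entity would typically want surfaced (a deactivated account still accessing records, an action outside the user's role, an export at an unusual hour, and one user touching an unusual number of distinct patients in a day). The log format, role-to-action map, user list and thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Assumed field layout: timestamp|user|role|action|patient_id
SAMPLE_LOG = """\
2024-03-01T09:12:04|nurse.a|nurse|VIEW|P1001
2024-03-01T09:15:31|nurse.a|nurse|VIEW|P1002
2024-03-01T02:41:10|billing.b|billing|EXPORT|P1003
2024-03-01T10:02:00|former.c|nurse|VIEW|P1004
2024-03-01T11:00:00|analyst.d|analyst|VIEW|P1005
2024-03-01T11:00:05|analyst.d|analyst|VIEW|P1006
2024-03-01T11:00:09|analyst.d|analyst|VIEW|P1007
2024-03-01T11:00:14|analyst.d|analyst|VIEW|P1008
2024-03-01T11:00:20|analyst.d|analyst|VIEW|P1009
2024-03-01T11:00:25|analyst.d|analyst|VIEW|P1010
2024-03-01T13:30:00|nurse.a|nurse|EXPORT|P1001
"""

# Assumed identity data: accounts that are still active, and the actions each role may perform.
ACTIVE_USERS = {"nurse.a", "billing.b", "analyst.d"}
ROLE_ACTIONS = {
    "nurse": {"VIEW", "UPDATE"},
    "billing": {"VIEW", "EXPORT"},
    "analyst": {"VIEW"},
}
BULK_THRESHOLD = 5      # distinct patients per user per day before flagging (assumed)
AFTER_HOURS = (22, 6)   # exports from 22:00 up to 06:00 are flagged (assumed window)


def parse_log(text):
    """Turn the pipe-delimited sample lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "patient": patient,
        })
    return records


def detect_anomalies(records):
    """Return (finding_type, user, detail) tuples for records worth an analyst's review."""
    findings = []
    per_user_day = defaultdict(set)   # (user, date) -> distinct patients touched

    for r in records:
        # 1. Access by an account that is no longer active (stale-account governance).
        if r["user"] not in ACTIVE_USERS:
            findings.append(("inactive_account", r["user"], r["patient"]))

        # 2. Action the user's role is not permitted to perform (least privilege).
        if r["action"] not in ROLE_ACTIONS.get(r["role"], set()):
            findings.append(("role_action_mismatch", r["user"], r["action"]))

        # 3. Bulk export outside the assumed business-hours window.
        hour = r["ts"].hour
        if r["action"] == "EXPORT" and (hour >= AFTER_HOURS[0] or hour < AFTER_HOURS[1]):
            findings.append(("after_hours_export", r["user"], r["patient"]))

        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])

    # 4. Unusually broad record access by one user in a single day.
    for (user, day), patients in per_user_day.items():
        if len(patients) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, len(patients)))

    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, the review yields one finding of each type: the deactivated account `former.c`, an EXPORT by a nurse role, a 02:41 export by `billing.b`, and `analyst.d` viewing six distinct patients. In practice the thresholds would come from the risk analysis, and the role map from the access-governance process, rather than being hard-coded.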
Program governance and updates
Review policies at least annually or after major changes, and align them with HIPAA Security Rule updates and current best practices. Use metrics and testing—such as tabletop exercises and vulnerability management—to verify that safeguards work as intended.
Breach Notification Obligations
Determining whether an incident is a breach
A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. Conduct a risk‑of‑compromise assessment considering the PHI’s sensitivity, who received it, whether it was actually viewed, and mitigation steps taken.
Who to notify and when
Notify affected individuals without unreasonable delay and no later than 60 days after discovery. Report to the Department of Health and Human Services as required, and if a breach affects 500 or more residents of a state or jurisdiction, notify prominent media outlets.
Required content and documentation
Notices must describe what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm, and how to contact you. Preserve investigation records, risk assessments, and corrective actions to demonstrate compliance with the Breach Notification Rule.
Business Associate Agreements
Who is a business associate
A business associate is any vendor or partner that creates, receives, maintains, or transmits PHI on your behalf. Examples include cloud and EHR providers, billing services, transcription vendors, and analytics firms.
What to include in a Business Associate Agreement (BAA)
A strong Business Associate Agreement (BAA) defines permitted uses and disclosures, requires safeguards for ePHI, mandates breach reporting, flows obligations to subcontractors, supports audits, and sets termination and return or destruction of PHI. Align BAAs with your risk profile and incident response plans.
Ongoing oversight
Due diligence does not end at signature. Perform risk‑based vendor assessments, review independent attestations when available, map data flows, test incident contacts, and ensure BAAs are updated when changes in services or HIPAA Security Rule updates alter the risk.
Risk Assessment Procedures
Scope and inventory
Start by inventorying systems, applications, devices, and third parties that create or store ePHI. Map where PHI enters, moves, is stored, and exits, including APIs, backups, and end‑user devices.
Threats, vulnerabilities, and controls
Identify threats (errors, insiders, ransomware, third‑party failures) and vulnerabilities (misconfigurations, weak authentication, unpatched software). Catalog existing administrative, physical, and technical controls and evaluate how effectively they reduce risk.
Risk scoring and remediation
Rate likelihood and impact to prioritize remediation. Build a plan of actions and milestones with owners, deadlines, and budget, and tie it to training, patching, encryption, and monitoring improvements.
Continuous monitoring
Reassess after significant changes, new systems, or incidents, and at least annually. Track metrics such as unresolved high risks, time to patch, access review completion, and phishing resilience to drive accountability.
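The scoring, remediation-planning and continuous-monitoring steps described in this section can be tied together in a small risk register. The following is an added example, not code from the original article or from any product it mentions: it rates each constructed risk by likelihood times impact on an assumed 1–5 scale, maps the product to a high/medium/low rating with assumed thresholds, orders the plan of actions and milestones by score, and then computes two of the metrics named above (unresolved high risks and overdue remediation items) plus an open-item count per owner for accountability. The register entries, scale, thresholds and owners are all constructed for the illustration.

```python
from collections import Counter
from datetime import date

# Constructed risk register (assumed schema). Likelihood and impact are on a 1-5 scale.
RISKS = [
    {"id": "R-1", "title": "Unpatched EHR application server", "likelihood": 4, "impact": 5,
     "owner": "infra", "due": date(2024, 2, 15), "status": "open"},
    {"id": "R-2", "title": "Stale accounts in billing portal", "likelihood": 3, "impact": 4,
     "owner": "iam", "due": date(2024, 4, 30), "status": "open"},
    {"id": "R-3", "title": "Unencrypted backup media", "likelihood": 2, "impact": 5,
     "owner": "infra", "due": date(2024, 1, 31), "status": "closed"},
    {"id": "R-4", "title": "Visitor log not kept at clinic B", "likelihood": 2, "impact": 2,
     "owner": "facilities", "due": date(2024, 6, 30), "status": "open"},
]

# Assumed rating thresholds on the 1-25 product scale.
HIGH_CUTOFF = 15
MEDIUM_CUTOFF = 8


def risk_score(likelihood, impact):
    """Simple likelihood x impact product; both inputs are expected to be 1-5."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def rating(score):
    """Map a score to the qualitative band used to prioritise remediation."""
    if score >= HIGH_CUTOFF:
        return "high"
    if score >= MEDIUM_CUTOFF:
        return "medium"
    return "low"


def prioritize(risks):
    """Return a copy of the register, scored and sorted highest risk first (the POA&M order)."""
    scored = []
    for r in risks:
        s = risk_score(r["likelihood"], r["impact"])
        scored.append({**r, "score": s, "rating": rating(s)})
    return sorted(scored, key=lambda r: r["score"], reverse=True)


def monitoring_metrics(risks, today):
    """Metrics for the periodic review: open high risks, overdue items, open items per owner."""
    scored = prioritize(risks)
    open_items = [r for r in scored if r["status"] == "open"]
    return {
        "open_high": sum(1 for r in open_items if r["rating"] == "high"),
        "overdue": sorted(r["id"] for r in open_items if r["due"] < today),
        "open_by_owner": dict(Counter(r["owner"] for r in open_items)),
    }


if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f'{r["id"]} {r["rating"]:6} score={r["score"]:2} owner={r["owner"]} due={r["due"]}')
    print(monitoring_metrics(RISKS, date(2024, 3, 1)))
```

With the review date set to 2024-03-01, the constructed register produces one open high risk (the unpatched server, which is also the one overdue item) and one open item each for the infra, IAM and facilities owners; the closed backup-media risk drops out of every metric, which is why status must be kept current for the numbers to mean anything.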
Compliance Challenges and Penalties
Common compliance risks
- Shadow IT, unmanaged endpoints, and bring‑your‑own‑device expanding ePHI exposure.
- Incomplete access governance, stale user accounts, and inadequate audit logging.
- Insufficient encryption or key management for cloud storage and backups.
- Vendor sprawl without rigorous BAA terms or oversight.
- Gaps in training, especially for phishing, social engineering, and data handling.
- Legacy systems that cannot meet Technical Safeguards without compensating controls.
Penalties and enforcement
HIPAA uses tiered civil monetary penalties that scale with culpability and the organization’s response, from reasonable cause to willful neglect. Remedies often include corrective action plans and monitoring, and serious violations can lead to criminal liability, reputational harm, and litigation costs.
Conclusion
Covered entities that master Privacy Rule obligations, implement layered Security Rule safeguards, execute robust BAAs, and run disciplined risk assessments dramatically reduce exposure. Treat compliance as an ongoing program with clear ownership, measurement, and continuous improvement.
FAQs
What qualifies an organization as a HIPAA covered entity?
You qualify if you are a health plan, a health care clearinghouse, or a health care provider who electronically transmits standardized transactions (such as claims or eligibility checks). These roles trigger HIPAA duties whenever you create, receive, maintain, or transmit PHI.
What are the key responsibilities of covered entities under HIPAA?
You must protect PHI and ePHI through policies, training, and safeguards; limit uses and disclosures to permitted purposes; honor individual rights; conduct risk analyses; implement Administrative Safeguards and Technical Safeguards; maintain documentation; and follow the Breach Notification Rule when incidents occur.
How do business associate agreements impact covered entities?
BAAs contractually bind vendors to protect PHI, report incidents, and pass obligations to subcontractors. They reduce risk by clarifying roles, but they do not transfer your accountability—you remain responsible for selecting, overseeing, and updating vendors and agreements.
What are the consequences of HIPAA non-compliance for covered entities?
Consequences include tiered civil penalties, potential criminal charges for egregious misuse, corrective action plans with monitoring, costly notifications, operational disruption, and reputational damage. Proactive governance and continuous improvement are the best defense.