HIPAA Covered Entities Explained: The Three Types, Responsibilities, and Requirements
HIPAA covered entities are organizations that create, receive, maintain, or transmit Protected Health Information (PHI) in regulated ways. They must follow the HIPAA Privacy Rule, the HIPAA Security Rule, and breach notification requirements.
PHI includes identifiable health data in any form, while Electronic Protected Health Information (ePHI) is PHI created, stored, or transmitted electronically. Understanding which entities are covered—and what that means in practice—helps you manage risk, safeguard data, and meet compliance obligations.
Health Care Providers
You are a HIPAA covered entity as a provider if you transmit health information electronically in connection with standard transactions (for example, submitting claims or eligibility checks). This includes individual and institutional providers across care settings.
- Examples: physicians, clinics, hospitals, dentists, chiropractors, psychologists, pharmacies, laboratories, nursing homes, and telehealth providers.
- In scope: any provider that bills electronically or uses clearinghouses for HIPAA standard transactions.
- Considerations: hybrid entities (such as universities with clinics) must designate health-care components that handle PHI and apply requirements to those components.
If you never conduct HIPAA standard transactions electronically, you may not be a covered provider under HIPAA—even if you deliver health services—though state privacy laws can still apply.
Health Plans
Health plans are covered entities that provide or pay the cost of medical care. If you operate or administer benefits, you likely fall within this category and must protect PHI associated with enrollment, claims, utilization review, and coordination of benefits.
- Included: health insurance issuers, HMOs, employer-sponsored group health plans, Medicare, Medicaid, Medicare Advantage, and prescription drug plans.
- Sometimes included: certain Employee Assistance Programs (EAPs), Flexible Spending Accounts (FSAs), and Health Reimbursement Arrangements (HRAs) when they pay for care.
- Not included: life insurers, workers’ compensation carriers, auto liability insurers, or employers in their role as employers (though they may receive limited PHI as plan sponsors under strict conditions).
Group health plans must establish firewalls between plan administration and employment functions to prevent improper access to PHI.
Health Care Clearinghouses
Health care clearinghouses transform nonstandard health data they receive from another entity into standard formats (or vice versa). If you convert, reformat, or reprice transactions, you may be a clearinghouse.
- Examples: billing services, repricing companies, community health management information systems, and EDI gateways.
- Dual roles: clearinghouses often act as business associates when serving providers or plans, but they remain covered entities for the PHI they process.
Clearinghouses must secure PHI throughout data translation, routing, and storage processes, including when operating as intermediaries for multiple trading partners.
Privacy Rule Responsibilities
The HIPAA Privacy Rule governs when and how you may use or disclose PHI and the rights individuals have over their information. It applies to PHI in any medium—paper, verbal, or electronic.
Permitted uses and disclosures
- Treatment, payment, and health care operations (TPO) without authorization, subject to the minimum necessary standard for payment and operations.
- Public interest and legal disclosures (for example, certain public health or law enforcement purposes) as specifically allowed.
- All other uses/disclosures require a valid, written authorization.
Individual rights
- Access and obtain copies of PHI, generally within set timeframes.
- Request amendments to inaccurate or incomplete PHI.
- Receive an accounting of certain disclosures.
- Request restrictions and confidential communications when feasible.
Organizational duties
- Provide a Notice of Privacy Practices explaining your uses/disclosures and individual rights.
- Designate a privacy official, implement policies and procedures, train your workforce, and apply sanctions for violations.
- Apply the minimum necessary standard, verify requestors, and document decisions and authorizations.
- Mitigate known harmful effects of improper uses/disclosures and maintain required records for retention periods.
Security Rule Responsibilities
The HIPAA Security Rule requires you to protect the confidentiality, integrity, and availability of ePHI. It is risk-based and scalable, allowing you to tailor safeguards to your size, complexity, technology, and threats.
Administrative Safeguards
- Risk analysis and risk management with documented remediation plans.
- Assign a security official; establish policies, procedures, and workforce training.
- Information access management, workforce clearances, and sanctions.
- Contingency planning (data backup, disaster recovery, emergency mode operations) and periodic evaluations.
- Business associate oversight to ensure appropriate protections for ePHI.
Physical Safeguards
- Facility access controls and contingency operations.
- Workstation use and security standards for on-site and remote work.
- Device and media controls, including inventory, secure disposal, and reuse procedures.
Technical Safeguards
- Access controls (unique user IDs, emergency access, automatic logoff) and role-based access.
- Audit controls to log and monitor activity across systems holding ePHI.
- Integrity protections and person or entity authentication.
- Transmission security (for example, encryption in transit) and encryption at rest as appropriate based on risk.
Security documentation must reflect your current environment; review and update it as systems, vendors, and threats evolve.
Breach Notification Procedures
A breach is generally an impermissible use or disclosure of unsecured PHI that compromises privacy or security. You must perform a risk assessment considering factors like the nature of the data, the unauthorized person, whether PHI was actually acquired/viewed, and the extent of mitigation.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, using first-class mail or agreed electronic means.
- For breaches affecting 500 or more residents of a state or jurisdiction, notify prominent media outlets.
- Notify the federal health authority: for 500 or more individuals, without unreasonable delay and no later than 60 days; for fewer than 500, log and report annually.
- Include in notices: a brief description of the breach, types of information involved, steps individuals should take, your corrective actions, and contact methods.
- Business associates must notify the covered entity promptly with details sufficient for individual notices.
- A delay is permitted if a law enforcement official states that notification would impede a criminal investigation; document the request and the resulting delay as required.
Business Associate Agreements
A business associate (BA) is a person or entity that performs functions or services for you that involve PHI. Before sharing PHI with a BA, you must execute a Business Associate Agreement (BAA) defining permitted uses and safeguards.
Required BAA elements
- Permitted and required uses/disclosures of PHI by the BA and a prohibition on uses beyond the agreement or law.
- Safeguards for PHI and ePHI consistent with the HIPAA Security Rule, including incident response and reporting of breaches and security events.
- Obligations to ensure subcontractors agree to the same restrictions and safeguards.
- Provisions enabling access, amendment, and accounting of disclosures to support individual rights.
- Return or destruction of PHI at termination where feasible and termination rights for material breach.
- Documentation, cooperation with investigations, and allocation of responsibilities for breach notifications.
Business associates are directly liable for certain HIPAA violations. Vet their security program, verify insurance coverage as appropriate, and monitor performance throughout the relationship.
Conclusion
HIPAA covered entities—health care providers, health plans, and health care clearinghouses—must safeguard PHI and ePHI through clear Privacy Rule practices, robust Security Rule controls, timely breach notifications, and well-crafted BAAs. A risk-based, documented approach turns compliance into a reliable, repeatable process.
FAQs
What are the three types of HIPAA covered entities?
The three types are health care providers that conduct standard electronic transactions, health plans that provide or pay for care, and health care clearinghouses that convert data between nonstandard and standard transaction formats.
What responsibilities do covered entities have under the Privacy Rule?
Covered entities must limit uses and disclosures to what the HIPAA Privacy Rule permits, apply the minimum necessary standard, provide a Notice of Privacy Practices, honor individual rights (access, amendment, accounting, restrictions), train their workforce, and maintain policies, procedures, and documentation.
How do covered entities handle breach notifications?
They assess whether an impermissible use/disclosure of unsecured PHI constitutes a breach and, if so, notify affected individuals without unreasonable delay and within 60 days, notify the federal health authority (immediately for 500+ individuals; annually for smaller incidents), and notify media if 500+ residents of a state are affected. Business associates must promptly inform the covered entity with the details needed for notices.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.