HIPAA Covered Entities Explained: Who Qualifies and What They Must Do



Kevin Henry

HIPAA

December 30, 2024

6 minutes read

HIPAA covered entities are the organizations at the core of protecting patients’ protected health information (PHI). This guide explains who qualifies, how each category operates, and what you must do to comply with the HIPAA Privacy Rule and HIPAA Security Rule.

Health Plans and Their Roles

Health plans include insurers, HMOs, employer-sponsored group health plans, and government programs such as Medicare and Medicaid. As covered entities, their primary roles involve paying claims, managing benefits, coordinating care, and performing utilization review—each activity requiring careful handling of protected health information (PHI).

Health plans may use and disclose PHI for treatment, payment, and health care operations, and for the other purposes the Privacy Rule specifically permits (for example, disclosures required by law); anything else requires the individual’s written authorization. They provide a Notice of Privacy Practices to enrollees, maintain business associate agreements (BAAs) with vendors that handle PHI, and implement administrative safeguards and technical safeguards to protect electronic PHI (ePHI). Plan sponsors (employers) may access PHI only as permitted by the plan documents and HIPAA, and only after certifying that they will not use it for employment-related decisions.

Health Care Providers Overview

Health care providers—such as physicians, hospitals, pharmacies, dentists, labs, and clinics—are covered entities when they transmit health information electronically in connection with standard HIPAA transactions (for example, claims or eligibility checks). Most modern practices meet this threshold through electronic billing or clearinghouses.

Providers use and disclose PHI for treatment, payment, and operations, furnish a Notice of Privacy Practices to patients with a direct treatment relationship, and train their workforce on compliance policies. Under the HIPAA Security Rule, they safeguard ePHI through risk analysis, access controls, audit logging, and secure transmission.

Health Care Clearinghouses Function

Health care clearinghouses convert nonstandard health information they receive from another entity into standard formats (and vice versa). Typical examples include medical claims clearinghouses and repricing organizations. Although they are covered entities, clearinghouses often operate behind the scenes and do not interact with patients directly.

Because they receive PHI from multiple sources, clearinghouses apply rigorous technical safeguards and administrative safeguards, maintain BAAs where they act on behalf of other entities, and ensure data integrity across translation processes.


Defining Covered Entities

Under HIPAA, a covered entity is any (1) health plan, (2) health care clearinghouse, or (3) health care provider that transmits health information electronically in connection with a standard transaction. If your organization fits one of these categories and handles PHI in such transactions, you are a covered entity.

  • Typical covered entities: hospitals, physician practices, pharmacies, labs, health insurers, HMOs, self-insured group health plans, and clearinghouses.
  • Commonly not covered: life insurers, employers in their capacity as employers, schools, and workers’ compensation carriers (though they may receive PHI under specific disclosures or serve as business associates).

Complex structures may qualify as hybrid entities (where only designated health care components are subject to HIPAA) or participate in organized health care arrangements to streamline certain Privacy Rule obligations.

Business Associates Responsibilities

Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity—for example, billing services, IT hosting providers, e-prescribing gateways, and analytics firms. Unlike conduits that merely transport data without routine access, business associates have defined HIPAA duties.

  • Enter into BAAs that describe permitted uses/disclosures, require safeguards, and flow down obligations to subcontractors.
  • Comply directly with the HIPAA Security Rule (including risk analysis, access control, and incident response) and key Privacy Rule provisions like the minimum necessary standard.
  • Report breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 calendar days after discovery (a BAA may set a shorter deadline), and support mitigation and documentation.
  • Return or securely destroy PHI at contract end, where feasible.

Compliance Requirements for Covered Entities

Governance and accountability

  • Designate a privacy official to oversee HIPAA Privacy Rule compliance and a security official to manage Security Rule controls.
  • Adopt written compliance policies and procedures, train your workforce initially and periodically, and apply sanctions for violations.
  • Execute and manage BAAs with all service providers that handle PHI.

HIPAA Privacy Rule essentials

  • Use and disclose PHI only for treatment, payment, and health care operations or another purpose the Privacy Rule permits; obtain a written authorization for anything else.
  • Apply the minimum necessary standard to uses, disclosures, and requests for PHI.
  • Furnish a Notice of Privacy Practices to patients with a direct treatment relationship (providers) or to enrollees (health plans).
  • Honor individual rights, including the right to access and obtain a copy of their records.

HIPAA Security Rule fundamentals

  • Administrative safeguards: conduct and document a risk analysis, implement risk management, assign security responsibility, manage workforce security, and plan for incidents and contingencies.
  • Physical safeguards: control facility access, workstation security, and device/media handling (including disposal and reuse).
  • Technical safeguards: unique user IDs, role-based access, audit controls, integrity protections, person or entity authentication, and transmission security (e.g., encryption in transit).
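The technical safeguards listed above are easier to reason about when they sit together in code. The following is an added illustration written for this article, not code from Accountable, from HHS, or from any regulation, and the users, passwords, patient record and field-to-role mapping are all constructed for the demo. It shows unique user IDs with salted credential hashes (person or entity authentication), a role-based "minimum necessary" view of a record (access control), a hash-chained append-only audit log (audit controls), and a baseline digest that detects unlogged edits to stored ePHI (integrity protection). Transmission security is out of scope here; in practice the same gateway would sit behind TLS.

```python
# Added example (not from the article or any regulator): a small ePHI access
# gateway demonstrating the Security Rule technical safeguards in one place.
# All user IDs, passwords, and patient data below are constructed for the demo.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# --- Constructed sample ePHI (fictional patient) -----------------------------
RECORDS = {
    "P-1001": {
        "name": "Pat Example",
        "dob": "1980-01-01",
        "diagnosis": "J45.20",
        "billing_code": "99213",
        "ssn_last4": "1234",
    },
}

# Minimum necessary: each role may see only the fields its job requires.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis"},
    "billing": {"name", "billing_code", "ssn_last4"},
    "front_desk": {"name", "dob"},
}


def _pw_hash(password: str, salt: bytes) -> str:
    # Person/entity authentication: salted PBKDF2, never plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


# Unique user IDs mapped to a role and a credential hash (demo values only).
USERS = {
    "u-drlee": {"role": "physician", "salt": b"salt-1", "pw": _pw_hash("correct horse", b"salt-1")},
    "u-bill7": {"role": "billing", "salt": b"salt-2", "pw": _pw_hash("battery staple", b"salt-2")},
}


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


# Integrity protection: baseline digest of every record when it is loaded.
INTEGRITY = {pid: _digest(rec) for pid, rec in RECORDS.items()}

# Audit controls: append-only log where each entry commits to the previous
# entry's hash, so editing or deleting an earlier entry breaks the chain.
AUDIT_LOG = []


def _audit(event: str, user: str, **details) -> None:
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
             "user": user, "prev": prev, **details}
    entry["hash"] = _digest(entry)
    AUDIT_LOG.append(entry)


def login(user_id: str, password: str):
    """Return a session for a valid credential, or None. Every attempt is logged."""
    user = USERS.get(user_id)
    # Hash against a dummy salt for unknown users so timing does not reveal IDs.
    expected = user["pw"] if user else _pw_hash("", b"dummy")
    salt = user["salt"] if user else b"dummy"
    ok = hmac.compare_digest(expected, _pw_hash(password, salt)) and user is not None
    _audit("login", user_id, success=ok)
    return {"user": user_id, "role": user["role"]} if ok else None


def read_record(session, patient_id: str) -> dict:
    """Return the minimum-necessary view of a record for the caller's role."""
    if not session:
        _audit("read_denied", "<anonymous>", patient=patient_id)
        raise PermissionError("authentication required")
    allowed = ROLE_FIELDS.get(session["role"], set())
    if not allowed:
        _audit("read_denied", session["user"], patient=patient_id)
        raise PermissionError(f"role {session['role']!r} has no ePHI access")
    record = RECORDS[patient_id]  # KeyError for an unknown patient is fine here
    view = {k: v for k, v in record.items() if k in allowed}
    _audit("read", session["user"], patient=patient_id, fields=sorted(view))
    return view


def record_integrity_ok(patient_id: str) -> bool:
    """Detect improper alteration of stored ePHI since it was loaded."""
    return _digest(RECORDS[patient_id]) == INTEGRITY[patient_id]


def verify_audit_chain() -> bool:
    """Recompute every hash and link; False if any entry was edited or removed."""
    prev = "0" * 64
    for entry in AUDIT_LOG:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    assert login("u-drlee", "wrong password") is None
    doc = login("u-drlee", "correct horse")
    print(read_record(doc, "P-1001"))  # physician view: no billing fields
    print(read_record(login("u-bill7", "battery staple"), "P-1001"))
    print("audit chain intact:", verify_audit_chain())
    RECORDS["P-1001"]["diagnosis"] = "Z00.00"  # simulate an unlogged edit
    print("record integrity ok:", record_integrity_ok("P-1001"))
```

Two design points matter for an audit. First, the audit entry is written on denied and failed attempts as well as successful reads, since OCR investigations routinely ask what was attempted, not just what succeeded. Second, the view filter and the audit entry are built from the same `allowed` set, so the log records exactly which fields left the system, which is what a minimum-necessary review needs.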

Breach readiness and documentation

  • Maintain an incident response plan, assess each suspected breach of unsecured PHI with the four-factor risk assessment (nature and extent of the PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation) to determine whether there is a low probability of compromise, and, unless that low probability is demonstrated, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, notify HHS, and notify prominent media when a breach affects more than 500 residents of a state or jurisdiction.
  • Keep all HIPAA documentation (policies, risk analyses, training records, BAAs) for at least six years from the date of creation or the date it was last in effect, whichever is later.

Enforcement and State Law Considerations

HIPAA is enforced primarily by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), with the Department of Justice handling criminal cases. OCR investigates complaints and breaches, conducts audits, and can impose tiered civil monetary penalties or require corrective action plans with ongoing monitoring.

State attorneys general may bring civil actions for HIPAA violations. HIPAA sets a federal baseline; more stringent state privacy laws (for example, rules governing mental health, HIV, genetic data, or minors) are not preempted and must also be followed. Although HIPAA does not create a private right of action, individuals may pursue remedies under state law for related harms.

Summary

To comply, confirm whether you are a health plan, provider, or clearinghouse; map all PHI flows; implement administrative safeguards and technical safeguards; designate a privacy official and a security lead; adopt practical compliance policies; and manage your business associates. Done well, HIPAA compliance strengthens trust, reduces risk, and supports effective care and operations.

FAQs

What criteria define a covered entity under HIPAA?

You are a covered entity if you are a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard HIPAA transactions (such as claims, eligibility, or prior authorization). If you meet one of these categories and handle PHI in those transactions, HIPAA applies.

How do business associates differ from covered entities?

Covered entities deliver care, pay for care, or standardize transactions. Business associates are vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity (or another business associate). They must sign a BAA, follow the HIPAA Security Rule, comply with applicable Privacy Rule provisions, and report breaches to the covered entity.

What are the main compliance requirements for covered entities?

Key requirements include designating a privacy official and security lead; implementing risk-based administrative safeguards, physical safeguards, and technical safeguards; maintaining written compliance policies; providing a Notice of Privacy Practices; honoring patient rights; applying minimum necessary; executing BAAs; training the workforce; preparing for breaches; and retaining documentation.

How does HIPAA enforcement impact covered entities?

OCR investigates complaints and breaches, can require corrective action, and may impose tiered civil penalties based on factors like culpability and harm. State attorneys general can also enforce HIPAA. Robust governance, documented risk management, and timely breach response reduce enforcement exposure and help demonstrate good-faith compliance.
