HIPAA Covered Entities: The Three Types, Definitions, and Compliance Responsibilities
Health Care Providers
Definition and scope
Under HIPAA, a health care provider is a covered entity when it transmits health information electronically in connection with standard transactions, such as claims, eligibility checks, or referral authorizations. When you meet this threshold, HIPAA applies to your creation, receipt, maintenance, and transmission of Protected Health Information (PHI).
Common examples
Examples include hospitals, clinics, physicians, dentists, mental health professionals, laboratories, pharmacies, durable medical equipment suppliers, and telehealth practices. Ambulance services and home health agencies also qualify when they conduct standard electronic transactions.
Practical boundaries
Provider status attaches to the organization, not individual employees acting within the organization. A practice that is entirely cash-based and never performs HIPAA standard transactions may fall outside covered entity status; however, using a billing service or clearinghouse to submit electronic claims typically brings you within HIPAA’s scope.
Health Plans
Definition and scope
Health plans are entities that provide or pay for the cost of medical care, including insurers, HMOs, Medicare, Medicaid, Medicare Advantage and Part D plans, and most employer-sponsored group health plans. The plan is the covered entity—not the employer sponsoring the plan.
Operational considerations
If you administer a group health plan, you must keep plan PHI separate from employment records. Plan documents should restrict the plan sponsor’s access to PHI to activities required for plan administration and establish “firewalls” to prevent inappropriate use or disclosure.
Examples and exclusions
Examples include self-funded and fully insured group health plans, student health plans, and certain long-term care insurers. Some excepted benefits (such as certain limited-scope dental or vision benefits) may be outside HIPAA’s health plan definition, but always evaluate the specific plan design before assuming an exclusion.
Health Care Clearinghouses
Definition and role
Health care clearinghouses process nonstandard health information into standard formats, or the reverse. If your organization translates claims data, remittance advice, or eligibility data between formats or standards, you function as a clearinghouse and are a covered entity for that activity.
Examples and relationships
Examples include billing services, repricing companies, community health management information systems, and value-added networks or switches. Clearinghouses often also act as business associates to providers and plans, but they remain covered entities when performing clearinghouse functions.
Compliance Responsibilities
Governance and program foundations
- Designate a Privacy Officer to oversee Privacy Rule compliance and a Security Officer to lead Security Rule implementation.
- Adopt written policies and procedures, train your workforce, apply appropriate sanctions, and maintain complaint and mitigation processes.
- Conduct regular risk analyses, implement risk management plans, and review safeguards whenever technology or operations change.
Privacy Rule essentials
- Use and disclose PHI only as permitted or required, applying the minimum necessary standard where applicable.
- Provide a Notice of Privacy Practices and honor individual rights, including access to records, amendments, and an accounting of certain disclosures.
- Limit workforce access to PHI based on role and need-to-know, and monitor disclosures to reduce unnecessary exposure.
Security Rule: Administrative, Physical, and Technical Safeguards
- Administrative Safeguards: risk analysis, risk management, workforce training, contingency planning, and vendor oversight.
- Physical Safeguards: facility access controls, workstation security, and device and media controls for secure storage, reuse, and disposal.
- Technical Safeguards: unique user IDs, strong authentication, access controls, audit logging, integrity protections, and encryption for data in transit and at rest where reasonable and appropriate.
Breach Notification and incident response
- Establish incident intake, investigation, and documentation procedures to quickly identify potential breaches of unsecured PHI.
- Perform a risk assessment to determine whether there is a low probability that PHI has been compromised and, if not, notify affected individuals, regulators, and in some cases the media within required timeframes.
Vendors and Business Associate management
- Execute Business Associate Agreements (BAAs) with vendors that create, receive, maintain, or transmit PHI on your behalf, including cloud, EHR, and analytics providers.
- Flow down BAA obligations to subcontractors, verify safeguards, and monitor performance commensurate with the vendor’s risk profile.
Documentation and lifecycle controls
- Retain required documentation for the prescribed period and keep it current as systems and workflows evolve.
- Apply device inventory, secure configuration, change management, and decommissioning procedures to protect PHI throughout its lifecycle.
Hybrid and Affiliated Covered Entities
Hybrid entities
A hybrid entity is a single legal entity with both covered and non-covered functions (for example, a university with a medical center). You must formally designate your health care components and erect safeguards to prevent PHI from flowing to non-covered components except as permitted.
Affiliated covered entities
Affiliated covered entities are separate legal entities under common ownership or control that choose to designate themselves as a single covered entity. If you form an affiliation, you may share PHI among the affiliates for HIPAA purposes as if you were one entity, while maintaining coordinated policies, training, and safeguards across the group.
Business Associates
Definition and scope
Business associates are persons or organizations that perform functions or services for a covered entity involving PHI—such as claims processing, data analysis, IT hosting, cloud storage, e-discovery, or quality assurance. Subcontractors that handle PHI for a business associate are themselves business associates.
Business Associate Agreements
- Define permitted and required uses and disclosures of PHI and prohibit unauthorized uses.
- Require appropriate Administrative Safeguards, Physical Safeguards, and Technical Safeguards, breach reporting, and subcontractor flow-downs.
- Permit audits, require return or destruction of PHI at termination, and outline remedies for noncompliance.
Direct obligations
Business associates must comply with the Security Rule and key Privacy Rule provisions, including minimum necessary, and must notify covered entities of breaches. If you are a business associate, regulators can enforce HIPAA directly against you.
Enforcement and Penalties
How enforcement works
The U.S. Department of Health and Human Services enforces HIPAA through its Office for Civil Rights. Enforcement by the Office for Civil Rights includes complaint investigations, compliance reviews, and resolution agreements with corrective action plans and monitoring. The Department of Justice may pursue criminal cases for intentional misuse of PHI.
Civil and criminal penalties
HIPAA uses a tiered civil monetary penalty structure that considers the level of culpability, from reasonable cause to willful neglect. Penalties are assessed per violation with annual caps, are adjusted for inflation, and can be coupled with corrective actions. Criminal penalties may apply for knowingly obtaining or disclosing PHI without authorization, with increased penalties for false pretenses or intent to sell or use PHI for gain.
Program takeaways
Whether you are a provider, plan, or clearinghouse, success hinges on a risk-based program: strong leadership, right-sized safeguards, disciplined vendor management, and a reliable incident response. Treat PHI as an asset, align your operations to HIPAA’s principles, and update controls as technologies and care models evolve.
FAQs
What are the three types of HIPAA covered entities?
The three types are health care providers, health plans, and health care clearinghouses. Each becomes a covered entity when it handles PHI in the context of HIPAA standard transactions or, for plans, when paying for or providing medical care.
How do hybrid entities differ from covered entities?
A hybrid entity is a single legal organization that performs both covered and non-covered functions. It must formally designate its health care components and isolate PHI so non-covered components cannot access it except as HIPAA allows, unlike a fully covered entity where the entire organization is subject to HIPAA.
What compliance responsibilities do HIPAA covered entities have?
They must implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards; designate a Privacy Officer and Security Officer; honor individual rights; manage vendors via Business Associate Agreements; maintain policies, training, and documentation; and follow breach notification and incident response requirements.