HIPAA Covered Entity Checklist: Identify Who’s Regulated Under the Privacy Rule
Use this HIPAA covered entity checklist to determine Privacy Rule Applicability and confirm whether your organization is regulated. You’ll see how PHI and ePHI flow, which roles the law covers, and what documentation and risk assessments you must maintain.
Define Covered Entities
Under HIPAA, covered entities are the organizations directly regulated by the Privacy Rule: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in a standard transaction. If you create, receive, maintain, or transmit Protected Health Information (PHI)—including Electronic Protected Health Information (ePHI)—and meet one of these categories, you are a covered entity.
Privacy Rule Applicability extends to PHI in any format. De-identified data is outside scope, but re-identifiable data isn’t. Covered entities must limit uses and disclosures to permitted purposes, apply the minimum necessary standard, and provide individual rights (access, amendments, and accounting of certain disclosures).
- Checklist: Are you a health plan, clearinghouse, or a provider engaging in standard electronic transactions (claims, eligibility, payment, referrals, authorizations, enrollment/disenrollment)?
- Checklist: Do you create or maintain PHI/ePHI, even via a vendor?
- Checklist: Do you designate hybrid components if only part of your organization handles PHI?
Recognize Health Plans
Health plans finance or pay for medical care and include group health plans, health insurers, HMOs, Medicare, Medicaid, TRICARE, Medicare Advantage, prescription drug plans, and many employer-sponsored or self-insured plans. Church plans and government health programs that pay for care are also health plans under HIPAA.
Excepted benefits such as workers’ compensation, auto liability, property and casualty, life, or disability insurers are generally not HIPAA health plans. A small, self-administered group health plan with fewer than 50 participants may be excluded; however, once a third party administers the plan or the plan has 50 or more participants, HIPAA applies.
- Checklist: Do you pay for or reimburse healthcare services?
- Checklist: Are you administering enrollment, eligibility, or premium payment transactions electronically?
- Edge cases: Employer is not the covered entity—the employer’s group health plan is.
Identify Healthcare Clearinghouses
Healthcare clearinghouses transform nonstandard health information into standard formats (or the reverse). They often sit between providers/health plans and billing networks, normalizing claims, remittance, and other transaction data.
Examples include medical billing services that standardize claims, repricing companies, value-added networks or switches, and community health information systems converting data formats. Clearinghouses are covered entities even if they never interact with patients directly.
- Checklist: Do you translate/convert healthcare data formats for others?
- Checklist: Do you validate or edit standard transactions on behalf of trading partners?
Classify Healthcare Providers
Any provider of medical or health services—physicians, clinics, hospitals, pharmacies, labs, therapists, dentists—becomes a covered entity if they transmit health information electronically in connection with a standard transaction. The trigger is the transaction, not organization size.
Common qualifying activities include electronic claims submission, eligibility inquiries, claim status checks, payment/remittance advice, referrals, and prior authorizations. Telehealth and e-prescribing typically qualify. Once covered, the HIPAA Privacy Rule and the HIPAA Security Rule apply to PHI and ePHI handled by the provider.
- Checklist: Do you or your vendor send standard electronic transactions?
- Checklist: Do your front office or practice management systems interface with payers electronically?
Understand Business Associates
Business associates are not covered entities by category, but they perform services for or on behalf of a covered entity that involve PHI (or they receive PHI from a covered entity). Examples include EHR and cloud service providers, revenue cycle firms, attorneys, accountants, consultants, HIEs, and secure messaging/email vendors handling ePHI.
Covered entities must execute Business Associate Agreements that require business associates and their subcontractors to safeguard PHI, follow the HIPAA Security Rule, limit uses/disclosures, support individual rights where applicable, and report incidents under the Breach Notification Rule. BAAs should define permitted uses, minimum necessary, safeguards, and breach reporting timelines.
- Checklist: Do your vendors create, receive, maintain, or transmit PHI/ePHI?
- Checklist: Do you have executed Business Associate Agreements with all applicable vendors and their subcontractors?
Explain Risk Assessment Requirements
Security Rule risk analysis: You must assess risks to the confidentiality, integrity, and availability of ePHI across systems, devices, applications, and vendors. This includes identifying where ePHI resides and flows, evaluating threats and vulnerabilities, measuring likelihood/impact, and documenting risk levels.
Security Rule risk management: Implement and document administrative, physical, and technical safeguards to reduce risks to reasonable and appropriate levels. Administrative Safeguards include policies, workforce training, sanctions, contingency planning, and vendor oversight. Technical and physical measures include access controls, encryption, audit logs, secure disposal, facility controls, and device/media protections.
Breach Notification Rule assessment: When an incident occurs, evaluate whether there is a low probability that PHI has been compromised by considering the nature of the PHI, the unauthorized recipient, whether the PHI was actually viewed or acquired, and the extent of mitigation. If the PHI was secured rather than unsecured (for example, encrypted consistent with recognized standards), notification may not be required.
- Checklist: Maintain a current ePHI data map, risk register, and remediation plan.
- Checklist: Reassess at least annually and upon major changes (systems, vendors, locations).
- Checklist: Test incident response and document outcomes.
Outline Documentation Obligations
HIPAA requires written policies and procedures and proof that you follow them. Keep all documentation for at least six years from the date of creation or when last in effect (state law may require longer). Ensure your workforce can access current versions.
- Required records: Privacy Rule policies, Security Rule policies, and procedures covering Administrative Safeguards, access management, encryption, audit controls, device/media handling, and contingency/backup plans.
- Designations and notices: Privacy Officer and Security Officer assignments; Notice of Privacy Practices; any hybrid-entity or organized healthcare arrangement designations.
- Workforce and operations: training materials and completion logs; sanction and complaint records; role-based access matrices; vendor due diligence and Business Associate Agreements.
- Risk and incidents: risk analyses, risk management plans, security evaluations, penetration/vulnerability results, incident and breach investigation files, and Breach Notification Rule communications.
- Individual rights: procedures and logs for access, amendments, restrictions, confidential communications, and accounting of disclosures (for disclosures other than for treatment, payment, or healthcare operations).
Summary: Use this HIPAA Covered Entity Checklist to confirm your role, map PHI/ePHI, verify Privacy Rule Applicability, execute Business Associate Agreements, complete Security Rule risk analysis, and maintain six-year documentation. These steps align your operations with the Privacy, Security, and Breach Notification Rules.
FAQs
What is a covered entity under HIPAA?
A covered entity is a health plan, healthcare clearinghouse, or a healthcare provider that transmits health information electronically in a standard transaction. These organizations must comply with the HIPAA Privacy Rule for PHI and the HIPAA Security Rule for ePHI, and they are subject to the Breach Notification Rule.
How do healthcare providers qualify as covered entities?
Providers qualify when they conduct standard electronic transactions, such as submitting claims, checking eligibility, receiving remittance advice, or requesting authorizations. The trigger is the electronic transaction—not the provider’s size—so even small practices typically qualify once they use billing systems or clearinghouses.
What are the documentation requirements for covered entities?
Covered entities must maintain written Privacy and Security Rule policies and procedures; designations of Privacy/Security Officers; workforce training and sanctions records; Business Associate Agreements; risk analyses and risk management plans; incident and breach files; and records supporting individual rights. Retain documentation for at least six years from creation or last effective date.
When must a covered entity notify individuals of a breach?
For breaches of unsecured PHI, notification to affected individuals must occur without unreasonable delay and no later than 60 calendar days after discovery. Notifications to HHS (and, for incidents affecting 500 or more residents of a state or jurisdiction, to prominent media) follow the Breach Notification Rule’s timelines.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.