HIPAA Covered Entity Decision Guide: Quick Checklist, Definitions, and Risks
This HIPAA Covered Entity Decision Guide helps you quickly determine whether your organization is a covered entity, understand key definitions, and recognize major risks. You will learn how Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) trigger obligations, and what steps reduce exposure under the Minimum Necessary Standard and Use and Disclosure Restrictions.
Use the quick checklist below, then review each section for detail and examples you can apply immediately.
Defining Covered Entities
Under HIPAA, a covered entity is one of three types of organizations: a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions (such as claims or eligibility checks). If you meet any one category, HIPAA’s Privacy, Security, and Breach Notification Rules apply to your handling of PHI and ePHI.
- Do you operate a health plan that pays for or provides medical care? If yes, you are a covered entity.
- Do you transform health data between nonstandard and standard formats for other parties? If yes, you may be a health care clearinghouse.
- Do you furnish, bill for, or receive payment for health care and send HIPAA-standard transactions electronically? If yes, you are a covered health care provider.
If you are not one of these, you are not a covered entity—but you may still be a business associate if you handle PHI for a covered entity. In either case, Use and Disclosure Restrictions and the Minimum Necessary Standard guide how information should be accessed and shared.
Identifying Health Plans
Health plans include group and individual health insurers, HMOs, employer-sponsored group health plans (including self-insured plans), government programs that pay for health care (such as Medicare and Medicaid), and certain long-term care insurers. These entities create, receive, maintain, or transmit PHI and ePHI when they administer benefits and pay claims.
Key obligations for health plans include Risk Analysis and Management for systems handling enrollment, claims, and appeals; Data Breach Reporting procedures; and vendor oversight. When a third-party administrator, broker, or benefits platform accesses plan PHI, the plan must have a Business Associate Agreement in place to define permitted uses, security safeguards, and breach notification duties.
Health plans must apply the Minimum Necessary Standard to routine operations and ensure Use and Disclosure Restrictions are followed, such as disclosing information without an authorization only for permitted purposes like payment and health care operations, and obtaining authorizations for marketing or other restricted purposes.
Recognizing Health Care Providers
Health care providers are covered entities if they transmit health information electronically in standard HIPAA transactions. This includes hospitals, clinics, physicians, dentists, pharmacies, laboratories, behavioral health providers, and any organization or person that furnishes, bills, or is paid for health care in the normal course of business.
Providers store and transmit ePHI through EHRs, e-prescribing, patient portals, imaging systems, and revenue cycle tools. You must implement Risk Analysis and Management to address administrative, physical, and technical safeguards; apply the Minimum Necessary Standard to workforce access; and follow Use and Disclosure Restrictions for treatment, payment, and health care operations.
Common provider scenarios include granting role-based access, encrypting data at rest and in transit, auditing EHR logs, and coordinating with billing services or cloud platforms under a Business Associate Agreement.
Understanding Health Care Clearinghouses
Health care clearinghouses convert nonstandard data they receive from another entity into standard data elements or transactions, and the reverse. Examples include billing and repricing services, EDI gateways, and community health information networks that standardize formats like X12 for claims or eligibility transactions.
Because clearinghouses routinely handle high volumes of ePHI, they must maintain strong safeguards, perform ongoing Risk Analysis and Management, and adhere to Use and Disclosure Restrictions that limit information to defined purposes. When a clearinghouse performs services for a plan or provider, a Business Associate Agreement clarifies permitted uses, security controls, and Data Breach Reporting timelines.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exploring Business Associates
Business associates are not covered entities by category; instead, they perform functions or services for a covered entity that involve PHI. Examples include revenue cycle vendors, cloud hosting providers, EHR and eRX platforms, data analytics firms, outsourced IT, call centers, and practice management services. Subcontractors that handle PHI for a business associate are also business associates.
Covered entities must execute a Business Associate Agreement with each vendor that accesses PHI or ePHI. The BAA establishes Use and Disclosure Restrictions, requires the Minimum Necessary Standard, mandates safeguard implementation, and sets Data Breach Reporting obligations (without unreasonable delay and within the required deadlines). Business associates are directly liable for meeting applicable HIPAA requirements and must flow down the same protections to subcontractors.
Exceptions to Covered Entity Status
Some organizations interact with health information but are not covered entities. Typical examples include:
- Employers in their role as employers (the employer is not a covered entity, though the employer’s group health plan is).
- Life, disability, and workers’ compensation insurers (though they may receive health information under separate laws).
- Schools, whose student health records are mostly governed by FERPA rather than HIPAA, unless the school operates a separate HIPAA-covered clinic.
- Conduits that merely transport data—such as postal services or certain telecom carriers—without routine access to PHI.
Even when an organization is not a covered entity, it may still be a business associate if it creates, receives, maintains, or transmits PHI for a covered entity. In that case, a Business Associate Agreement and adherence to Use and Disclosure Restrictions still apply.
Managing HIPAA Risks
Effective compliance centers on Risk Analysis and Management. Start by cataloging systems, data flows, and vendors that create, receive, maintain, or transmit PHI and ePHI. Identify threats and vulnerabilities (for example, lost devices, misdirected email, insecure APIs, or excessive user privileges), evaluate likelihood and impact, and document a prioritized risk treatment plan with owners and timelines.
Implement layered safeguards: access controls and role-based permissions, unique user IDs and multi-factor authentication, encryption in transit and at rest, audit logging and log review, secure configuration and patching, endpoint protection, offsite and tested backups, and facility safeguards. Train your workforce routinely on the Minimum Necessary Standard, Use and Disclosure Restrictions, and phishing awareness.
Prepare for incidents with a defined response plan, including verification, containment, forensics, individual notification, and Data Breach Reporting within required time frames. Review Business Associate Agreements to ensure vendors will cooperate with investigations and notifications. Reassess risks after changes like new systems, mergers, or major integrations, and keep documentation current to demonstrate due diligence.
In summary, determine whether you are a health plan, provider, or clearinghouse; identify business associates and execute BAAs; apply Minimum Necessary and Use and Disclosure controls; and run continuous Risk Analysis and Management to reduce the likelihood and impact of breaches.
FAQs
What qualifies an organization as a HIPAA covered entity?
An organization is a covered entity if it is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in HIPAA-standard transactions. If you meet any one category, HIPAA’s Privacy, Security, and Breach Notification Rules apply to your handling of Protected Health Information and Electronic Protected Health Information.
How do business associates impact HIPAA compliance?
Business associates perform services for covered entities that involve PHI or ePHI. You must have a Business Associate Agreement with each vendor to set Use and Disclosure Restrictions, require the Minimum Necessary Standard, mandate safeguards, and define Data Breach Reporting duties. Business associates and their subcontractors are directly responsible for meeting applicable HIPAA requirements.
What are the common risks associated with covered entities?
Frequent risks include lost or stolen devices without encryption, phishing and credential theft, misconfiguration of cloud systems, improper access due to weak role design, unvetted vendors without BAAs, misdirected communications, and delayed or incomplete breach response. Strong Risk Analysis and Management and workforce training help reduce these exposures.
How should covered entities conduct risk analysis?
Perform an enterprise-wide inventory of systems and vendors that handle PHI and ePHI, map data flows, and identify threats and vulnerabilities. Assess likelihood and impact, document a risk register, and prioritize mitigation with clear owners and deadlines. Reassess after significant changes and at least annually to maintain continuous Risk Analysis and Management.