HIPAA Covered Entity Health Care Provider: Definition, Requirements, and Examples
Definition of Covered Entity
A HIPAA Covered Entity Health Care Provider is any individual or organization that furnishes, bills, or is paid for health care and transmits health information electronically in connection with a HIPAA-covered transaction. If you submit claims, check eligibility, obtain prior authorizations, or e-prescribe electronically, you meet the definition and must follow HIPAA.
Once you conduct a HIPAA-covered transaction, you assume obligations for both the Privacy Rule and the Security Rule. These apply to protected health information (PHI) and, for the Security Rule, specifically to electronic protected health information (ePHI) created, received, maintained, or transmitted by your practice.
Examples of HIPAA-covered transactions
- Electronic claims (e.g., to health plans or via a clearinghouse).
- Eligibility and benefits inquiries and responses.
- Referral and prior authorization requests.
- Claim status inquiries, remittance advice, and coordination of benefits.
- E-prescribing and related pharmacy transactions.
Vendors that handle PHI on your behalf (billing companies, EHR providers) are business associates, and you must have business associate agreements in place with them. Those agreements do not transfer your obligations: as the covered health care provider, you remain responsible for compliance.
HIPAA Privacy Rule Compliance
Core obligations
- Use and disclose PHI only as permitted—for treatment, payment, and health care operations—or as required by law.
- Apply the minimum necessary standard to limit PHI to what is needed for the purpose.
- Provide a Notice of Privacy Practices (NPP) to patients with a direct treatment relationship and honor stated commitments.
Individual rights you must support
- Access to records in the requested format when feasible and within required time frames.
- Amendment requests, confidential communications, and requests for restrictions when appropriate.
- Accounting of certain non-routine disclosures.
Operational requirements
- Adopt written policies and procedures; document and retain them as required.
- Execute business associate agreements with vendors who handle PHI.
- Implement a sanctions process for workforce violations and maintain complaint processes.
- Designate a privacy officer with clear authority to oversee policy development, incident handling, and compliance monitoring.
HIPAA Security Rule Safeguards
The Security Rule requires a risk-based program to protect electronic protected health information. Begin with a thorough security risk analysis, then implement and maintain administrative safeguards, physical safeguards, and technical safeguards appropriate to your risks.
Administrative safeguards
- Security management process: conduct a security risk analysis, implement risk management plans, and review regularly.
- Workforce security and information access management with role-based least-privilege access.
- Security awareness and training, including phishing defense and ongoing reminders.
- Security incident procedures and breach response, including timely investigation and mitigation.
- Contingency planning: data backup, disaster recovery, and emergency operations testing.
Physical safeguards
- Facility access controls and visitor management.
- Workstation use and security standards (screen locks, secure positioning).
- Device and media controls for encryption, disposal, reuse, and inventory tracking.
Technical safeguards
- Unique user IDs, strong authentication, and, where feasible, multi-factor authentication.
- Access controls and automatic logoff; encryption for data in transit and at rest when reasonable and appropriate.
- Audit controls and activity review to detect inappropriate access.
- Integrity controls to prevent and detect improper alteration of ePHI.
- Transmission security for remote access, telehealth, and interfaces with business associates.
Security is continuous: monitor for new threats, patch systems, validate backups, rehearse incident response, and record decisions showing how administrative safeguards map to identified risks.
Workforce Training and Responsibilities
Your “workforce” includes employees, volunteers, trainees, and others under your control. Provide workforce HIPAA training at onboarding and at regular intervals, tailored to job roles, and document completion and comprehension.
What effective training covers
- Privacy Rule basics, permitted uses/disclosures, and minimum necessary.
- Security Rule expectations: secure passwords, device handling, and reporting incidents.
- Real-world scenarios: telehealth etiquette, secure messaging, and phishing identification.
Everyday responsibilities
- Use only approved systems; avoid unencrypted email or personal cloud storage for PHI.
- Verify recipient identity before sharing PHI; double-check faxes and attachments.
- Lock screens, protect mobile devices, and report suspected breaches immediately.
- Follow role-based access and avoid sharing accounts or credentials.
Reinforce expectations with periodic reminders, simulated phishing, and a clear sanctions policy. Track metrics to demonstrate ongoing covered health care provider compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Examples of Covered Health Care Providers
The following are typically covered when they engage in at least one HIPAA-covered transaction electronically (directly or through a clearinghouse):
- Hospitals, physician practices, ambulatory surgery centers, and urgent care clinics.
- Dentists, orthodontists, oral surgeons, and dental clinics.
- Pharmacies, including those that process pharmacy benefit transactions, and providers that e-prescribe.
- Clinical laboratories, imaging centers, and pathology groups.
- Chiropractors, physical and occupational therapists, speech-language pathologists.
- Behavioral health providers, psychologists, psychiatrists, and substance use treatment programs (with additional confidentiality rules where applicable).
- Home health agencies, hospices, DME suppliers, and ambulance services.
- Telehealth-only providers when they bill plans electronically or e-prescribe.
Providers that never conduct standard electronic transactions—such as cash-only practices that neither e-prescribe nor bill electronically—may not be covered entities. However, adopting e-prescribing or electronic claims generally triggers covered status.
Appointing Privacy and Security Officers
You must formally assign a privacy officer and a security official. In small practices, one person may serve both roles; larger organizations often separate them. The privacy officer designation should confer authority to develop policies, oversee complaints, and coordinate disclosures, while the security official leads the technical and risk management program.
Privacy officer responsibilities
- Maintain and update Privacy Rule policies, NPP, and procedures.
- Manage business associate agreements and monitor vendor compliance.
- Investigate incidents, manage breach notifications, and track complaints.
- Oversee workforce privacy training and sanctions for violations.
Security officer responsibilities
- Plan and execute the security risk analysis and ongoing risk management.
- Implement administrative safeguards, technical controls, and contingency plans.
- Coordinate system hardening, access management, and audit logging.
- Lead security incident response, lessons learned, and continuous improvement.
Document role descriptions, authority lines, and reporting cadence to leadership. Regular briefings that tie risk metrics to action plans keep compliance aligned with operational realities.
In summary, once you perform a HIPAA-covered transaction, you become a covered entity and must protect PHI through clear Privacy Rule practices and risk-based Security Rule controls. Strong governance, practical training, and disciplined execution are the backbone of covered health care provider compliance.
FAQs
What defines a health care provider as a HIPAA covered entity?
You are a HIPAA covered entity if you provide health care and transmit health information electronically in connection with a HIPAA-covered transaction, such as submitting electronic claims, checking eligibility, obtaining prior authorizations, or e-prescribing.
What are the key HIPAA Privacy and Security Rule requirements?
The Privacy Rule governs how you use and disclose PHI, requires the minimum necessary standard, requires an NPP, and gives patients rights to access, amendment, and an accounting of disclosures. The Security Rule requires a security risk analysis and the implementation of administrative, physical, and technical safeguards to protect electronic protected health information.
Which health care providers are considered covered entities?
Hospitals, physician practices, dentists, pharmacies, labs, therapists, behavioral health providers, DME suppliers, ambulance services, and telehealth providers are covered when they conduct standard electronic transactions. Cash-only providers that do not e-prescribe or bill electronically may fall outside coverage until they adopt such transactions.
How should a covered entity train its workforce on HIPAA compliance?
Deliver role-based workforce HIPAA training at onboarding and periodically, covering Privacy Rule basics, Security Rule expectations, real-world scenarios, and incident reporting. Track completion, test understanding, reinforce with reminders and phishing simulations, and apply sanctions for violations to maintain accountability.