HIPAA Covered Entity Requirements: Checklist for Health Plans and Providers


Kevin Henry

HIPAA

January 05, 2025

6 minute read

Defining Covered Entities

You are a HIPAA covered entity if you are a health plan, a healthcare provider that transmits standard electronic transactions, or a healthcare clearinghouse. Each type handles Protected Health Information (PHI) and must meet defined compliance duties across privacy, security, and breach response.

Who qualifies

  • Health plans: group health plans, insurers, HMOs, government programs that pay for care.
  • Healthcare providers: hospitals, practices, pharmacies, labs, and others that conduct standard electronic billing or eligibility checks.
  • Healthcare clearinghouses: entities that convert nonstandard data to standard formats and vice versa.

Structures and edge cases

  • Hybrid entities designate health care components subject to HIPAA if the organization performs both covered and non-covered functions.
  • Organized Health Care Arrangements (OHCAs) allow clinically integrated providers to share PHI for joint operations.
  • Business associates are not covered entities but must follow contract terms and HIPAA when handling PHI on your behalf.

Health Plan Compliance

Health plans must implement Privacy Rule Compliance, Security Rule safeguards, and Breach Notification Requirements while coordinating with plan sponsors and vendors. Your responsibilities span governance, individual rights, and data sharing controls.

Core actions for health plans

  • Publish and distribute a compliant Notice of Privacy Practices and apply the minimum necessary standard to routine disclosures.
  • Honor member rights: access, amendments, restrictions, confidential communications, and an accounting of disclosures.
  • Execute and manage Business Associate Agreements with TPAs, PBMs, brokers, and other vendors.
  • Segregate plan sponsor access to PHI through plan document amendments and role-based controls.
  • Maintain a breach response program with risk assessment, timely notices, and remediation.

Operational controls

  • Implement risk-based Security Rule Administrative Safeguards, plus physical and technical protections for enrollment, claims, and utilization data.
  • Use Data Standardization Processes and Electronic Data Interchange Standards for claims, eligibility, and remittance to reduce errors and exposure.
  • Train workforce members annually, including role-specific privacy and security procedures.

Healthcare Provider Obligations

Providers that submit or receive standard electronic transactions must comply with HIPAA across clinical, billing, and administrative workflows. Embed compliance into intake, treatment, and revenue cycle processes.

Provider checklist

  • Deliver a Notice of Privacy Practices, obtain valid authorizations when required, and apply minimum necessary to non-treatment uses.
  • Enable patient rights: portal or process for access, amendments, and restrictions; verify identity before release.
  • Implement role-based access, audit logs, secure messaging, and device safeguards in EHR and health IT systems.
  • Sign and manage Business Associate Agreements for EHR hosting, telehealth, billing, transcription, and cloud services.
  • Prepare and test incident response and breach notification procedures aligned to regulatory timelines.

Role of Healthcare Clearinghouses

Clearinghouses translate, edit, and route health data between providers and plans. When acting as a covered entity, they must protect PHI directly; when serving others, they are business associates subject to contract and HIPAA requirements.

Data transformation and standards

  • Execute Data Standardization Processes that scrub, validate, and map data while preserving data integrity.
  • Implement Electronic Data Interchange Standards (for example, eligibility, claims, remittances) and maintain transaction audit trails.
  • Apply minimum necessary policies and strong de-identification when aggregating for analytics or testing.

Security and oversight

  • Enforce end-to-end encryption, robust identity and access management, and continuous monitoring across translation pipelines.
  • Report incidents to clients under contract terms and support coordinated breach notifications.

Business Associates and PHI Handling

Business associates create, receive, maintain, or transmit PHI for a covered entity. You must vet them, contract appropriately, and oversee their controls to ensure compliant PHI handling.

Business Associate Agreements essentials

  • Define permitted uses/disclosures, require safeguards aligned to the Security Rule, and prohibit unauthorized secondary use.
  • Mandate prompt incident reporting, cooperation on Breach Notification Requirements, and flow-down terms to subcontractors.
  • Include right to audit, termination for cause, secure return or destruction of PHI, and documentation retention.

Oversight practices

  • Risk-rank vendors, review security evidence, and validate role-based access to limit exposure.
  • Track onboarding, BAA renewals, and remediation through a centralized vendor management process.

HIPAA Privacy Rule Compliance

The Privacy Rule governs when and how you may use or disclose PHI. It balances care delivery with patient control, applying administrative requirements and enforceable rights.

Permitted uses and authorizations

  • Use/disclose PHI for treatment, payment, and health care operations without authorization; document other disclosures as required.
  • Obtain written authorization for marketing, sale of PHI, many research uses, and most non-TPO purposes.
  • Apply the minimum necessary standard to routine operations and external requests.

Individual rights and controls

  • Provide access to a designated record set, process amendments, and supply an accounting of disclosures upon request.
  • Accommodate reasonable requests for confidential communications and restrictions when feasible.
  • Use de-identification or limited data sets with data use agreements to reduce privacy risk.

HIPAA Security Rule Safeguards

The Security Rule protects electronic PHI through administrative, physical, and technical safeguards. Build a risk-based program that is documented, tested, and continuously improved.

Security Rule Administrative Safeguards

  • Conduct a risk analysis, implement risk management, assign a security officer, and establish sanction and workforce training policies.
  • Manage access via role-based controls, authorization processes, and periodic access reviews.
  • Establish security incident response, information system activity review, and contingency plans with backups and disaster recovery.

Physical and technical measures

  • Secure facilities and workstations; protect and track devices and media through lifecycle and secure disposal.
  • Implement authentication, encryption in transit and at rest, audit logging, integrity controls, and transmission security.
  • Harden endpoints and cloud services, enforce MFA, and continuously monitor for anomalous activity.

Summary

To meet HIPAA Covered Entity Requirements, define your role, formalize Privacy Rule Compliance, operationalize Security Rule safeguards, manage Business Associate Agreements, and institutionalize breach readiness. Align daily workflows to policies, verify vendor controls, and keep documentation current.

FAQs

What entities qualify as HIPAA covered entities?

Covered entities are health plans, healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses. Hybrid organizations may designate health care components, and organized arrangements can share PHI for joint operations. Business associates support these entities but are distinct and bound by contract and HIPAA obligations.

How do covered entities protect PHI under the Privacy Rule?

They implement policies reflecting minimum necessary use, provide a Notice of Privacy Practices, obtain authorizations for non-routine purposes, and uphold patient rights to access, amendments, restrictions, confidential communications, and an accounting of disclosures. They also manage Business Associate Agreements and monitor compliance across their workforce and vendors.

What are the responsibilities of healthcare clearinghouses?

Clearinghouses standardize, edit, and route health data, applying Data Standardization Processes and Electronic Data Interchange Standards while protecting PHI. They maintain security controls, limit use to permitted purposes, keep transaction logs, and report incidents to clients, functioning either as covered entities or business associates depending on the activity.

What penalties apply for non-compliance with HIPAA rules?

Penalties range from corrective action plans and monitoring to civil monetary penalties assessed per violation with tiered ranges and annual caps. In egregious cases, criminal penalties can apply for knowingly obtaining or disclosing PHI. Regulators may also require restitution, audits, and ongoing reporting until deficiencies are resolved.
