HIPAA Covered Entity Requirements: Who Is Included, Exemptions, and Practical Compliance Steps
Understanding HIPAA covered entity requirements helps you decide whether HIPAA applies to your organization and how to comply. This guide explains who qualifies, common exemptions, and practical steps to meet the HIPAA Privacy Rule and HIPAA Security Rule while protecting Protected Health Information (PHI).
Use it to identify your status, map obligations, and implement right-sized controls, from Risk Assessment through Breach Notification, Workforce Training, and Compliance Documentation.
Definition of Covered Entities
Under HIPAA, a covered entity is one of three types of organizations that handle Protected Health Information in standard electronic transactions. The three categories are: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with a HIPAA standard transaction (for example, claims, eligibility, enrollment, payment, or referrals).
Covered entities must safeguard PHI and electronic PHI (ePHI) under the HIPAA Privacy Rule and HIPAA Security Rule. If you are uncertain, start by mapping your services and data flows against these categories and the transactions you perform.
Identifying Included Health Plans
Health plans finance or pay for medical care. If you administer or provide benefits that pay for healthcare services, you are likely a covered health plan. Common examples include:
- Health insurance issuers and HMOs.
- Employer-sponsored group health plans, including self-insured plans.
- Government programs that pay for healthcare (e.g., Medicare, Medicaid, and similar programs).
- Medicare Part D prescription drug plan sponsors and similar pharmacy benefit programs.
- Dental, vision, and other medical benefit plans that pay for care.
Important distinction: the employer itself is not the covered entity; the group health plan is. Plan sponsors must ensure the plan’s HIPAA compliance is maintained.
Recognizing Healthcare Providers
Healthcare providers are covered entities if they transmit health information electronically in connection with a standard HIPAA transaction—directly or through a vendor. This includes:
- Physicians, clinics, hospitals, and urgent care centers.
- Psychologists, dentists, chiropractors, physical and occupational therapists.
- Clinical laboratories, imaging centers, and pharmacies.
- Ambulance services, home health agencies, and telehealth providers.
Even if a billing company or clearinghouse submits claims on your behalf, you remain a covered healthcare provider when those standard transactions occur.
Understanding Healthcare Clearinghouses
Healthcare clearinghouses process nonstandard health information from another entity into standard formats (or the reverse). Typical functions include converting paper or proprietary claim formats into HIPAA-standard transactions, repricing claims, and routing data among plans and providers.
If your primary role is translating, formatting, or processing health information for others to conduct HIPAA transactions, you likely operate as a healthcare clearinghouse.
Exemptions from Covered Entity Status
Some organizations interact with health information but are not HIPAA covered entities. Common exemptions and edge cases include:
- Healthcare providers that do not conduct any standard electronic transactions (they use paper-only processes and do not delegate electronic submission).
- Small, self-administered employer group health plans with fewer than 50 participants; these plans are generally not covered entities.
- Employers in their role as employers (HR files are not PHI under HIPAA, though other laws may apply).
- Life, disability, and workers’ compensation insurers (they are not “health plans” under HIPAA).
- Schools and school districts where student health records are governed by FERPA rather than HIPAA.
- Consumer-directed personal health apps that receive information directly from individuals and not on behalf of a covered entity.
- Organizations handling only de-identified data, which is not PHI.
If an entity is not a covered entity but performs services for a covered entity involving PHI, it may be a business associate and still subject to HIPAA obligations via contract.
Essential Compliance Steps
Once you confirm covered entity status, apply these practical steps to meet HIPAA covered entity requirements:
- Confirm scope: Identify systems, workflows, vendors, and staff that create, receive, maintain, or transmit PHI/ePHI.
- Assign leadership: Designate a Privacy Official and a Security Official; define accountability and escalation paths.
- Perform a Risk Assessment: Analyze threats and vulnerabilities to ePHI; document likelihood and impact; prioritize remediation.
- Develop and implement policies and procedures: Address the HIPAA Privacy Rule (uses/disclosures, minimum necessary, individual rights) and the HIPAA Security Rule (administrative, physical, technical safeguards).
- Implement safeguards: Access controls, authentication, audit logs, encryption, device and media controls, secure transmission, facility security, and vendor management.
- Workforce Training: Provide role-based training on privacy, security, and incident reporting; document completion and refresh annually or upon material changes.
- Individual rights and notices: Issue a Notice of Privacy Practices; support access, amendment, and accounting of disclosures.
- Incident response and Breach Notification: Maintain detection, containment, and assessment procedures; notify affected individuals (and other required parties) without unreasonable delay and within required timeframes.
- Compliance Documentation: Record your Risk Assessment, decisions, policies, training, BAAs, incident logs, and periodic reviews; update as operations change.
- Continuous monitoring: Conduct periodic audits, test controls, address gaps, and track corrective actions to closure.
Managing Business Associate Relationships
Business associates are vendors or partners that create, receive, maintain, or transmit PHI on your behalf (for example, billing services, cloud hosting, e-prescribing platforms, eFax, analytics, and transcription). Covered entities must establish and manage these relationships carefully.
- Execute Business Associate Agreements (BAAs): Specify permissible uses/disclosures, required safeguards (including Security Rule compliance), breach reporting, subcontractor flow-down, return/destroy requirements, and termination rights.
- Due diligence: Evaluate security practices, certifications, incident history, and subcontractor oversight before onboarding and periodically thereafter.
- Minimum necessary and data minimization: Share only the PHI needed for the service; prefer de-identified data where feasible.
- Operational controls: Define secure data exchange methods, access provisioning, logging, and offboarding processes.
- Monitoring and remediation: Track performance, review audit results, and enforce corrective actions or contract remedies when needed.
Strong vendor governance reduces breach risk, supports timely Breach Notification if needed, and strengthens overall HIPAA compliance.
FAQs
What organizations are considered HIPAA covered entities?
Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard HIPAA transactions. If you finance or pay for care, translate health data into standard formats, or provide care and use electronic claims or similar transactions, you likely qualify.
What exemptions exist for covered entity status?
Common exemptions include providers that never conduct standard electronic transactions, small self-administered group health plans with fewer than 50 participants, employers acting as employers, life and disability insurers, workers’ compensation carriers, and entities handling only de-identified data. Some schools are governed by FERPA rather than HIPAA.
How do covered entities comply with HIPAA requirements?
Determine scope, assign privacy and security leadership, conduct a Risk Assessment, implement safeguards aligned to the HIPAA Privacy Rule and HIPAA Security Rule, train your workforce, manage vendors via BAAs, maintain Breach Notification procedures, and keep thorough Compliance Documentation with periodic reviews and updates.
What is the role of business associates under HIPAA?
Business associates perform services involving PHI for covered entities and must protect that information. They sign BAAs committing to appropriate uses, security controls, subcontractor oversight, incident reporting, and Breach Notification support, ensuring PHI is safeguarded across your extended vendor ecosystem.