HIPAA Identifies Three Covered Entity Types: Definitions, Examples, and Compliance Checklist


HIPAA Identifies Three Covered Entity Types: Definitions, Examples, and Compliance Checklist

Kevin Henry

HIPAA

January 26, 2025

7 minutes read

Health Plans Defined

Under HIPAA, a health plan is any individual or group plan that provides or pays the cost of medical care. Health plans handle protected health information (PHI) to enroll members, adjudicate claims, and manage benefits, so they must follow the HIPAA Privacy Rule and HIPAA Security Rule.

Examples include commercial insurers, HMOs, Medicare, Medicaid, TRICARE, and self-insured employer group health plans. Plan sponsors often delegate operations to third parties, but the plan remains responsible for covered entity compliance and must ensure proper safeguards through contracts and oversight.

Common examples and nuances

  • Major medical plans, Medicare Advantage, and Medicaid managed care organizations.
  • Self-funded employer health plans administered by TPAs; the plan, not the employer, is the covered entity.
  • Flexible spending and certain limited-scope plans may be health plans; confirm applicability before excluding.

Health Care Clearinghouses Explained

Health care clearinghouses translate health data between nonstandard and HIPAA standard formats. By converting claims, eligibility, and remittance data, clearinghouses enable compliant electronic health transactions across the ecosystem.

When performing clearinghouse functions, they are covered entities. The same organization may also act as a business associate to providers or plans for other services, but PHI they create or receive as a clearinghouse remains subject to HIPAA requirements.

Typical clearinghouse services

  • EDI switching and routing of claims, eligibility inquiries, and prior authorizations.
  • Format translation, code set validation, and edits for standard transactions.
  • Repricing and remittance aggregation for plans and billing services.

Health Care Providers Overview

A health care provider is a covered entity if it transmits health information electronically in connection with a standard transaction. Most modern practices and facilities meet this threshold through electronic billing and related workflows.

Covered providers include hospitals, physician practices, clinics, dentists, pharmacies, laboratories, imaging centers, therapists, and DME suppliers. If a provider truly never conducts electronic health transactions—for example, never submits electronic claims or eligibility checks—it may fall outside HIPAA’s covered entity scope, though that is uncommon.

What counts as electronic health transactions

  • Claims and encounters; eligibility and benefit inquiries; claim status; referrals and authorizations.
  • Payment and remittance advice; coordination of benefits.
  • Electronic prescribing and related data exchanges.

Provider examples

  • A solo practitioner billing electronically through an EHR or clearinghouse.
  • A pharmacy transmitting e-prescriptions and claims to PBMs and plans.
  • A diagnostic lab sending electronic results and billing insurers.

Compliance Checklist for Covered Entities

Use this practical checklist to strengthen covered entity compliance across plans, clearinghouses, and providers. Tailor each item to your size, complexity, and technology footprint, and document decisions and responsible owners.


Governance and policies

  • Designate a Privacy Officer and a Security Officer with defined authority and resources.
  • Adopt written HIPAA Privacy Rule and HIPAA Security Rule policies and procedures.
  • Maintain a record retention plan for HIPAA documentation, generally at least six years.

Privacy Rule practices

Security Rule implementation

  • Conduct an enterprise-wide risk assessment and document risk management decisions.
  • Implement administrative safeguards, physical safeguards, and technical safeguards appropriate to risk.
  • Control access with role-based permissions, multi-factor authentication, and session timeouts.
  • Encrypt ePHI in transit and at rest where feasible; manage keys securely.

Workforce and vendors

  • Deliver role-based training at hire and annually; document attendance and comprehension.
  • Screen workforce and apply sanctions for violations; maintain acknowledgment of policies.
  • Inventory vendors; execute and manage Business Associate Agreements; monitor performance.

Incident response and continuity

  • Establish incident detection, escalation, containment, and post-incident review procedures.
  • Maintain a breach assessment and notification process with decision logs.
  • Develop contingency plans, backups, disaster recovery, and periodic restoration tests.

Monitoring and improvement

  • Review system activity and audit logs routinely; investigate anomalies promptly.
  • Track metrics, corrective actions, and management reviews; update the risk assessment at least annually or after major changes.

Risk Analysis and Security Safeguards

A risk assessment identifies where electronic PHI (ePHI) lives, the threats and vulnerabilities affecting it, and the likelihood and impact of harm. Documented results drive the selection of reasonable and appropriate safeguards under the HIPAA Security Rule.

Treat risk analysis as a living process. Revisit it after system changes, mergers, new vendors, or security incidents, and whenever new technologies (such as telehealth tools or mobile apps) enter your environment.

Risk analysis step-by-step

  • Inventory assets handling ePHI: EHR, billing, patient portals, cloud services, endpoints, medical devices.
  • Map data flows and storage locations; note integrations with clearinghouses and health plans.
  • Identify threats (e.g., ransomware, insider misuse, misconfiguration) and vulnerabilities.
  • Evaluate likelihood and impact; assign risk levels and prioritize remediation.
  • Select controls, set timelines, name owners, and track completion; document residual risk.

Administrative, physical, and technical safeguards

  • Administrative safeguards: policies, workforce training, risk management, vendor oversight, sanctions.
  • Physical safeguards: facility access controls, device and media disposal, screen privacy, environmental protections.
  • Technical safeguards: unique user IDs, MFA, encryption, audit controls, integrity checks, secure messaging.

Roles of Privacy and Security Officers

The Privacy Officer oversees PHI uses and disclosures, individual rights, policies, training, and complaint handling. The Security Officer leads risk assessment, safeguard selection, access and identity management, and technical oversight.

In small entities, one person may serve both roles; in larger entities, the roles are separate and coordinated. Both should brief leadership regularly, track corrective actions, and champion a culture of accountability and continuous improvement.

Core responsibilities

  • Maintain policies and standards; align with business processes and technology.
  • Coordinate audits, system activity reviews, and remediation plans.
  • Manage vendor risk and Business Associate Agreements end-to-end.
  • Lead incident response, breach analysis, and communications.
  • Measure program maturity and report on covered entity compliance metrics.

System Activity Monitoring Procedures

HIPAA expects regular review of information system activity to detect inappropriate access or misuse of PHI. Effective monitoring combines clear procedures, reliable logs, and timely follow-up.

Define scope across EHRs, e-prescribing, identity providers, email, file storage, endpoint protection, network devices, and any platform that stores or transmits ePHI. Centralize logs where possible for correlation and alerting.

What to log and review

  • User access to PHI (view, create, edit, export, print) with timestamps and source system.
  • Failed logins, privilege changes, account provisioning/deprovisioning, and after-hours access.
  • Large data exports, unusual query patterns, and access to VIP or restricted charts.
  • Security events from endpoints, email security, and network intrusion tools.

Operational cadence

  • Daily: triage high-severity alerts; spot-check VIP and terminated-user access.
  • Weekly: review access outliers, bulk exports, and privileged account activity.
  • Monthly: sample user access against job roles; reconcile with HR changes.
  • Quarterly: test alert rules; update watchlists; assess vendor log coverage.

Response, documentation, and retention

  • Use playbooks to investigate alerts, collect evidence, and decide on containment.
  • Record findings, decisions, and corrective actions; escalate suspected breaches.
  • Retain audit logs and monitoring records per policy to support investigations and compliance reviews.
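As an added illustration of the review rules in this section (after-hours access, terminated-user access, bulk exports, and failed-login bursts), the following Python script runs a few detection checks over a constructed audit log. It is not code from the original article or from Accountable; the log format, the field names, the thresholds, and the HR feed of deprovisioned accounts are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime
# Constructed sample audit log (not from a real system): timestamp,user,action,patient_id,source
SAMPLE_LOG = """\
2025-01-20T09:15:00,nurse01,view,P1001,EHR
2025-01-20T23:40:00,clerk02,view,P2001,EHR
2025-01-20T10:05:00,clerk02,export,P2002,EHR
2025-01-20T10:06:00,clerk02,export,P2003,EHR
2025-01-20T10:07:00,clerk02,export,P2004,EHR
2025-01-21T08:00:00,exuser9,view,P3001,Portal
2025-01-21T08:01:00,nurse01,login_failed,,IdP
2025-01-21T08:02:00,nurse01,login_failed,,IdP
2025-01-21T08:03:00,nurse01,login_failed,,IdP
"""
TERMINATED_USERS = {"exuser9"}       # constructed HR feed of deprovisioned accounts
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59; anything else counts as after-hours
EXPORT_THRESHOLD = 3                 # exports per user per day that warrant review
FAILED_LOGIN_THRESHOLD = 3           # failed logins per user that warrant review
PHI_ACTIONS = {"view", "create", "edit", "export", "print"}

def parse_log(text):
    """Parse CSV-style audit lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, patient, source = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "source": source})
    return events

def review_findings(events):
    """Return (rule, user, detail) tuples for an analyst to triage."""
    findings, exports, failed = [], Counter(), Counter()
    for e in events:
        if e["action"] in PHI_ACTIONS and e["user"] in TERMINATED_USERS:
            findings.append(("terminated_user_access", e["user"], e["patient"]))
        if e["action"] in PHI_ACTIONS and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_access", e["user"], e["ts"].isoformat()))
        if e["action"] == "export":
            exports[(e["user"], e["ts"].date())] += 1
        if e["action"] == "login_failed":
            failed[e["user"]] += 1
    for (user, day), n in exports.items():
        if n >= EXPORT_THRESHOLD:
            findings.append(("bulk_export", user, f"{n} exports on {day}"))
    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_login_burst", user, f"{n} failures"))
    return findings

if __name__ == "__main__":
    for rule, user, detail in review_findings(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {user} ({detail})")
```

Each finding is a review item, not a confirmed breach; the playbook step above decides whether it escalates to the breach assessment process.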

Conclusion

HIPAA identifies three covered entity types—health plans, health care clearinghouses, and health care providers—and expects each to protect PHI through documented policies, risk assessment, safeguards, and monitoring. By following the checklist and procedures above, you build a defensible, right-sized program that reduces risk and strengthens trust.

FAQs

What are the three types of HIPAA covered entities?

The three types are health plans, health care clearinghouses, and health care providers that conduct standard electronic health transactions. Each must safeguard protected health information under the HIPAA Privacy Rule and HIPAA Security Rule.

How do health care clearinghouses function under HIPAA?

Clearinghouses convert nonstandard health data into HIPAA standard transaction formats and route transactions such as claims, eligibility, and remittances. When performing these conversion services, they are covered entities and must apply appropriate administrative safeguards and other protections to the PHI they handle.

What steps must covered entities take to ensure HIPAA compliance?

Designate Privacy and Security Officers; adopt policies; train the workforce; perform an organization-wide risk assessment; implement administrative, physical, and technical safeguards; manage vendors and Business Associate Agreements; monitor system activity; maintain incident response and breach procedures; and document everything to demonstrate covered entity compliance.
