HIPAA Privacy Rule Coverage: Checklist of Who Is In and Out
Covered Entities Definition
Under HIPAA Privacy Rule coverage, a covered entity is one of three types of organizations that handle Protected Health Information (PHI): health plans, health care clearinghouses, and health care providers that conduct standard Electronic Health Transactions (such as claims, eligibility checks, and prior authorizations). If you fit any of these categories, the Privacy Rule applies to you and your workforce.
Checklist: who is “in” as a covered entity
- Health plans: major medical, employer-sponsored group health plans, Medicare, Medicaid, HMOs, dental and vision plans, and certain government programs. Health Plan Compliance obligations attach to the plan itself, not the employer in its employment role.
- Health care providers: any provider (from solo practitioners to hospitals) that transmits health information electronically in connection with standardized transactions.
- Health care clearinghouses: entities that convert nonstandard health information into standard formats or vice versa (for example, billing data translation and format conversion services).
Covered entities must apply the minimum necessary standard, honor individual rights (access, amendments, and accounting of disclosures), and implement governance, policies, and safeguards appropriate to their risk profile.
Business Associates Overview
Business associates are persons or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity, or that provide specified services where access to PHI is required. Subcontractors that handle PHI on a business associate’s behalf are also business associates. Their obligations are formalized through Business Associate Agreements.
Checklist: typical business associates
- Billing, coding, and claims processing vendors; revenue cycle management firms.
- Electronic health record platforms, data hosting, cloud storage, backup, and managed IT services that maintain ePHI.
- Third-party administrators (TPAs) for self-funded group health plans; utilization review and care management vendors.
- Consultants, auditors, attorneys, actuaries, and accreditation bodies when PHI access is part of the engagement.
- Health information exchanges, e-prescribing gateways, and data destruction/shredding services handling PHI.
A vendor that never needs PHI and is contractually barred from accessing it is generally not a business associate.
Exclusions from Coverage
Not every organization that touches health-related data falls under HIPAA. Entities outside the covered entity/business associate framework, or that handle information outside HIPAA’s scope, are “out.” Understanding Workforce Member Exclusions is key: employees, volunteers, trainees, and other persons whose conduct is under a covered entity’s direct control are part of the covered entity’s workforce—not separate business associates.
Checklist: who is “out”
- Employers in their capacity as employers (e.g., HR files, pre-employment drug tests); the group health plan may be covered, but the employer itself is not when acting in an employment role.
- Life insurers, workers’ compensation carriers, and automobile insurers (though they may lawfully receive records for their programs under specific rules).
- Schools and school districts when records are governed by FERPA; student health clinic records may be HIPAA-covered depending on structure.
- Law enforcement agencies, municipal offices, courts, and most public safety agencies not operating covered health care components.
- Direct-to-consumer apps, wearable manufacturers, and personal health record providers that operate independently of a covered entity.
- Providers that do not conduct standard Electronic Health Transactions (for example, strictly cash-only practices with no standard electronic claims or eligibility transactions).
- Researchers receiving only de-identified data; de-identified information is not PHI.
Hybrid Entities Designation
The Hybrid Entity Rule allows an organization with both covered and non-covered functions (for example, a university with a medical center or a city government with a public clinic) to formally designate specific “health care components.” Only those components—and shared services that support them—are subject to HIPAA. Firewalls must prevent inappropriate PHI sharing with non-covered components.
Hybrid entity designation checklist
- Identify all covered functions and define the health care components that perform them.
- Document the designation and describe shared services that require PHI access.
- Limit workforce access to PHI to those with a need to know; implement privacy and security “firewalls.”
- Use Business Associate Agreements when a non-covered component performs business associate activities for a covered component.
- Review and update the designation when services, structure, or systems change.
Compliance Requirements for Covered Entities
Once you determine HIPAA Privacy Rule coverage, you must operationalize compliance. This includes governance, policies, workforce training, and processes that honor individual rights and control disclosures.
Checklist: core requirements
- Designate a privacy official and a contact person to receive complaints and inquiries.
- Adopt written privacy policies and procedures; train your workforce and apply appropriate sanctions for violations.
- Issue and post a Notice of Privacy Practices (NPP); for health plans, provide the NPP at enrollment and upon material changes as part of Health Plan Compliance.
- Apply the minimum necessary standard and implement role-based access to PHI.
- Honor individual rights: timely access and copies, amendments, and accounting of disclosures where required.
- Coordinate privacy and security safeguards for ePHI (administrative, physical, and technical controls proportionate to risk).
- Maintain incident response and breach notification processes, including documentation and mitigation steps.
- Retain required records and decisions for the periods HIPAA mandates.
Written Agreements with Business Associates
Whenever a business associate or its subcontractor will create, receive, maintain, or transmit PHI on your behalf, you must execute a Business Associate Agreement (BAA). A BAA allocates responsibilities, extends HIPAA safeguards downstream, and enables oversight and termination for noncompliance.
Checklist: BAA essentials
- Define permitted and required uses/disclosures of PHI; incorporate minimum necessary.
- Require administrative, physical, and technical safeguards for ePHI and downstream compliance by subcontractors.
- Set breach and security incident notification duties, timing, and content expectations.
- Obligate cooperation with individual rights workflows (access, amendments, accountings) when the BA holds relevant PHI.
- Specify return or destruction of PHI at termination where feasible.
- Grant termination-for-cause rights if the BA materially breaches the BAA.
- Prohibit uses such as marketing or sale of PHI unless expressly authorized and compliant with HIPAA.
Protection of Health Information
PHI is individually identifiable health information held or transmitted by a covered entity or business associate, in any medium. ePHI refers to PHI in electronic form. HIPAA allows uses and disclosures for treatment, payment, and health care operations without authorization, but most other purposes require an authorization or a specific regulatory permission.
Safeguards and practical controls
- Apply administrative, physical, and technical safeguards; manage access, authentication, auditing, and transmission security for ePHI.
- Use encryption and endpoint protections consistent with your risk analysis and mitigation plan.
- De-identify data when full PHI is unnecessary; de-identified data may be used or disclosed outside HIPAA.
- Standardize Electronic Health Transactions to reduce error and exposure in routine exchanges.
Key takeaways
- If you are a health plan, a clearinghouse, or a provider conducting standard electronic transactions, you are “in.”
- Vendors that handle PHI on your behalf are business associates and require BAAs.
- Many entities—employers in their employment role, schools under FERPA, life/auto insurers—are “out,” subject to limited exceptions.
- Use the Hybrid Entity Rule to confine HIPAA obligations to designated components and control PHI flows.
- Build a privacy program that unites policies, training, safeguards, and Health Plan Compliance practices.
FAQs
Which entities are covered under the HIPAA Privacy Rule?
The HIPAA Privacy Rule covers health plans, health care clearinghouses, and health care providers that conduct standard Electronic Health Transactions. If you are in one of these categories and create, receive, maintain, or transmit PHI, you are a covered entity for those activities.
What are the criteria for being a business associate?
You are a business associate if you create, receive, maintain, or transmit PHI on behalf of a covered entity or provide services (such as legal, IT, billing, claims, or data analysis) that require PHI access. Subcontractors that handle PHI on a BA’s behalf are business associates too and must comply via Business Associate Agreements.
How do hybrid entities affect HIPAA coverage?
A hybrid entity formally designates its HIPAA-covered health care components. Only those components—and shared services supporting them—must comply with the Privacy Rule. The organization must implement controls so PHI does not flow inappropriately to non-covered components, consistent with the Hybrid Entity Rule.
What are the compliance obligations for covered entities?
Covered entities must issue a Notice of Privacy Practices, implement policies and minimum necessary controls, train and oversee their workforce, secure ePHI, manage Business Associate Agreements, support individual rights (access, amendments, accountings), and operate incident response and breach notification processes as part of ongoing compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.