HIPAA Privacy Rule Explained: Determining Covered Entity Status for Your Organization
If you create, receive, maintain, or transmit protected health information, you need clarity on whether HIPAA applies. This guide walks you through who is covered, how to evaluate your own status, and what compliance entails.
Covered Entities under HIPAA
Definition and scope
Under the HIPAA Privacy Rule, covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA-covered transactions. Covered entities handle protected health information (PHI) and must safeguard it across paper, verbal, and electronic formats, including during electronic health information exchange.
Decision checkpoints
- Do you operate as a health plan, a health care clearinghouse, or a health care provider engaging in HIPAA-covered transactions?
- Do your workforce members create, receive, maintain, or transmit PHI as part of routine operations?
- Do you participate in electronic health information exchange or use standardized transactions for claims, eligibility, or payment?
- Are you part of a larger enterprise that could be a hybrid entity with a designated health care component?
Common HIPAA-covered transactions
- Claims submission and processing
- Eligibility and benefits inquiries
- Enrollment/disenrollment and coordination of benefits
- Claim status and prior authorization requests
- Payment and remittance advice
PHI essentials
PHI is individually identifiable information related to an individual’s health, care, or payment for care. De-identified information is not PHI, but re-identification risks must be controlled through appropriate technical and administrative safeguards.
Health Plans
Who qualifies
Health plans include individual and group health plans, health insurers, HMOs, employer-sponsored health plans, and government programs such as Medicare, Medicaid, and military or veterans’ health programs. If a plan conducts HIPAA-covered transactions electronically, it is a covered entity.
Employer plan considerations
Employers that sponsor group health plans are generally not covered entities themselves, but the plan is. Employers must separate employment records from plan PHI, restrict access to the plan’s health information, and ensure the plan adopts required administrative safeguards and vendor agreements.
Health Care Providers
Trigger for covered status
Any provider, such as physicians, dentists, pharmacies, laboratories, behavioral health professionals, durable medical equipment (DME) suppliers, and telehealth practitioners, becomes a covered entity when it transmits health information electronically in connection with HIPAA-covered transactions. Most modern practices use electronic billing and eligibility checks, making coverage highly likely.
Edge cases
A provider that never conducts HIPAA-covered transactions electronically (for example, a fully cash-only practice with no electronic claims or eligibility checks) may not be a covered entity. However, participation in electronic health information exchange, e-billing, or e-prescribing typically brings the provider under HIPAA.
Health Care Clearinghouses
Role and examples
Clearinghouses process nonstandard health information they receive from another entity into a standard format—or vice versa. Examples include billing services, repricers, and community health information systems that translate transactions for claims, payments, and eligibility as part of electronic health information exchange.
Why they are covered
Because clearinghouses systematically handle PHI for standardized transactions, they are covered entities regardless of whether they serve providers, plans, or both.
Hybrid Entities
Definition and designation
A hybrid entity is a single legal organization that performs both HIPAA-covered and non-covered functions. It must formally designate at least one health care component—the part that performs covered functions—and apply Privacy and Security Rule protections to that component.
Practical implications
Universities, municipal governments, or retail companies with in-house clinics often qualify as hybrid entities. They should implement boundaries, workforce training, and technical safeguards to prevent improper access to PHI by non-covered divisions.
Business Associates
Who they are
Business associates are vendors or partners that perform services for a covered entity involving PHI, for example EHR and cloud service providers, billing and coding companies, data analytics firms, third-party administrators (TPAs) for self-funded plans, and consultants. Subcontractors that handle PHI on a business associate's behalf are also business associates.
Obligations
Business associates must execute business associate agreements, implement administrative and technical safeguards for PHI and ePHI, and follow breach notification requirements. While they are not covered entities, they are directly accountable for safeguarding PHI they handle.
Compliance Requirements
Privacy Rule essentials
Adopt policies and procedures governing uses and disclosures, apply the minimum necessary standard, issue a Notice of Privacy Practices where applicable, and honor individual rights such as access, amendment, and accounting of disclosures. Maintain role-based access and sanction policies.
Security Rule safeguards
Conduct a risk analysis and implement risk management. Establish administrative safeguards (governance, workforce training, contingency planning), physical safeguards (facility and device protections), and technical safeguards (access controls, encryption, integrity, and audit controls) to protect electronic PHI during storage and electronic health information exchange.
Breach response
Maintain an incident response process to identify, investigate, and document potential breaches. Provide breach notifications to affected individuals and, when required, to regulators and the media within prescribed timelines.
Vendor and data governance
Execute business associate agreements before a vendor receives PHI, verify downstream protections for subcontractors, and periodically assess vendor security. Keep records of training, policies, risk assessments, and mitigation activities.
Noncompliance penalties
HIPAA enforcement includes tiered civil monetary penalties tied to the level of culpability and corrective actions, as well as potential criminal liability for intentional misuse of PHI. Penalties can include fines, corrective action plans, and monitoring; repeat or willful violations face steeper noncompliance penalties.
Conclusion
If you function as a health plan, health care clearinghouse, or a provider that conducts HIPAA-covered transactions, you are likely a covered entity under the HIPAA Privacy Rule. Define your organizational boundaries, classify any health care component if you are a hybrid entity, formalize vendor relationships, and implement administrative and technical safeguards to protect PHI and sustain compliance.
FAQs
What defines a covered entity under HIPAA?
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with HIPAA-covered transactions. These organizations handle protected health information and must meet the Privacy, Security, and Breach Notification Rules.
How can an organization determine if it is a covered entity?
Confirm whether you operate as a plan, clearinghouse, or provider engaged in standardized transactions such as claims, eligibility, payment, or prior authorization. Evaluate whether your workforce creates, receives, maintains, or transmits PHI and whether you participate in electronic health information exchange. If part of a larger enterprise, assess whether you should designate a health care component as a hybrid entity.
What are the compliance requirements for covered entities?
Covered entities must adopt Privacy Rule policies, honor patient rights, and apply the minimum necessary standard. They must perform a risk analysis and implement administrative safeguards, physical protections, and technical safeguards for ePHI, manage vendors through business associate agreements, and follow breach notification procedures.
What penalties apply for HIPAA noncompliance?
Enforcement actions may include tiered civil monetary penalties based on culpability, corrective action plans, and monitoring. Intentional or egregious misconduct can trigger criminal liability. Sustained compliance efforts reduce risk and potential noncompliance penalties.