HIPAA-Regulated Entities: The Four Groups, Definitions, and Compliance Requirements
Covered Entities Overview
The four groups at a glance
- Health care providers that conduct standard electronic transactions.
- Health plans that pay for or arrange the cost of medical care.
- Health care clearinghouses that standardize nonstandard health data.
- Business associates that handle Protected Health Information for the above.
What counts as Protected Health Information (PHI)
PHI is individually identifiable health information created, received, maintained, or transmitted by a HIPAA-regulated entity. It can exist in any form—oral, paper, or electronic (ePHI)—and links a person to past, present, or future health, care, or payment details.
De-identified data is not PHI, but most operational records that include identifiers are. You should inventory where PHI lives, who accesses it, and how it flows between systems and partners.
Key HIPAA rules that apply
The Privacy Rule governs permissible uses and disclosures of PHI, patient rights, and the Minimum Necessary Standard. The Security Rule requires safeguards for ePHI, beginning with a formal Risk Analysis and ongoing risk management. The Breach Notification Rule mandates notification after certain incidents involving unsecured PHI.
Health Care Providers
Who qualifies
Covered providers include physicians, hospitals, clinics, labs, pharmacies, dentists, therapists, and similar practitioners that transmit health information electronically in connection with standard transactions (e.g., claims, eligibility, referrals).
Provider compliance priorities
- Publish a clear Notice of Privacy Practices and honor individual rights (access, amendments, restrictions).
- Implement Security Rule controls: access management, audit logs, authentication, encryption, and secure transmission.
- Perform and document a Risk Analysis; remediate findings with a risk management plan.
- Apply the Minimum Necessary Standard to workforce roles and routine disclosures.
- Execute and manage each Business Associate Agreement (BAA) with vendors that touch PHI.
- Prepare for Breach Notification with an incident response plan and tested procedures.
Health Plans
Who qualifies
Health plans include health insurers, HMOs, government programs that pay for health care, employer-sponsored group health plans, and certain long-term care insurers. Plan activities around enrollment, eligibility, claims, and utilization review typically involve PHI.
Plan-specific compliance tips
- Segregate plan functions from the plan sponsor’s employment records, and limit plan sponsor access to PHI.
- Amend plan documents to reflect Privacy Rule restrictions and the Minimum Necessary Standard.
- Ensure third-party administrators and other vendors sign BAAs and meet Security Rule obligations.
- Maintain member rights processes for access requests, restrictions, and confidential communications.
Health Care Clearinghouses
Role and scope
Clearinghouses transform nonstandard health information into standard formats (and vice versa) for billing, claims, eligibility, and related transactions. Even when serving other entities, a clearinghouse is itself a covered entity.
Compliance focus areas
- Harden data translation platforms with Security Rule safeguards, including robust audit controls and transmission security.
- Conduct periodic Risk Analysis addressing mapping errors, data integrity, and interface risks.
- Limit personnel access by job function and enforce Minimum Necessary disclosures to customers and partners.
Business Associates
Definition and examples
A business associate is any person or organization that creates, receives, maintains, or transmits PHI for a covered entity—or for another business associate. Common examples include IT and cloud providers, EHR vendors, billing and coding firms, analytics providers, consultants, lawyers, and data destruction services.
Direct HIPAA obligations
Business associates must comply with the Security Rule for ePHI, applicable provisions of the Privacy Rule, and Breach Notification to covered entity clients. Subcontractors that handle PHI are also business associates and must meet the same standards.
Business Associate Agreement essentials
- Define permitted uses and disclosures of PHI and the Minimum Necessary Standard.
- Require Security Rule safeguards, a documented Risk Analysis, and workforce training.
- Mandate prompt incident and Breach Notification and cooperation in investigations.
- Flow down requirements to subcontractors and address PHI return or destruction at termination.
Hybrid Entities
When the designation applies
Hybrid entities are single legal entities with both covered and non-covered functions—such as universities, municipal governments, or retailers with on-site clinics. The entity designates its health care components and applies HIPAA to those components.
Practical steps
- Formally identify health care components and define boundaries for PHI access and sharing.
- Implement privacy “firewalls,” role-based access, and Security Rule safeguards within components.
- Train the workforce that supports covered functions and enforce sanctions for violations.
- Use BAAs for external vendors that handle PHI on behalf of the covered components.
Compliance Requirements for HIPAA Entities
Core program foundations
- Appoint privacy and security officials and establish written policies and procedures.
- Conduct a comprehensive Risk Analysis; prioritize and track risk remediation.
- Maintain documentation for decisions, safeguards, training, and incident handling.
Administrative, physical, and technical safeguards (Security Rule)
- Administrative: risk management, workforce training, contingency planning, vendor oversight.
- Physical: facility access controls, workstation/device security, secure disposal and media reuse.
- Technical: unique IDs, least-privilege access, encryption, audit logs, integrity and transmission security.
Privacy Rule operations and Minimum Necessary
- Define routine uses/disclosures and apply the Minimum Necessary Standard to each process.
- Honor individual rights: access to records (with timely response), amendments, and accounting of disclosures.
- Issue and maintain an accurate Notice of Privacy Practices and track authorizations.
Vendor management and BAAs
- Inventory vendors handling PHI and execute Business Associate Agreements before sharing PHI.
- Verify Security Rule compliance, including each vendor’s Risk Analysis, safeguards, and incident response.
- Flow down requirements to subcontractors and monitor performance over time.
Breach Notification readiness
- Define incident triage, forensic investigation, and risk-of-compromise assessment steps.
- Notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovery of a reportable breach.
- Report to HHS and, for larger incidents, to media where required; log smaller breaches for annual reporting.
Ongoing monitoring and improvement
- Run periodic audits of access logs, minimum-necessary adherence, and vendor performance.
- Test contingency plans and security updates; retrain staff when risks or processes change.
- Use metrics and management reviews to drive continuous risk reduction.
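The periodic audit of access logs for minimum-necessary adherence can be made concrete with a small script. The following Python example is added here and is not part of the original article or any vendor's product: it assumes a pipe-delimited access-log format, a role-to-record-category policy (ROLE_POLICY) and a bulk-access threshold (BULK_THRESHOLD), all constructed for illustration. It flags accesses outside a role's permitted categories, events from roles with no defined policy, and users who touch an unusual number of distinct patients in one audit window.

```python
"""Minimum-necessary audit over constructed access-log lines.

Added example, not code from the original page. The log format, role
policy, threshold and sample events below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed role policy: the PHI record categories each workforce role needs.
ROLE_POLICY = {
    "billing_clerk": {"demographics", "billing"},
    "nurse": {"demographics", "clinical_notes", "medications"},
    "scheduler": {"demographics"},
}

# Assumed threshold: more distinct patients than this in one window is flagged.
BULK_THRESHOLD = 3

# Constructed sample log. Format: timestamp|user|role|patient_id|category|action
SAMPLE_LOG = """\
2024-03-01T08:01:10Z|jdoe|billing_clerk|P1001|billing|read
2024-03-01T08:02:44Z|jdoe|billing_clerk|P1001|clinical_notes|read
2024-03-01T08:05:00Z|asmith|nurse|P2002|clinical_notes|read
2024-03-01T08:05:30Z|asmith|nurse|P2002|medications|update
2024-03-01T08:10:00Z|rlee|scheduler|P3001|demographics|read
2024-03-01T08:10:05Z|rlee|scheduler|P3002|demographics|read
2024-03-01T08:10:09Z|rlee|scheduler|P3003|demographics|read
2024-03-01T08:10:12Z|rlee|scheduler|P3004|demographics|read
2024-03-01T08:11:00Z|mchen|unknown_role|P4001|billing|read
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    patient_id: str
    category: str
    action: str


def parse_log(text):
    """Parse the assumed pipe-delimited format; reject malformed lines loudly."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        events.append(AccessEvent(*fields))
    return events


def audit_minimum_necessary(events, policy=ROLE_POLICY, bulk_threshold=BULK_THRESHOLD):
    """Return (kind, user, timestamp, detail) findings for reviewer follow-up."""
    findings = []
    patients_by_user = defaultdict(set)
    for ev in events:
        allowed = policy.get(ev.role)
        if allowed is None:
            # A role with no policy cannot be shown to meet minimum necessary.
            findings.append(("unknown_role", ev.user, ev.ts,
                             f"role {ev.role!r} has no policy"))
        elif ev.category not in allowed:
            findings.append(("out_of_role", ev.user, ev.ts,
                             f"{ev.role} accessed {ev.category} for {ev.patient_id}"))
        patients_by_user[ev.user].add(ev.patient_id)
    # Volume check: many distinct patients in one window warrants a second look.
    for user, patients in sorted(patients_by_user.items()):
        if len(patients) > bulk_threshold:
            findings.append(("bulk_access", user, None,
                             f"{len(patients)} distinct patients"))
    return findings


def run_sample_audit():
    return audit_minimum_necessary(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, ts, detail in run_sample_audit():
        print(f"{kind:13} {user:8} {ts or '-':22} {detail}")
```

On the constructed log this reports three findings: the billing clerk reading clinical notes, an event from a role with no policy, and the scheduler touching four distinct patients. The policy table and threshold are the parts to tune to your own workforce roles and audit window; the findings are meant as review queues for the privacy official, not automatic sanctions.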
In practice, you will stay compliant by aligning your Privacy Rule processes with Security Rule safeguards, proving diligence through Risk Analysis and documentation, managing BAAs tightly, and responding swiftly under the Breach Notification framework.
FAQs
What are the four entities covered by HIPAA?
HIPAA-regulated entities fall into four groups: health care providers, health plans, health care clearinghouses, and business associates. The first three are “covered entities,” while business associates are directly regulated when they handle PHI for covered entities or other business associates.
How do business associates relate to HIPAA compliance?
Business associates must implement Security Rule safeguards, follow applicable Privacy Rule requirements, and sign a Business Associate Agreement that limits PHI uses and disclosures. They must perform a Risk Analysis, train staff, manage subcontractors, and provide Breach Notification to their covered entity clients.
What compliance requirements apply to hybrid entities?
Hybrid entities must designate their health care components and apply the Privacy Rule, Security Rule, Minimum Necessary Standard, and Breach Notification obligations to those components. They must control PHI sharing across internal boundaries, train relevant staff, and use BAAs with external vendors handling PHI.
What is the role of health care clearinghouses under HIPAA?
Clearinghouses convert nonstandard health data into standard transactions (and the reverse) for billing and related activities. As covered entities, they must protect PHI under the Privacy Rule, implement Security Rule safeguards, complete a Risk Analysis, and follow Breach Notification requirements when incidents affect unsecured PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.