How Many Covered Entity Categories Must Comply with HIPAA? Three Explained

Kevin Henry

HIPAA

January 13, 2025

7 minute read

Three covered entity categories must comply with HIPAA: health plans, healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses. This guide explains how each category fits within HIPAA’s Administrative Simplification framework and what the Privacy Rule, Security Rule, and Breach Notification Rule mean for you.

Health Plans Overview

Health plans are covered entities that pay for medical care, including health insurers, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and certain government programs. A limited exception applies to a self-administered group health plan with fewer than 50 participants; otherwise, health plans must comply with HIPAA.

Core responsibilities

  • Issue a Notice of Privacy Practices and apply the Privacy Rule’s “minimum necessary” standard to routine uses and disclosures.
  • Safeguard Electronic Protected Health Information (ePHI) under the Security Rule and maintain appropriate administrative, physical, and technical safeguards.
  • Use Standard Transactions and code sets, unique identifiers (such as NPI), and comply with Administrative Simplification requirements.
  • Provide individuals with rights to access, amend, and receive an accounting of certain disclosures.
  • Manage vendors via business associate agreements and ensure timely breach notifications when required.

Special considerations for employer plans

If you sponsor a group health plan, you must wall off plan PHI from employment records, amend plan documents to limit employer access, and train personnel who handle plan information.

Healthcare Providers Requirements

Healthcare providers are covered entities when they transmit health information electronically in connection with a Standard Transaction (for example, claims, eligibility inquiries, referrals/authorizations, remittances). This includes hospitals, physicians, dentists, pharmacies, laboratories, and many allied professionals.

What compliance looks like in practice

  • Post and distribute a Notice of Privacy Practices; use or disclose PHI for treatment, payment, and healthcare operations, applying the minimum necessary standard where it applies.
  • Implement Security Rule safeguards for ePHI: risk analysis, access controls, audit logs, and contingency planning.
  • Execute business associate agreements with EHR vendors, billing services, cloud providers, and other vendors that handle PHI.
  • Adopt Standard Transactions or use a clearinghouse to convert nonstandard formats to HIPAA-compliant ones.

Small practice tip

HIPAA is scalable. Your safeguards should match your risks and resources, but you still need a documented risk analysis, written policies, and workforce training.

Healthcare Clearinghouses Role

A healthcare clearinghouse is a public or private entity that converts nonstandard health information it receives from another entity into Standard Transactions (or the reverse). Common examples include billing services, repricing companies, and “switches” that route claims data.

Why clearinghouses matter

  • They enable Administrative Simplification by ensuring data conform to HIPAA transaction standards and code sets.
  • They are covered entities in their own right and often also act as business associates; either way, they must protect PHI and ePHI.
  • They reduce errors and rework by normalizing formats across trading partners, supporting faster, more accurate payments.

HIPAA Privacy Rule

The Privacy Rule governs how covered entities use and disclose Protected Health Information (PHI) in any form and grants individuals rights over their data. ePHI is PHI in electronic form and must be protected alongside paper and oral PHI.

Permitted uses and disclosures

  • Treatment, payment, and healthcare operations without authorization, plus specific public interest purposes (for example, required by law, public health, health oversight).
  • Authorizations are required for most other purposes, such as marketing or many disclosures to third parties.
  • Apply the minimum necessary standard to routine uses and disclosures outside of treatment.

Individual rights

  • Access and obtain copies of PHI, generally within set timeframes, with limited grounds for denial.
  • Request amendments, restrictions, and alternative communications.
  • Receive an accounting of certain disclosures and file complaints without retaliation.

Operational essentials

  • Maintain policies, workforce training, and sanctions for violations.
  • Execute business associate agreements before sharing PHI with vendors.
  • Use de-identification or limited data sets where feasible to reduce privacy risk.

Security Standards

The Security Rule sets standards to ensure the confidentiality, integrity, and availability of ePHI. Safeguards are risk-based and include required and addressable specifications.

Administrative safeguards

  • Risk analysis and ongoing risk management; periodic evaluations; workforce training and sanctions.
  • Assigned security responsibility, information access management, and security incident response procedures.
  • Business associate management and written policies and procedures.

Physical safeguards

  • Facility access controls and device/media controls, including secure disposal and reuse procedures.
  • Workstation use and security standards to prevent unauthorized viewing or access.

Technical safeguards

  • Unique user identification, strong authentication, and role-based access controls.
  • Audit controls and integrity protections for systems holding ePHI.
  • Transmission security; encryption is addressable but strongly recommended for data at rest and in transit.

Breach Notification Rule

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. A risk assessment must consider the type of data, the recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation.

Notification duties

  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
  • Notify HHS; for breaches affecting 500 or more individuals, within 60 days of discovery; for fewer than 500, no later than 60 days after the end of the calendar year.
  • Notify prominent media outlets if 500 or more residents of a state or jurisdiction are affected.

What the notice must include

  • A description of what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and contact information.

Compliance Best Practices

Governance and risk

  • Designate a Privacy Officer and Security Officer; set up a cross-functional compliance committee.
  • Perform an enterprise-wide risk analysis; document and execute a risk management plan with deadlines and owners.

Policies, training, and vendor management

  • Adopt clear, role-based policies for Privacy Rule and Security Rule requirements; refresh them annually.
  • Provide initial and periodic workforce training; test comprehension and keep records.
  • Inventory vendors; execute business associate agreements; verify safeguards and breach support obligations.

Technology and operations

  • Harden systems with least-privilege access, MFA, patching, encryption, and secure backups tested for restoration.
  • Enable logging and regular review of audit trails; monitor for anomalous access.
  • Use Standard Transactions via certified systems or clearinghouses to meet Administrative Simplification goals.

Incident readiness

  • Maintain an incident response plan, breach decision tree, and notification templates.
  • Run tabletop exercises; track lessons learned and update safeguards.

Conclusion

In short, three covered entity categories—health plans, healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses—must comply with HIPAA. By aligning your Privacy Rule practices, Security Rule safeguards, Standard Transactions, and breach response, you can protect ePHI, meet Administrative Simplification requirements, and build trust with the people you serve.

FAQs

What are the three categories of covered entities under HIPAA?

The three HIPAA covered entity categories are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with an HHS-adopted Standard Transaction.

How does HIPAA define a healthcare clearinghouse?

A healthcare clearinghouse is an organization that processes or facilitates the processing of nonstandard health information it receives from another entity into Standard Transactions—or converts standard data back into nonstandard formats—while safeguarding PHI as a covered entity.

What compliance obligations do health plans have under HIPAA?

Health plans must follow the Privacy Rule (including minimum necessary and individual rights), implement Security Rule safeguards for ePHI, meet Administrative Simplification requirements such as Standard Transactions and unique identifiers, manage business associates, and provide breach notifications as required.
