How to Use a HIPAA Covered Entity Decision Tool: Step-by-Step Guide


Kevin Henry

HIPAA

January 14, 2025


Covered Entity Decision Tool Overview

A HIPAA-covered entity decision tool helps you determine whether your organization is a covered entity under the HIPAA Rules. It guides you through a structured series of yes/no prompts to reach a clear covered entity determination: healthcare provider, health plan, healthcare clearinghouse, or not a covered entity.

Before you start, gather facts about how you operate and exchange data. You will answer questions about your role in care delivery or financing, whether you conduct standard electronic transactions, and how you handle protected health information. The tool’s logic mirrors HIPAA’s statutory and regulatory definitions so you can document your status with confidence.

  • Your organizational role (provider, plan, clearinghouse, or other)
  • Whether you send or receive standard electronic transactions (claims, eligibility, remittance)
  • How you perform healthcare provider billing or claims administration
  • Relationships with vendors and whether they transform data for others

Accessing the Tool on HHS Website

You can access the decision tool on the HHS website within the HIPAA guidance materials. Use the site’s search bar to look for “Covered Entity Decision Tool” and open the interactive questionnaire. The tool typically offers separate paths for providers, health plans, and clearinghouses.

  1. Open the HHS website and search for the decision tool by name.
  2. Read the landing page overview so you understand the definitions used.
  3. Select the path that best matches your primary role (provider, plan, or clearinghouse).
  4. Answer each prompt in order; avoid skipping questions so the logic remains accurate.
  5. Save or print the final result to retain a record of your covered entity determination.

If your organization performs multiple functions, run the questionnaire for each function separately. This helps you evaluate whether you are a single covered entity, a hybrid entity with designated health care components, or not covered.

Assessing Healthcare Provider Status

Under HIPAA, a healthcare provider is covered only if it transmits health information electronically in connection with a standard transaction. The decision tool translates this into practical questions about your healthcare provider billing and other transactions.

Key questions the tool will ask

  • Do you furnish medical, dental, behavioral health, pharmacy, or allied health services?
  • Do you send or receive standard electronic transactions (for example, claims, eligibility inquiries, claim status, remittance advice, referrals/authorizations)?
  • Do you submit transactions directly, through a vendor, or via a clearinghouse on your behalf?

How to answer confidently

  • If you submit any standard electronic claims—even through a practice management system—you generally meet the trigger for coverage as a provider.
  • If you only submit paper claims, accept cash, or never conduct standard electronic transactions, the tool may indicate you are not a covered entity as a provider.
  • Using a vendor does not remove your status; the method of transmission still counts toward coverage.

Examples that typically indicate coverage include e-prescribing through standard networks, electronic eligibility checks, and electronic remittance processing tied to your billing workflow.

Evaluating Health Plan Criteria

The health plan definition focuses on entities that provide or pay the cost of medical care. The tool walks you through whether you operate or sponsor a plan and if you administer benefits that involve standard transactions.

Checklist for plans

  • Are you an insurer, HMO, government program (e.g., Medicare, Medicaid), or another payer of medical care?
  • Do you sponsor a group health plan for employees, including self-insured coverage with a third-party administrator?
  • Do you send or receive standard electronic transactions for enrollment, premium payment, claims, or coordination of benefits?

Special situations to consider

  • Small, self-administered plans may have limited applicability, but most employer group health plans using a TPA fall under HIPAA as health plans.
  • Wellness or reimbursement programs that pay for medical care can meet the health plan definition, even if they are not traditional insurers.

If the tool concludes you are a health plan, you must comply with HIPAA privacy, security, breach notification, and transactions/identifier standards applicable to plans.

Determining Healthcare Clearinghouse Role

A healthcare clearinghouse transforms nonstandard health information into standard formats, or the reverse, for another entity. The decision tool focuses on how you handle data for others, not just for your own organization.

Is your organization a clearinghouse?

  • Do you convert claims or related transactions between nonstandard and standard formats on behalf of providers or plans?
  • Do you edit, normalize, or re-price transactions for multiple customers as part of a data translation service?
  • Do you primarily serve as an intermediary between senders and receivers of standard transactions?

If you only process your own organization’s data and do not transform transactions for others, you are generally not a clearinghouse. In that case, you might be a provider or plan, and your vendors may be business associates rather than clearinghouses.

Understanding Decision Outcomes

At the end of the questionnaire, the tool presents a result based on your answers. Use the outcome to formalize your status and plan next steps.

Common outcomes

  • You are a HIPAA-covered entity as a healthcare provider, health plan, or healthcare clearinghouse.
  • You are not a covered entity; however, you may be a business associate if you handle PHI on behalf of a covered entity.
  • You are a hybrid entity, meaning only designated health care components are subject to HIPAA.

What to do with the result

  • Document your covered entity determination and retain supporting notes and screenshots from the tool.
  • Map where protected health information flows, who touches it, and which standard transactions you conduct.
  • Identify vendors that require business associate agreements and confirm their responsibilities.

Ensuring HIPAA Compliance

Once you confirm coverage, focus on HIPAA compliance requirements that match your role. This includes organizational governance, technical safeguards, workforce practices, and transaction standards.

Foundational requirements

  • Designate privacy and security officials, and complete an enterprise-wide security risk analysis with documented remediation.
  • Adopt written policies and procedures for minimum necessary use, access controls, and incident response.
  • Execute business associate agreements with vendors that create, receive, maintain, or transmit PHI on your behalf.
  • Train your workforce initially and periodically; track attestations and reinforce role-based practices.

Operational practices for PHI

  • Safeguard protected health information with encryption, auditing, and secure messaging where appropriate.
  • Support individuals’ rights (access, amendments, accounting of disclosures) and maintain a Notice of Privacy Practices if applicable.
  • Maintain a breach notification process with timely assessment, documentation, and required notifications.
  • Use standard transactions and identifiers for claims, eligibility, remittance, and related exchanges.

Conclusion

The covered entity decision tool gives you a fast, defensible way to confirm your status and plan next steps. By answering role-specific questions about transactions and data handling, you move from uncertainty to an actionable compliance roadmap aligned with HIPAA’s definitions and requirements.

FAQs

What is a HIPAA covered entity decision tool?

It is an interactive questionnaire that walks you through HIPAA definitions and standard transactions to determine whether you are a covered entity. The tool streamlines covered entity determination for healthcare providers, health plans, and healthcare clearinghouses.

How do I know if my organization is a covered entity?

You are a covered entity if you are a healthcare provider that conducts standard electronic transactions, a health plan that pays for medical care, or a healthcare clearinghouse that transforms data for others. If none apply, you may still be a business associate if you handle PHI for a covered entity.

What steps does the decision tool include?

Typical steps include selecting your role, answering questions about your services and standard electronic transactions, reviewing results for provider, plan, or clearinghouse status, and saving your outcome for documentation and next actions.

How do covered entities maintain HIPAA compliance?

They implement HIPAA compliance requirements such as risk analysis, policies, workforce training, access controls, business associate agreements, breach response, and standardized electronic transactions to safeguard protected health information.
