PHR vs. Covered Entity Under HIPAA: Definitions, Examples, Compliance


Kevin Henry

HIPAA

January 07, 2025

6 minute read

Covered Entity Characteristics

Who qualifies as a covered entity

Under HIPAA, covered entities are health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. If you transmit claims, eligibility inquiries, or remittance advice electronically in the HIPAA formats, you fall within this scope.

Core attributes

  • Create, receive, maintain, or transmit Protected Health Information (PHI) in any form.
  • Use HIPAA-standard Electronic Transactions when billing, checking eligibility, or exchanging data.
  • Issue Privacy Notices explaining uses/disclosures of PHI and individual rights.

Examples

  • Health plans (group health plans, insurers, HMOs).
  • Health care clearinghouses that translate nonstandard data into standard formats.
  • Providers such as hospitals, physician practices, and pharmacies that conduct HIPAA Electronic Transactions.

Personal Health Record Overview

What a PHR is

A Personal Health Record (PHR) is a health record you control. It can compile information from your providers, devices, and self-entered data into one place you manage directly.

How a PHR differs from clinical systems

Unlike an electronic health record managed by a provider, a PHR centers on your choices—what to store, share, or delete. It may contain PHI, but HIPAA applies only when the PHR is provided by, or on behalf of, a covered entity.

Common content

  • Demographics, medications, allergies, and immunizations.
  • Lab results, visit summaries, device-generated vitals.
  • Advance directives and care preferences you upload.

PHRs Offered by Covered Entities

Tethered or portal-based PHRs

When a provider or health plan offers a patient portal, it functions as a PHR tied to the clinical system. Because a covered entity operates it, HIPAA protections apply to the PHI inside.

Operational implications

  • Privacy Notices must describe how PHI is used, disclosed, and your access rights.
  • Security program must implement Administrative Safeguards, Technical Safeguards, and physical controls for the portal and its data flows.
  • Vendors supporting the portal generally sign a Business Associate Agreement.

Illustrative examples

  • A hospital’s portal where you view results and messages.
  • A health plan’s member portal showing claims, authorizations, and benefits.

PHRs Offered by Non-Covered Entities

Direct-to-consumer PHRs

Some PHRs are offered by consumer technology companies directly to you, not on behalf of a provider or plan. These vendors are typically not covered entities and are not automatically bound by HIPAA.

When HIPAA still applies

If a non-covered vendor handles PHI on behalf of a covered entity—such as hosting a provider-branded PHR—it becomes a business associate and must comply with applicable HIPAA requirements under a Business Associate Agreement.

Good practices even when HIPAA doesn’t apply

  • Publish clear, prominent Privacy Notices describing collection, use, sharing, and retention.
  • Adopt strong Administrative and Technical Safeguards to protect health data.
  • Offer user controls for data access, export, and deletion.

Compliance Requirements for Covered Entities

Privacy Rule fundamentals

  • Use and disclose PHI only as permitted or required; apply the minimum necessary standard.
  • Provide Privacy Notices and honor individual rights to access, amend, and receive an accounting of disclosures.
  • Establish authorization processes for uses and disclosures beyond routine treatment, payment, and operations.

Security Rule safeguards

  • Administrative Safeguards: risk analysis, risk management, workforce training, and contingency planning.
  • Technical Safeguards: access controls, unique IDs, encryption, integrity, and transmission security.
  • Physical controls: facility access, device/media controls, and workstation security.

Breach Notification Rule

Investigate incidents, assess risk to PHI, and notify affected individuals, regulators, and (when applicable) the media within required timeframes if a breach occurs. Maintain documentation of decisions and actions.

Electronic Transactions and identifiers

  • Use standard Electronic Transactions (e.g., claims, eligibility, remittance) and adopted code sets.
  • Adopt unique identifiers (such as the National Provider Identifier) and cooperate with health care clearinghouses as needed.

Compliance Requirements for PHR Vendors

When acting as a business associate

  • Execute a Business Associate Agreement defining permitted PHI uses and disclosures.
  • Implement Security Rule requirements and appropriate Administrative and Technical Safeguards.
  • Report incidents and breaches to the covered entity and flow down obligations to subcontractors handling PHI.

When operating direct-to-consumer

  • Publish concise, accurate Privacy Notices and obtain meaningful consent for data practices.
  • Limit data collection, retention, and sharing to what is necessary for the service.
  • Provide clear user controls for access, correction, export, and deletion.

Operational maturity

  • Document data flows and maintain an asset inventory for systems storing PHI.
  • Apply encryption in transit and at rest, strong authentication, logging, and monitoring.
  • Test incident response plans and conduct periodic risk assessments.

Business Associate Agreements

What a BAA does

A Business Associate Agreement sets out, in contract form, the vendor’s HIPAA responsibilities when it handles PHI for a covered entity. It specifies allowed uses, required safeguards, reporting duties, and termination obligations.

Key provisions to expect

  • Permitted uses/disclosures and prohibition on secondary use without authorization.
  • Implementation of Administrative and Technical Safeguards and breach notification duties.
  • Subcontractor flow-down requirements and PHI return or destruction at termination.

When a BAA is and isn’t required

  • Required: a PHR hosted, branded, or operated on behalf of a provider or plan.
  • Not required: a consumer PHR independent of any covered entity relationship.

Summary

PHR vs. covered entity under HIPAA hinges on who offers the service and for whom. Covered entities—and their business associates—must safeguard PHI, follow the Privacy, Security, and Breach Notification Rules, use standard Electronic Transactions, and publish clear Privacy Notices. Standalone PHRs outside HIPAA should still earn trust with transparency and strong security.

FAQs

Is a PHR always considered a covered entity under HIPAA?

No. A PHR is not a covered entity just because it stores health data. It falls under HIPAA only when a covered entity offers it, or when a vendor operates it on behalf of a covered entity as a business associate.

What are the compliance obligations of covered entities under HIPAA?

Covered entities must protect Protected Health Information through Privacy Rule practices, Security Rule Administrative and Technical Safeguards (and physical controls), Breach Notification procedures, standard Electronic Transactions, and clear Privacy Notices. They also must execute Business Associate Agreements with applicable vendors.

How do Business Associate Agreements impact PHR vendors?

BAAs define what a PHR vendor may do with PHI, require specific safeguards, mandate incident and breach reporting, and flow HIPAA obligations to subcontractors. They make the vendor contractually accountable for HIPAA compliance when serving a covered entity.
