The 3 HIPAA Covered Entities Explained for Health Care Benefits Teams


Kevin Henry

HIPAA

January 09, 2025


Health Plans Overview

What counts as a health plan

Under HIPAA, health plans include group health plans (such as employer-sponsored medical, certain HRAs and FSAs, and some EAPs that provide medical care), individual health insurance, HMOs, and government programs like Medicare and Medicaid. These entities pay for medical care and hold Protected Health Information (PHI) about enrollees.

The group health plan—not the employer—is the covered entity. A plan sponsor may receive limited PHI to administer the plan, but it must handle that data according to HIPAA rules and plan document provisions.

How health plans work with your team

  • Exchange eligibility and enrollment data with employers and TPAs.
  • Coordinate claims, payment, and remittance advice with providers and clearinghouses.
  • Implement Administrative Simplification standards for transactions and code sets to support data standardization across partners.

Health Care Providers Overview

Who is a covered provider

Any provider that transmits health information electronically in connection with a standard HIPAA transaction is a covered entity. This includes physicians, hospitals, urgent care centers, labs, pharmacies, dentists, vision providers, and DME suppliers that submit claims or eligibility checks electronically.

Providers generate and use PHI at the point of care and interact with health plans and clearinghouses to get paid, verify coverage, and obtain authorizations.

Provider touchpoints for benefits teams

  • Responding to eligibility and benefits inquiries for members during open enrollment and midyear events.
  • Submitting claims and receiving remittances using standardized Transaction Code Sets.
  • Working with your health information technology ecosystem (EHRs, practice management, and portals) to keep enrollment and coverage data synchronized.

Health Care Clearinghouses Overview

What clearinghouses do

Health care clearinghouses convert nonstandard health information into HIPAA-standard formats—and the reverse—so plans and providers can exchange data reliably. Common services include file translation (for example, 837 claims, 835 remittance), validation, compliance edits, and routing.

Clearinghouses are HIPAA covered entities when performing these functions. They may also act as business associates when providing additional services to plans or providers.

Why they matter to benefits operations

  • Reduce rework and denials by enforcing data standardization and format integrity.
  • Accelerate payment cycles with real-time acknowledgments and status updates.
  • Improve interoperability across disparate health information technology platforms.

HIPAA Compliance Requirements

Privacy Rule essentials

  • Use and disclose PHI only for treatment, payment, and health care operations—or with authorization or another permitted basis.
  • Apply the minimum necessary standard and maintain an accurate Notice of Privacy Practices (for health plans).
  • Honor individual rights: access, amend, receive an accounting of disclosures, request restrictions, and choose confidential communications.

Security Rule safeguards (for ePHI)

  • Administrative: risk analysis, risk management, workforce training, sanction policies, and contingency planning.
  • Physical: facility access controls, device/media protections, and workstation security.
  • Technical: unique user IDs, access controls, audit logs, integrity protections, transmission security (encryption in transit), and authentication.

Breach Notification and vendor oversight

  • Assess incidents involving PHI; notify affected individuals, regulators, and (when applicable) the media based on risk of compromise.
  • Execute business associate agreements (BAAs) with vendors that create, receive, maintain, or transmit PHI on your behalf; monitor adherence.

Administrative Simplification standards

  • Adopt standard electronic transactions and Transaction Code Sets to streamline operations.
  • Use unique identifiers (such as NPI) to improve accuracy and interoperability across your health information technology stack.

Roles in Health Care Benefits

How each covered entity supports your members

  • Health plans manage eligibility, benefits, networks, and payment; they communicate coverage to members and providers.
  • Providers diagnose, treat, and document services; they submit standardized claims and respond to benefit inquiries.
  • Clearinghouses enable clean data exchange, reducing errors that delay care or payment.

What your benefits team should coordinate

  • Map PHI data flows among plans, TPAs, providers, and clearinghouses; confirm which parties are covered entities or business associates.
  • Align enrollment timelines and file formats to minimize eligibility gaps and claim denials.
  • Embed Privacy Rule and Security Rule controls in everyday processes: role-based access, minimum necessary disclosures, and secure file transfer.

Data Privacy and Security

Protecting PHI across the benefits lifecycle

Limit use and disclosure of PHI to specific purposes, restrict workforce access to the minimum necessary, and document decisions. When possible, use de-identified data, or a limited data set under a data use agreement, to reduce risk while supporting analytics and plan design.

Practical security controls

  • Encrypt data in transit and at rest; require multi-factor authentication for systems handling ePHI.
  • Maintain audit logs and review them regularly; investigate anomalies promptly.
  • Perform periodic risk analyses and third-party assessments; close gaps with action plans.
  • Establish clear incident response and breach notification procedures with vendors.

Transaction Standards and Processes

Core HIPAA transactions you encounter

  • Eligibility and benefits: 270/271
  • Claims: 837 (institutional, professional, dental)
  • Claim status: 276/277
  • Payment and remittance: 835
  • Enrollment and disenrollment: 834
  • Premium payment: 820
  • Referral and authorization: 278

Code sets that drive consistency

  • ICD-10-CM/PCS for diagnoses and inpatient procedures
  • CPT and HCPCS for procedures and supplies
  • NDC for drugs and CDT for dental services

Process flow and quality controls

  • Prepare: validate member eligibility and benefits before care or claim submission.
  • Transmit: use standard EDI formats; leverage clearinghouse edits to catch errors early.
  • Acknowledge: monitor TA1/999/277 responses; correct and resubmit quickly to protect cash flow.
  • Reconcile: match 835 remittances to claims; analyze denials and adjust upstream data.
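The acknowledge-and-reconcile steps above, as an added example (not the article's or Accountable's code): it parses a constructed, deliberately minimal 835 remittance, keeps only claim-level fields, and buckets each submitted claim as paid, underpaid, denied, unknown or missing. The claim ids, amounts and segment count are constructed; only the CLP element positions and the claim status code 4 (denied) follow the X12 835 layout, and a production system should use a full X12 parser.

```python
# Added example: reconcile a constructed, minimal 835 remittance against claims sent on 837s.
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample; '~' ends a segment, '*' separates elements. Only ST/CLP/SE are modelled
# (real 835s also carry BPR, TRN, NM1, SVC, CAS, ...). CLP01 = claim id, CLP02 = status, CLP04 = paid.
SAMPLE_835 = (
    "ST*835*0001~"
    "CLP*CLM1001*1*250.00*200.00*50.00*12*PAYER-REF-1~"  # status 1: processed as primary
    "CLP*CLM1002*4*120.00*0.00*0.00*12*PAYER-REF-2~"     # status 4: denied
    "CLP*CLM1003*1*300.00*150.00*0.00*12*PAYER-REF-3~"   # paid less than expected
    "CLP*CLM9999*1*80.00*80.00*0.00*12*PAYER-REF-4~"     # claim this team never submitted
    "SE*6*0001~"
)

# Constructed: claim id -> amount expected from the payer for claims sent on 837s.
SUBMITTED_CLAIMS = {"CLM1001": Decimal("200.00"), "CLM1002": Decimal("120.00"),
                    "CLM1003": Decimal("300.00"), "CLM1004": Decimal("90.00")}

@dataclass
class ClaimPayment:
    claim_id: str
    status: str    # CLP02 claim status code; "4" means denied
    paid: Decimal  # CLP04 claim payment amount

def parse_clp(raw: str, seg_term: str = "~", elem_sep: str = "*") -> list[ClaimPayment]:
    """Extract claim-level fields from CLP segments; no patient identifiers (minimum necessary)."""
    payments = []
    for segment in raw.split(seg_term):
        elems = segment.split(elem_sep)
        if elems[0] == "CLP" and len(elems) >= 5:
            payments.append(ClaimPayment(elems[1], elems[2], Decimal(elems[4])))
    return payments

def reconcile(raw: str, submitted: dict[str, Decimal]) -> dict[str, list[str]]:
    """Bucket each claim: paid, underpaid, denied, unknown (never sent) or missing (not yet remitted)."""
    payments = parse_clp(raw)
    result = {"paid": [], "underpaid": [], "denied": [], "unknown": [],
              "missing": sorted(set(submitted) - {p.claim_id for p in payments})}
    for p in payments:
        if p.claim_id not in submitted:
            result["unknown"].append(p.claim_id)   # follow up with the payer
        elif p.status == "4":
            result["denied"].append(p.claim_id)    # analyze the denial, fix upstream data
        elif p.paid < submitted[p.claim_id]:
            result["underpaid"].append(p.claim_id)
        else:
            result["paid"].append(p.claim_id)
    return result
```

Claims in the "missing" bucket are the ones to chase with a 276/277 claim status inquiry before the next remittance cycle.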

Key takeaways for benefits teams

The three covered entities—health plans, health care providers, and health care clearinghouses—work together through Administrative Simplification to enable secure, standardized data exchange. By aligning processes to the Privacy Rule, Security Rule, and Transaction Code Sets, you reduce friction, safeguard PHI, and improve member experience.

FAQs

What entities qualify as HIPAA covered entities?

HIPAA covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. Each must comply with the Privacy Rule, Security Rule, and Administrative Simplification requirements when creating, receiving, maintaining, or transmitting PHI.

How do health care clearinghouses support HIPAA compliance?

Clearinghouses convert and validate data between nonstandard formats and HIPAA-standard transactions, enforce Transaction Code Sets, and route files securely. By applying edits and acknowledgments, they improve data quality and interoperability, helping plans and providers meet Administrative Simplification and security objectives.

What are the responsibilities of health plans under HIPAA?

Health plans must protect PHI under the Privacy Rule, secure ePHI under the Security Rule, follow breach notification requirements, and use standard transactions and code sets. They issue a Notice of Privacy Practices, honor member rights, implement minimum necessary access, and manage BAAs with vendors that handle PHI.
