The Three Covered Entity Types Under HIPAA: Compliance Checklist and Best Practices


Kevin Henry

HIPAA

January 20, 2025

8 minutes read

HIPAA defines three covered entity categories that handle Protected Health Information (PHI): health care providers, health plans, and health care clearinghouses. If you operate in any of these roles and transmit health information electronically for standard transactions, you must meet specific privacy, security, and breach notification obligations. Use this focused compliance checklist and best practices guide to strengthen safeguards, reduce risk, and demonstrate accountability.

Health Care Providers Under HIPAA

Health care providers include hospitals, clinics, physicians, dentists, pharmacists, laboratories, and telehealth practices that transmit health information electronically in standard billing or eligibility transactions. When you meet this threshold, HIPAA applies to your organization’s creation, receipt, maintenance, and transmission of PHI and electronic PHI (ePHI).

Key Responsibilities

  • Provide a clear Notice of Privacy Practices and honor patient rights of access, amendment, and an accounting of disclosures.
  • Apply the minimum necessary standard to routine uses and disclosures of PHI.
  • Implement Administrative, Physical, and Technical Safeguards to protect ePHI under the Security Rule.
  • Execute and manage a Business Associate Agreement (BAA) with each vendor that creates, receives, maintains, or transmits PHI on your behalf.
  • Follow the Breach Notification Rule for incidents involving unsecured PHI.

Provider Compliance Checklist

  • Confirm you conduct HIPAA standard transactions (e.g., claims, eligibility, remittance) electronically.
  • Map where PHI/ePHI lives (EHR, portal, imaging, email, backups, mobile devices) and document data flows.
  • Enable role-based access, multifactor authentication, encryption in transit and at rest, and audit logging for EHR and portals.
  • Establish identity verification and secure messaging processes for telehealth and patient portals.
  • Centralize BAAs, track renewals, and verify downstream subcontractor protections.

Health Plans and Their Responsibilities

Health plans include group health plans, health insurance issuers, HMOs, Medicare/Medicaid programs, and certain employer-sponsored plans. Plans often rely on third-party administrators (TPAs), pharmacy benefit managers (PBMs), and actuaries—relationships that require rigorous vendor oversight and BAAs.

Plan Compliance Priorities

  • Designate privacy and security officials and maintain written policies, procedures, and sanctions.
  • Distribute a Notice of Privacy Practices to members and apply the minimum necessary standard.
  • Limit employer plan sponsor access to summary health information, enrollment data, or de-identified data unless the plan documents have been amended and the required safeguards and certifications are in place.
  • Execute BAAs with TPAs and other service providers, ensuring breach reporting and subcontractor flow-down clauses.
  • Operate a documented Risk Management program tied to the Security Rule.

Plan Compliance Checklist

  • Inventory plan data (claims, eligibility, appeals, case management) and identify all PHI touchpoints.
  • Segment member databases and enforce least-privilege access for call center and care management teams.
  • Monitor TPA performance, breach response readiness, and security control attestations.
  • Maintain retention schedules and secure destruction for PHI in all formats.

Health Care Clearinghouses Explained

Health care clearinghouses convert nonstandard health information into standard transactions (and vice versa) for billing, eligibility, and remittance. They may never see patients directly, yet they handle large volumes of ePHI and are covered entities in their own right.

Clearinghouse Risk Profile

  • High-volume PHI processing with complex routing and translation services.
  • Heavy reliance on secure APIs, file transfer, and mapping tables that require strict change control.
  • Dual roles are common—clearinghouses may also serve as business associates for specific services.

Clearinghouse Compliance Checklist

  • Harden interfaces (SFTP/API), enforce strong cryptography, and maintain end-to-end transmission integrity.
  • Version-control mapping logic and validate translations to prevent data corruption or misrouting.
  • Maintain comprehensive audit trails for message intake, transformation, and delivery.
  • Assess subcontractors that touch PHI and require BAAs with downstream entities.
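The integrity and audit-trail items above are easier to reason about with a concrete mechanism. The following Python is an added example for this article, not code from the original page or from any clearinghouse product: it runs one message through intake, transformation, and delivery, records each stage in an HMAC-chained audit trail so that an edited, reordered, or deleted entry is detectable, and refuses to translate fields the versioned mapping table does not know rather than dropping them silently. The toy JSON "nonstandard" and "standard" formats, the mapping table, the destination name, and the in-code key are assumptions; a real deployment would use an X12 translator and keep the key in a KMS or HSM.

```python
"""Tamper-evident audit trail for a clearinghouse intake -> transform -> deliver pipeline.

Added example; not code from the article or from any clearinghouse product.
The record formats, mapping table, destination and audit key are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

AUDIT_KEY = b"example-only-audit-key"  # assumption: load from a KMS/HSM in production

# Assumed, versioned mapping from a partner's nonstandard field names to standard ones.
MAPPING_VERSION = "mapping-v2"
MAPPING_V2 = {"pt_name": "subscriber_name", "dob": "birth_date", "amt": "claim_amount"}

# Constructed sample inbound message (hypothetical partner format).
SAMPLE_RAW = json.dumps({"pt_name": "Jane Doe", "dob": "1980-02-03", "amt": "125.00"}).encode()


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only chain: each entry's MAC covers its own fields plus the previous MAC."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _mac(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def record(self, stage: str, message_id: str, payload: bytes, **extra) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "stage": stage,
            "message_id": message_id,
            "payload_sha256": digest(payload),
            "prev_mac": prev,
            **extra,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """Return (ok, first_bad_seq); catches edited, reordered or deleted entries."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_mac"] != prev:
                return False, i
            if not hmac.compare_digest(self._mac(e), e["mac"]):
                return False, i
            prev = e["mac"]
        return True, None


def translate(nonstandard: dict) -> dict:
    """Apply the versioned mapping; unknown fields are an error, never silently dropped."""
    unknown = set(nonstandard) - set(MAPPING_V2)
    if unknown:
        raise ValueError(f"unmapped fields under {MAPPING_VERSION}: {sorted(unknown)}")
    return {MAPPING_V2[k]: v for k, v in nonstandard.items()}


def process(trail: AuditTrail, message_id: str, raw: bytes) -> dict:
    """Run one message through the pipeline, auditing intake, transform and delivery."""
    trail.record("intake", message_id, raw)
    standard = translate(json.loads(raw))
    out = json.dumps(standard, sort_keys=True).encode()
    trail.record("transform", message_id, out,
                 mapping=MAPPING_VERSION, input_sha256=digest(raw))
    trail.record("deliver", message_id, out, destination="payer-acme")  # assumed destination
    return standard


if __name__ == "__main__":
    trail = AuditTrail(AUDIT_KEY)
    print(process(trail, "MSG-0001", SAMPLE_RAW))
    print("chain intact:", trail.verify())
    trail.entries[1]["payload_sha256"] = "0" * 64   # simulate after-the-fact tampering
    print("after tampering:", trail.verify())
```

Because each entry commits to the input and output digests and the mapping version, an investigator can later prove which translation logic produced a given outbound transaction, and any attempt to quietly rewrite an intake record breaks the chain at that sequence number.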

Compliance Requirements for Covered Entities

All covered entities must comply with the Privacy Rule, Security Rule, and Breach Notification Rule. Practical compliance requires a documented program that ties policies to controls, testing, and governance.


Privacy Rule Essentials

  • Define permissible uses and disclosures, apply minimum necessary, and manage patient rights.
  • Standardize authorization forms and processes for nonroutine disclosures.
  • Maintain policies, procedures, and training records; retain required documentation for six years from its creation or the date it was last in effect, whichever is later.

Security Rule: Administrative Safeguards

  • Conduct a risk analysis and implement Risk Management to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Assign a security official, enforce workforce security and role-based access, and manage security awareness training.
  • Establish contingency planning (backup, disaster recovery, emergency operations) and vendor management.

Security Rule: Physical Safeguards

  • Control facility access, secure workstations, and protect devices and media throughout their lifecycle.
  • Implement clean desk/device practices and secure media disposal and reuse procedures.

Security Rule: Technical Safeguards

  • Implement unique user identification (a required specification), automatic logoff and encryption (addressable specifications: if you do not implement one, document why and what equivalent measure you use instead), and multifactor authentication, which the current rule does not name but which regulators and auditors increasingly expect.
  • Enable audit controls, integrity monitoring, and transmission security for all ePHI pathways.

Breach Notification Rule

  • Maintain an incident response plan that identifies, contains, and investigates suspected breaches.
  • Perform risk assessments for impermissible disclosures and notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS at the same time and, where 500 or more residents of a state or jurisdiction are affected, to prominent media outlets; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year.
  • Document decisions and remedial actions for every incident, including those deemed not a breach.

Business Associate Agreements Importance

A Business Associate Agreement is mandatory with any vendor or subcontractor that handles PHI for you. The BAA contractually requires safeguards, defines permitted uses/disclosures, and obligates timely breach reporting—extending HIPAA protections beyond your walls.

What Effective BAAs Should Cover

  • Permitted and prohibited PHI uses and disclosures, including de-identification limits and minimum necessary.
  • Administrative, Physical, and Technical Safeguards aligned to HIPAA Security Rule expectations.
  • Incident detection, breach reporting timelines, cooperation, and evidence preservation.
  • Subcontractor flow-down requirements and right-to-audit or assurance mechanisms.
  • Return or secure destruction of PHI at contract end and clear termination-for-cause terms.

Vendor Oversight Best Practices

  • Risk-tier vendors, require security questionnaires or independent attestations, and validate insurance coverage.
  • Limit PHI shared to the minimum necessary; prefer de-identified data or limited data sets with data use agreements when feasible.
  • Track BAAs centrally and review when services, systems, or laws change.

Conducting Risk Assessments

The Security Rule requires a thorough and accurate risk analysis and ongoing Risk Management. Treat this as a living program that updates with technology, process, and threat changes.

Practical Risk Analysis Steps

  • Scope systems and workflows that create, receive, maintain, or transmit ePHI; inventory assets and data flows.
  • Identify threats and vulnerabilities (e.g., phishing, misconfiguration, lost devices, third-party failures).
  • Evaluate likelihood and impact, considering existing controls and known gaps.
  • Prioritize risks and document a remediation plan with owners, budgets, and timelines.
  • Track progress in a risk register and verify completion through testing and audits.

Frequency and Triggers

  • Reassess at defined intervals (commonly annually) and whenever significant changes occur—new EHR modules, mergers, cloud migrations, or notable incidents.
  • Use tabletop exercises to stress-test incident response and breach decision-making.

Implementing Training and Policies

Policies translate legal requirements into daily practice, and training makes them stick. Clear ownership, routine refreshers, and measurable outcomes are essential.

Policy and Procedure Essentials

  • Document policies for access control, acceptable use, encryption, mobile/remote work, change management, contingency planning, and incident/breach response.
  • Define sanctions for violations and an escalation path for privacy complaints.
  • Align procedures with Administrative, Physical, and Technical Safeguards so staff know exactly what to do.

Training Program Best Practices

  • Provide onboarding and periodic role-based training (e.g., clinical, revenue cycle, IT, call center).
  • Run phishing simulations, privacy spot-checks, and secure handling drills for mail, fax, and portals.
  • Capture attestations, track completion, and reinforce learning with just-in-time reminders in critical apps.

Monitoring and Continuous Improvement

  • Audit access logs for inappropriate snooping and overbroad permissions.
  • Review incidents and near-misses after action to refine controls and training.
  • Update policies and BAAs when services, systems, or regulations evolve.
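Log review for snooping is most useful when the heuristics are explicit. The following Python is an added example for this article, not code from the original page or from any EHR vendor: it parses constructed audit-log lines and flags four patterns practitioners typically look for, namely an action the user's role should never be able to perform (overbroad permission), a workforce member opening their own record, chart access without a documented care relationship, and a burst of off-roster chart views inside a short window. The pipe-delimited log format, the care-team roster, the role-to-action map, the employee-to-patient mapping, and the volume threshold are all assumptions chosen for illustration.

```python
"""Flag likely PHI snooping and overbroad access in EHR audit logs.

Added example; not code from the article or from any EHR vendor. The log
format, roster, role map, employee-patient map and thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    action: str


# Assumed roster: documented care relationships (user -> patients).
CARE_TEAM = {
    "dr.lee": {"P1001", "P1004"},
    "rn.patel": {"P1002", "P1003"},
    "billing.kim": set(),  # billing staff have no clinical relationship
}

# Assumed least-privilege map: actions each role may perform at all.
ALLOWED_ACTIONS = {
    "physician": {"view_chart", "add_note", "order"},
    "nurse": {"view_chart", "add_note"},
    "billing": {"view_claim"},
}

# Assumed mapping of workforce members who are also patients here.
EMPLOYEE_PATIENT_IDS = {"rn.patel": "P7777"}

VOLUME_WINDOW = timedelta(minutes=60)
VOLUME_THRESHOLD = 3  # more than 3 distinct off-roster charts per window is suspicious

# Constructed sample log (hypothetical 'timestamp|user|role|patient|action' format).
SAMPLE_LOG = """\
2025-01-14T08:02:11|dr.lee|physician|P1001|view_chart
2025-01-14T08:05:40|dr.lee|physician|P1001|add_note
2025-01-14T09:10:02|rn.patel|nurse|P1002|view_chart
2025-01-14T09:12:30|rn.patel|nurse|P1003|view_chart
2025-01-14T12:44:09|billing.kim|billing|P1001|view_claim
2025-01-14T12:45:00|billing.kim|billing|P1001|view_chart
2025-01-14T13:01:55|rn.patel|nurse|P9001|view_chart
2025-01-14T13:02:10|rn.patel|nurse|P9002|view_chart
2025-01-14T13:03:40|rn.patel|nurse|P9003|view_chart
2025-01-14T13:05:12|rn.patel|nurse|P9004|view_chart
2025-01-14T15:30:00|rn.patel|nurse|P7777|view_chart
"""


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return sorted(events, key=lambda e: e.ts)


def audit(events: list[AccessEvent]) -> list[tuple[str, str, str]]:
    """Return sorted, deduplicated (rule, user, detail) findings."""
    findings: set[tuple[str, str, str]] = set()
    off_roster: dict[str, list[AccessEvent]] = defaultdict(list)
    for e in events:
        # 1. Overbroad permission: the role should not be able to perform this action.
        if e.action not in ALLOWED_ACTIONS.get(e.role, set()):
            findings.add(("overbroad_permission", e.user, e.patient_id))
        # 2. Self-lookup: a workforce member opening their own record.
        if EMPLOYEE_PATIENT_IDS.get(e.user) == e.patient_id:
            findings.add(("self_lookup", e.user, e.patient_id))
        # 3. Clinical access with no documented care relationship (break-the-glass review).
        if e.action != "view_claim" and e.patient_id not in CARE_TEAM.get(e.user, set()):
            findings.add(("no_care_relationship", e.user, e.patient_id))
            off_roster[e.user].append(e)
    # 4. Volume spike: many distinct off-roster patients inside one sliding window.
    minutes = int(VOLUME_WINDOW.total_seconds() // 60)
    for user, evs in off_roster.items():
        for i, start in enumerate(evs):
            window = {x.patient_id for x in evs[i:] if x.ts - start.ts <= VOLUME_WINDOW}
            if len(window) > VOLUME_THRESHOLD:
                findings.add(("volume_spike", user, f"{len(window)} patients in {minutes} min"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {user:12} {detail}")
```

Each finding is a review queue item, not a verdict: an off-roster view may be a legitimate consult, which is why the roster rule is paired with the volume rule and why the output records the patient identifier needed to check the chart for a break-the-glass reason.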

Conclusion

Covered entities—providers, plans, and clearinghouses—can meet HIPAA obligations by pairing clear policies with robust safeguards, disciplined vendor oversight, and a continuous Risk Management cadence. Use the checklists in this guide to harden controls, empower your workforce, and respond decisively under the Breach Notification Rule.

FAQs

What are the three types of covered entities under HIPAA?

The three covered entity types are health care providers that conduct standard electronic transactions, health plans (such as insurers, HMOs, and group health plans), and health care clearinghouses that translate nonstandard data to standard formats and vice versa.

How do business associate agreements protect PHI?

A Business Associate Agreement contractually requires vendors to safeguard PHI with appropriate Administrative, Physical, and Technical Safeguards, restricts how PHI may be used or disclosed, mandates prompt breach reporting, and extends these obligations to subcontractors—ensuring protections follow PHI wherever it goes.

What are the key compliance requirements for covered entities?

Key requirements include complying with the Privacy Rule, implementing Security Rule safeguards, conducting risk analysis and ongoing Risk Management, honoring patient rights, executing and managing BAAs, maintaining written policies and workforce training, and following the Breach Notification Rule for incidents involving unsecured PHI.

How often must risk assessments be conducted under HIPAA?

HIPAA requires a risk analysis and ongoing Risk Management but does not mandate a fixed interval. Regulators expect periodic reassessment and updates when significant changes occur; many organizations adopt an annual cycle, with interim reviews triggered by new systems, vendors, or incidents.
