Under HIPAA, a Covered Entity (CE) Is Defined As: Explained

Kevin Henry

HIPAA

December 29, 2024

6 minutes read

Under HIPAA, a covered entity is one of three types: health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. This guide explains each category and the Covered Entity Obligations that apply when you create, receive, maintain, or transmit Protected Health Information (PHI) under the HIPAA Privacy Rule and HIPAA Security Rule.

Health Plans

Health plans include individual and group plans that provide or pay the cost of medical care. If you operate or sponsor a plan that pays health benefits, that plan is typically a covered entity—distinct from the employer sponsoring it.

  • Examples: commercial insurers and HMOs; government programs such as Medicare and Medicaid; TRICARE and certain VA health programs; self-funded employer group health plans.
  • Common exclusions: products that are not health coverage (for example, life or disability insurance) are not health plans for HIPAA purposes.

Key point: the plan itself is the CE. Plan sponsors may receive PHI only for permitted plan administration and must implement safeguards required for those functions.

Health Care Providers

A provider is a covered entity when it transmits health information electronically in connection with a standard transaction (for example, claims, eligibility inquiries, referrals, prior authorizations, or remittance). Size, location, or tax status does not change this threshold.

  • Examples: physicians, clinics, hospitals, dentists, pharmacies, laboratories, behavioral health practices, DME suppliers, and telehealth providers.
  • If you never conduct standard electronic transactions, you may not be a CE; however, you may still be a business associate to another entity or be subject to state privacy laws.

Health Care Clearinghouses

Clearinghouses convert nonstandard health information into standard formats—or the reverse—on behalf of other organizations. If you translate, reformat, or reprice transactions to meet Transaction Standards, you are likely a clearinghouse and thus a CE.

  • Examples: medical billing and switching services that translate data formats; repricing organizations; community health information systems that standardize transactions.
  • Vendors that merely host or store data without translation are generally business associates rather than clearinghouses.

HIPAA Compliance Requirements

Program foundations

  • Appoint privacy and security officials and adopt written policies and procedures aligned to the HIPAA Privacy Rule and HIPAA Security Rule.
  • Conduct an enterprise-wide Risk Assessment of ePHI, prioritize risks, and implement risk management with documented remediation.
  • Train your workforce initially and periodically; apply sanctions for violations; maintain a complaint and response process.
  • Enter into business associate agreements (BAAs) with vendors that handle PHI on your behalf and verify their safeguards.
  • Maintain required documentation and review it regularly through internal monitoring and Compliance Audits.

Transaction Standards and identifiers

Implement and verify use of Transaction Standards for claims, eligibility, enrollment, authorizations, and remittance, and ensure correct use of code sets and national identifiers (such as NPIs). Coordinate testing and conformance with trading partners and clearinghouses.

Contingency and incident readiness

Prepare for security incidents and outages with backups, disaster recovery, and emergency operations. Establish a breach response plan that includes investigation, risk assessment, mitigation, and required notifications.

Privacy and Security Standards

HIPAA Privacy Rule

The Privacy Rule governs uses and disclosures of PHI. You may use or disclose PHI for treatment, payment, and health care operations and as otherwise permitted or with authorization. Apply the minimum necessary standard and provide a Notice of Privacy Practices and individual rights (access, amendment, accounting, and more).

HIPAA Security Rule

The Security Rule protects ePHI through administrative, physical, and technical safeguards. Implement access controls, authentication, audit logs, transmission security, device and media protections, and appropriate encryption, guided by your documented risk analysis.

Breach notification

When unsecured PHI is compromised, evaluate the incident, document your analysis, mitigate harm, and deliver notifications to affected individuals and regulators within required timeframes. Your process should be rehearsed and integrated with vendors via BAAs.

Responsibilities of Covered Entities

Day-to-day Covered Entity Obligations

  • Limit PHI uses and disclosures and apply minimum necessary for routine operations.
  • Honor individual rights promptly, including access, amendments, restrictions, confidential communications, and accounting of disclosures.
  • Manage vendors through BAAs, due diligence, and oversight; ensure only necessary PHI is shared and monitor performance.
  • Retain policies, risk assessments, training, and incident records for the required retention period (commonly six years).
  • Perform periodic Compliance Audits and continuous risk management to verify safeguards remain effective.

Hybrid entities and organized arrangements

If your organization performs both covered and non-covered functions, designate a health care component and establish safeguards separating it from non-covered areas. In organized health care arrangements, coordinate shared notices, authorizations, and disclosures while maintaining appropriate boundaries.

Workforce and culture

Limit workforce access to PHI by role, reinforce privacy through training and reminders, and enforce policies consistently. Encourage reporting and promptly remediate issues to reduce risk.

Enforcement and Penalties

HIPAA is enforced primarily by the HHS Office for Civil Rights (OCR), which investigates complaints and breaches and conducts compliance reviews and audits. Resolutions often include corrective action plans, monitoring, and, when warranted, civil monetary penalties; the Department of Justice may pursue criminal cases.

Civil penalties are tiered by culpability and adjusted for inflation, with higher tiers for uncorrected willful neglect. Timely detection, documentation, and remediation—including thorough Risk Assessment and swift mitigation—can significantly reduce exposure.

Enforcement considers the nature and volume of PHI involved, duration and impact of the incident, prior history, and your cooperation. A mature program that aligns with Transaction Standards, the HIPAA Privacy Rule, and the HIPAA Security Rule is the best defense.

Summary

In short, HIPAA defines covered entities as health plans, health care clearinghouses, and qualifying health care providers. If you handle PHI, your success depends on risk-based safeguards, clear policies, ongoing training, vendor management, and disciplined monitoring and response.

FAQs

What entities qualify as covered entities under HIPAA?

Health plans and health care clearinghouses are covered entities by definition. Health care providers are covered entities when they transmit health information electronically in connection with standard transactions such as claims, eligibility inquiries, referrals, or remittance.

How must covered entities protect patient information?

Use the HIPAA Privacy Rule to govern PHI uses and disclosures and apply minimum necessary. Implement Security Rule safeguards for ePHI—access control, authentication, audit logging, encryption where appropriate, and physical protections—supported by documented Risk Assessment, training, BAAs, and tested incident response.

What are the penalties for non-compliance?

OCR can require corrective action and assess tiered civil penalties that scale with the level of negligence and harm; egregious, uncorrected violations can reach significant sums. The Department of Justice may bring criminal charges for intentional misuse or wrongful disclosure of PHI.

How do covered entities interact with business associates?

Covered entities must execute BAAs with vendors that handle PHI on their behalf, limit disclosures to what is necessary, and exercise appropriate oversight. Business associates have independent HIPAA obligations and are directly liable for certain violations; both parties coordinate security, Compliance Audits, and breach response.
