Under HIPAA, What Counts as a Covered Entity? Practical Guide


Kevin Henry

HIPAA

December 30, 2024

8-minute read

Under HIPAA, a “covered entity” is any organization that must comply with federal rules for using, disclosing, and safeguarding Protected Health Information. In practice, that means three groups: health plans, healthcare providers that conduct HIPAA Covered Transactions electronically, and healthcare clearinghouses. This guide explains each category and the core obligations for Privacy Rule Compliance and Security Rule Standards.

Health Plans as Covered Entities

A health plan is any individual or group plan that pays for the cost of medical care. As covered entities, health plans create, receive, maintain, or transmit PHI and must meet all HIPAA requirements across enrollment, claims, and payment workflows.

Typical examples

  • Health insurance issuers and HMOs.
  • Government programs that pay for healthcare, such as Medicare, Medicaid, and CHIP.
  • Employer-sponsored group health plans (including many HRAs and FSAs).
  • Standalone dental, vision, and prescription drug plans when they finance care.
  • Medicare Advantage and Part D plan sponsors.

Plan sponsors (employers) are not covered entities in that role; the group health plan itself is. Health plans routinely exchange Electronic Health Information via HIPAA Covered Transactions (enrollment, premium payment, remittance advice), so their compliance programs must tightly govern those data flows.

Healthcare Providers Subject to HIPAA

A healthcare provider becomes a covered entity when it transmits any health information in electronic form in connection with a HIPAA Covered Transaction. “Electronic” is broad—it includes EDI, portal uploads, clearinghouse submissions, and similar transmissions.

Examples of HIPAA-covered transactions

  • Claims and encounter submissions.
  • Eligibility and benefit inquiries and responses.
  • Referral authorizations and prior approvals.
  • Claim status requests and responses.
  • Payment and remittance advice.
  • Enrollment/disenrollment and premium payment (when the provider is involved).
  • Coordination of benefits.

Who qualifies as a provider

  • Hospitals, physician practices, clinics, and urgent care centers.
  • Pharmacies, labs, imaging centers, and DME suppliers.
  • Dentists, chiropractors, physical/occupational therapists, behavioral health professionals.
  • Telehealth and virtual-care providers that submit electronic claims or eligibility checks.

A provider that never conducts any of these transactions electronically is not a covered entity, but that situation is now rare. In modern practice, most providers transmit Electronic Health Information related to billing or eligibility and therefore fall under HIPAA.

Healthcare Clearinghouses Defined

Healthcare clearinghouses are public or private entities that transform nonstandard health information from another entity into standard data elements or standard transactions, or the reverse. Their role centers on Data Standardization for HIPAA Covered Transactions.

Core function

Clearinghouses translate, validate, and route Electronic Health Information so claims, eligibility, and payments flow reliably between providers and health plans. They may also scrub data, reprice claims, and manage acknowledgments.

Examples

  • Claims and EDI “switches” that convert nonstandard billing formats to HIPAA standards.
  • Repricing organizations that standardize data for contracted rates.
  • Networks that normalize transactions across multiple trading partners.

Some Health Information Exchange organizations perform clearinghouse-like functions; others act as business associates. The determining factor is whether they standardize transaction data or otherwise handle PHI on behalf of a covered entity.

PHI Protection Requirements

What is PHI

Protected Health Information is individually identifiable health information related to a person’s past, present, or future health, care, or payment for care, created or received by a covered entity or its business associate. When PHI is created, received, maintained, or transmitted electronically, it is ePHI. Electronic Health Information that meets the HIPAA definition of PHI is therefore ePHI.

Permitted uses and disclosures

Covered entities may use and disclose PHI without authorization for Treatment, Payment, and Healthcare Operations, and for specific public-interest purposes (for example, public health reporting, health oversight, and limited law enforcement or judicial requests). Most other uses—such as marketing or sale of PHI—require a valid authorization.

Minimum necessary and de-identification

The Privacy Rule’s minimum necessary standard requires you to limit PHI uses and disclosures to what is reasonably needed. De-identified information is not PHI; you may de-identify via Safe Harbor (removing specified identifiers) or expert determination. Both approaches reduce risk while supporting analytics and Data Standardization goals.
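Safe Harbor de-identification in code, as an added illustration (not code from the original article or from Accountable): the function below removes the direct identifiers that 45 CFR 164.514(b)(2) lists, keeps only the year of dates tied to the individual, aggregates ages over 89 into "90+", and truncates ZIP codes to three digits (or "000" for low-population prefixes). The field names, the sample record and the restricted ZIP-prefix set are constructed assumptions for this example.

```python
import re
from datetime import date

# Field names below are constructed for this example; map them to your own schema.
# Direct identifiers that Safe Harbor (45 CFR 164.514(b)(2)) requires removing outright.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street", "city",
                      "account", "device_serial", "ip_address", "url", "photo"}
# Dates directly related to the individual may keep only the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes whose population is 20,000 or fewer must become "000".
# Constructed placeholder set: a real deployment loads it from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Constructed sample record (no real person).
SAMPLE_RECORD = {"name": "Jane Doe", "dob": "1950-04-12", "age": 74, "zip": "02139",
                 "phone": "617-555-0100", "email": "jane@example.com",
                 "admit_date": "2024-06-03", "diagnosis": "J45.20", "state": "MA"}


def _year_only(value):
    """Reduce an ISO date string or date object to its year; unparseable input is dropped."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value))
    return int(m.group(1)) if m else None


def safe_harbor_deidentify(record, restricted_zip3=RESTRICTED_ZIP3):
    """Return a copy of `record` with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # removed entirely
        if key in DATE_FIELDS:
            out[key] = _year_only(value)              # year only; month and day go
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else int(value)
        elif key == "zip":
            zip3 = str(value)[:3]                     # first three digits at most
            out[key] = "000" if zip3 in restricted_zip3 else zip3
        else:
            out[key] = value                          # clinical data, state, etc.
    if out.get("age") == "90+" and "dob" in out:
        out["dob"] = None   # even the birth year would reveal an age over 89
    return out
```

Safe Harbor removes identifiers but does not guarantee that a record cannot be re-identified from the remaining fields, which is why the expert-determination route exists for richer datasets.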

Individual rights

  • Receive a Notice of Privacy Practices and understand how PHI is used.
  • Access and obtain copies of records, including designated record sets.
  • Request amendments and an accounting of certain disclosures.
  • Request restrictions and confidential communications when feasible.

HIPAA Compliance Obligations

Covered entities must implement a comprehensive program that satisfies both Privacy Rule Compliance and Security Rule Standards, supported by policies, training, and ongoing risk management.

Program foundation

  • Designate a privacy official and a security official.
  • Conduct an enterprise-wide risk analysis and maintain a risk management plan.
  • Adopt written policies and procedures; train the workforce and apply sanctions when appropriate.
  • Manage records in the designated record set and retain required documentation (typically six years from creation or last effective date).

Business associates

  • Identify vendors that create, receive, maintain, or transmit PHI on your behalf.
  • Execute business associate agreements that specify permitted uses/disclosures and safeguards.
  • Oversee vendor risk, including incident reporting and right-to-audit provisions.

Breach notification

  • Assess incidents to determine whether unsecured PHI was compromised.
  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • Report to HHS and, for breaches affecting 500 or more residents of a state or jurisdiction, notify prominent media.

Participation in Health Information Exchange

  • Govern sharing of PHI through Health Information Exchange networks with clear access controls.
  • Ensure data-sharing arrangements align with minimum necessary and patient preferences.
  • Map data flows to HIPAA Covered Transactions and verify appropriate Data Standardization.

Safeguards for Covered Entities

Administrative safeguards

  • Security management processes: risk analysis, risk mitigation, and ongoing governance.
  • Workforce security, role-based access, training, and sanction policies.
  • Contingency planning: backups, disaster recovery, and emergency-mode operations.
  • Vendor and third-party risk management, including due diligence and monitoring.

Physical safeguards

  • Facility access controls and visitor management.
  • Workstation use and placement to reduce shoulder-surfing and unauthorized viewing.
  • Device and media controls: secure storage, encryption, and verified destruction.

Technical safeguards

  • Access controls with unique user IDs, strong authentication, and emergency access procedures.
  • Audit controls and log monitoring to detect inappropriate access.
  • Integrity protections and change monitoring for systems handling ePHI.
  • Transmission security (for example, TLS and modern encryption) to protect data in transit.

Operational best practices

  • Apply least-privilege and need-to-know principles across systems and workflows.
  • Keep systems patched; segment networks that handle Electronic Health Information.
  • Use endpoint protection, email security, and data loss prevention for high-risk channels.
  • Test your incident response plan with tabletop exercises and update controls post-incident.

Enforcement and Penalties

The HHS Office for Civil Rights (OCR) enforces HIPAA through complaint investigations, breach investigations, and compliance reviews. Outcomes may include technical assistance, corrective action plans, resolution agreements, and civil monetary penalties.

Civil and criminal penalties

Civil penalties follow a tiered structure that considers the level of culpability and efforts to correct violations, with annual caps that are adjusted periodically. The Department of Justice may pursue criminal cases for knowingly obtaining or disclosing PHI in violation of HIPAA, including offenses committed under false pretenses or for personal gain or malicious harm.

Common enforcement themes

  • Failure to conduct an accurate and thorough risk analysis or to manage known risks.
  • Inadequate access controls, audit logging, or device/media safeguards.
  • Delayed breach notification or incomplete notices to individuals and HHS.
  • Improper disposal of records or impermissible uses/disclosures of PHI.

Summary

Covered entities under HIPAA are health plans, qualifying healthcare providers, and healthcare clearinghouses. They must protect PHI, honor patient rights, implement Security Rule Standards, and maintain Privacy Rule Compliance across everyday operations and HIPAA Covered Transactions. Strong governance, tested safeguards, and disciplined vendor oversight are the cornerstones of sustainable compliance.

FAQs

What organizations are classified as covered entities under HIPAA?

Covered entities are (1) health plans that pay for medical care, (2) healthcare providers that transmit health information electronically in connection with HIPAA Covered Transactions, and (3) healthcare clearinghouses that standardize transaction data. Each must safeguard PHI and comply with the Privacy and Security Rules.

How does HIPAA define healthcare clearinghouses?

HIPAA defines clearinghouses as entities that process or facilitate the processing of health information from another entity by converting nonstandard formats or content into standard transaction data (or the reverse). Their central purpose is Data Standardization for claims, eligibility, payments, and related exchanges of Electronic Health Information.

What are the main responsibilities of covered entities?

Core responsibilities include Privacy Rule Compliance, implementing Security Rule Standards (administrative, physical, and technical safeguards), honoring individual rights, executing business associate agreements, conducting risk analyses, maintaining policies and training, and performing timely breach notification when unsecured PHI is compromised.

How must covered entities secure protected health information?

They apply layered safeguards: administrative controls (governance, training, vendor oversight), physical protections (facility, workstation, and media controls), and technical measures (access control, encryption, logging, integrity and transmission security). These measures protect ePHI and other PHI across systems, workflows, and Health Information Exchange activities.
