Understanding HIPAA’s Three Covered Entities and What Each Must Do to Comply
HIPAA’s three covered entities—health care providers, health plans, and health care clearinghouses—share core obligations to protect protected health information (PHI) and Electronic Protected Health Information (ePHI). This guide explains who is covered and the practical steps you must take to comply with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule.
Health Care Providers Defined
Under HIPAA, a health care provider is any person or organization that furnishes, bills, or is paid for health care and transmits health information electronically in connection with standard transactions (such as claims, eligibility inquiries, or remittance advice). This includes physicians, hospitals, clinics, laboratories, pharmacies, dentists, chiropractors, therapists, and many others.
If you are a provider that conducts these electronic transactions, you must comply with the Privacy Rule (for PHI in any form) and the Security Rule (for ePHI). Key actions include issuing a Notice of Privacy Practices, honoring patient rights, applying the Minimum Necessary Standard to most uses and disclosures, and executing Business Associate Agreements with vendors that handle PHI on your behalf (for example, billing services, cloud storage, EHR hosting, or telehealth platforms).
Operationally, you should assign privacy and security leadership, train your workforce, manage role-based access, and maintain written policies and procedures. You must also investigate incidents, perform risk analyses for ePHI systems, and document decisions and safeguards.
Health Plans and Their Responsibilities
Health plans include health insurance issuers, HMOs, employer-sponsored group health plans, and government programs that pay for health care (such as Medicare and Medicaid). Certain “excepted benefits” plans may fall outside HIPAA, but most medical, dental, and vision plans are covered.
If you operate a health plan, you must provide a Notice of Privacy Practices to members, apply the Minimum Necessary Standard, designate a privacy official, and enter into Business Associate Agreements with administrators and vendors. For group health plans, you must restrict employer access to PHI to plan administration functions, update plan documents accordingly, and maintain appropriate “firewalls” so PHI is not used for employment-related decisions.
Health plans must secure ePHI with administrative, physical, and technical safeguards; manage access to enrollment and claims data; and follow Breach Notification Rule timelines if a breach of unsecured PHI occurs.
Health Care Clearinghouses Explained
Health care clearinghouses transform nonstandard health information they receive from another entity into standard data elements or transactions—and vice versa. Examples include medical billing networks, repricing organizations, and data switch services that translate transactions like claims (837) and remittances (835).
Clearinghouses are covered entities when performing clearinghouse functions. If they provide additional services (such as analytics or hosting) beyond those functions, they may also act as a business associate and need Business Associate Agreements for those services. Although clearinghouses rarely have a direct relationship with patients (and typically do not issue a Notice of Privacy Practices), they must implement Privacy Rule requirements for any PHI they maintain and Security Rule safeguards for ePHI they create, receive, maintain, or transmit.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
HIPAA Compliance Requirements
HIPAA Privacy Rule
The Privacy Rule governs how you may use and disclose PHI and requires you to protect it in all forms. You may use or disclose PHI without authorization for treatment, payment, and health care operations and in certain other permitted or required situations (for example, public health, health oversight, or as required by law). You must issue a clear Notice of Privacy Practices, apply the Minimum Necessary Standard to most uses and disclosures, and maintain policies, training, and sanctions for noncompliance.
HIPAA Security Rule
The Security Rule requires you to safeguard ePHI through administrative, physical, and technical measures. Core expectations include a documented risk analysis, risk management plan, access controls, audit logging, integrity protections, authentication, and transmission security. “Addressable” specifications are not optional—you must implement them or document an equivalent alternative that appropriately reduces risk.
Breach Notification Rule
If unsecured PHI is breached, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. You must also notify the U.S. Department of Health and Human Services, and for incidents affecting 500 or more residents of a state or jurisdiction, notify prominent media. A good-faith risk assessment of the incident determines whether notification is required.
Business Associate Agreements
Business Associate Agreements are mandatory with vendors that create, receive, maintain, or transmit PHI for you. A BAA must specify permitted uses and disclosures, impose safeguard and breach-reporting obligations on the vendor, and flow down the same restrictions to subcontractors. Do not allow a vendor to access PHI until a BAA is fully executed.
Minimum Necessary Standard
Limit PHI to the minimum necessary to accomplish the intended purpose, applying role-based access and targeted disclosures. This standard does not apply to treatment, disclosures to the individual, uses authorized by the individual, or disclosures required by law, among a few other exceptions. Build practical workflows (for example, filtered reports and least-privilege access) to make compliance routine.
Privacy Officer Responsibilities
The Privacy Officer's responsibilities include overseeing policies and training, managing Notices of Privacy Practices, reviewing authorizations and restrictions, responding to access and amendment requests, handling complaints, coordinating with the Security Officer on ePHI risks, monitoring vendors and BAAs, and ensuring documentation is retained for at least six years.
Administrative Safeguards for Covered Entities
- Security management process: conduct an enterprise-wide risk analysis, prioritize risks, and implement a risk management plan with timelines and owners.
- Assigned responsibility: designate a Security Officer and ensure cross-functional governance with your Privacy Officer.
- Workforce security and training: authorize and supervise workforce access; provide role-based training at hire and periodically; document sanctions.
- Information access management: define role-based access, approve requests, and review access routinely; remove access promptly upon termination.
- Security awareness: implement phishing simulations, reminders, malicious software protection, and log-in monitoring.
- Incident response: establish procedures to identify, report, investigate, and document incidents; preserve logs and evidence.
- Contingency planning: maintain data backup, disaster recovery, and emergency mode operations plans; test and update regularly.
- Evaluation and vendor oversight: perform periodic technical and nontechnical evaluations; maintain BAAs and verify vendor safeguards.
- Documentation and retention: keep policies, analyses, decisions, and training records current and retain them for six years from creation or last effective date.
Physical and Technical Safeguards
Physical Safeguards
- Facility access controls: restrict and log physical entry; protect server rooms and networking closets.
- Workstation use and security: position screens to avoid viewing by unauthorized persons; auto-lock; prohibit unencrypted storage of PHI on local drives.
- Device and media controls: secure laptops and mobile devices, track assets, and sanitize or destroy media before reuse or disposal.
Technical Safeguards
- Access control: unique user IDs, strong authentication (preferably multifactor), session timeouts, and emergency access procedures.
- Audit controls: enable system and EHR audit logs; review alerts for anomalous access and data exfiltration.
- Integrity: use hashing, checksums, and change monitoring to prevent and detect improper alteration of ePHI.
- Person or entity authentication: verify identities before granting access; manage shared accounts tightly or eliminate them.
- Transmission security: encrypt ePHI in transit (TLS or VPN) and, where reasonable and appropriate, at rest; avoid insecure channels like unencrypted email.
Individual Rights Under HIPAA
- Right to notice: receive a clear Notice of Privacy Practices describing how your PHI may be used and disclosed.
- Right of access: inspect or obtain a copy of your PHI, including ePHI, in the requested form and format if readily producible.
- Right to amend: request corrections to inaccurate or incomplete information in the designated record set.
- Right to restrict disclosures: ask for limits on certain uses or disclosures; providers must honor a restriction to a health plan when you pay for an item or service in full out of pocket.
- Right to confidential communications: request alternative means or locations for communications (for example, a different mailing address).
- Right to an accounting of disclosures: receive a list of certain disclosures made without authorization.
- Right to file a complaint: submit complaints to the covered entity or to the government if you believe your privacy rights were violated.
Conclusion
For HIPAA’s three covered entities, compliance centers on safeguarding PHI, limiting its use and disclosure, honoring individual rights, and proving due diligence through risk-based controls and documentation. By aligning your operations with the Privacy Rule, Security Rule, and Breach Notification Rule—and by managing Business Associate Agreements and the Minimum Necessary Standard—you establish a defensible, sustainable privacy and security program.
FAQs
What are the three types of HIPAA covered entities?
The three covered entities are health care providers that conduct electronic standard transactions, health plans (including insurers, HMOs, employer group health plans, and government programs), and health care clearinghouses that convert nonstandard health information into standard transactions or the reverse.
How must health care providers comply with HIPAA?
Providers must implement the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule; issue a Notice of Privacy Practices; apply the Minimum Necessary Standard; honor patient rights (access, amendment, restrictions, and more); execute Business Associate Agreements with vendors; conduct risk analyses; train the workforce; and maintain written policies, procedures, and documentation.
What are the major safeguards required under HIPAA?
HIPAA requires administrative safeguards (governance, risk analysis, training, incident response, contingency planning, vendor management), physical safeguards (facility and device controls, workstation security, media handling), and technical safeguards (access control, audit logs, integrity protections, authentication, and transmission security) to protect Electronic Protected Health Information.