Understanding the Three HIPAA Covered Entities: Who Is Covered and What’s Required
HIPAA defines who must safeguard Protected Health Information (PHI) and how. This guide clarifies the Covered Entity Definition, explains the three covered entity types, and outlines what you must do when you use Health Information Technology to create, receive, maintain, or transmit PHI.
Health Care Providers
You are a covered health care provider if you transmit any health information electronically in connection with a standard HIPAA transaction (for example, submitting claims or checking eligibility). Using a billing service or clearinghouse to send those transactions on your behalf still counts as electronic transmission for coverage purposes.
Covered providers include, among others, physicians, dentists, chiropractors, clinics, hospitals, laboratories, durable medical equipment suppliers, home health agencies, and pharmacies. If you never conduct HIPAA standard transactions electronically, you may fall outside coverage—but in practice most providers use Electronic Data Interchange through their EHR or revenue cycle systems.
As a provider, ensure your Notice of Privacy Practices is accurate, keep Business Associate Agreements in place for vendors, apply minimum-necessary access to PHI, and maintain Security Rule safeguards for electronic PHI (ePHI) across your devices, networks, and apps.
Health Plans
Health plans are covered entities because they pay for medical care. This category spans commercial insurers, HMOs, employer-sponsored group health plans, Medicare, Medicaid, Medicare Advantage and Part D sponsors, TRICARE, and certain government programs. Plan sponsors and administrators that handle enrollment and claims data must protect PHI across their systems and vendors.
For health plans, compliance extends to member communications, enrollment and disenrollment processing, premium billing, claims adjudication, appeals, and any analytics that use PHI. Plans also manage complex vendor ecosystems, making Business Associate management, data sharing rules, and secure Electronic Data Interchange central to their programs.
Health Care Clearinghouses
Clearinghouses transform health information between nonstandard and standard formats. Common examples are medical billing services, repricers, and EDI gateways that convert claims, eligibility inquiries, and remittance files to HIPAA-standard transactions and code sets. Although they often act as Business Associates to providers and plans, clearinghouses are covered entities in their own right.
If you operate a clearinghouse, your obligations include strict data mapping controls, format validations, and audit trails to ensure the integrity, confidentiality, and availability of PHI as it moves through conversion pipelines.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Electronic Transmission Requirements
HIPAA’s Transactions and Code Sets standards govern how you exchange administrative and financial data. When you conduct these transactions electronically, you must use recognized standards and code sets to support accurate, secure Electronic Data Interchange.
Common standard transactions
- Claims and encounters, coordination of benefits, and claim status.
- Eligibility and benefits inquiries and responses.
- Referrals and prior authorizations.
- Payment and remittance advice.
- Premium payments and enrollment/disenrollment for health plans.
Identifiers and code sets
- Use the National Provider Identifier (NPI) for covered providers and organizations.
- Adopt standard code sets such as ICD-10-CM/PCS, CPT, HCPCS, CDT, and NDC where applicable.
If a vendor (for example, your billing company or clearinghouse) performs the electronic transaction, you are still considered to have transmitted information electronically. Build these requirements into your contracts and workflows so your Health Information Technology stack consistently meets HIPAA expectations.
Compliance Obligations
Governance and documentation
- Designate a privacy official and a security official responsible for HIPAA oversight.
- Maintain written policies, procedures, and sanctions; review and update them regularly.
- Document all decisions about addressable safeguards, risk responses, and exceptions.
Risk management and safeguards
- Conduct an enterprise-wide security risk analysis and implement risk management plans.
- Apply administrative, physical, and technical safeguards proportionate to your risks.
- Implement access controls, authentication, audit logging, integrity checks, and secure transmission.
Workforce readiness
- Provide new-hire and periodic HIPAA training tailored to roles and systems.
- Use role-based access, unique user IDs, and timely termination of access to protect PHI.
Patient and member rights
- Honor the HIPAA Privacy Rule rights to access, amendment, and accounting of disclosures.
- Apply minimum-necessary policies to routine uses and disclosures of PHI.
Business Associates and vendors
- Execute Business Associate Agreements that bind vendors to HIPAA standards.
- Evaluate vendor security, require incident reporting, and verify downstream safeguards.
Monitoring and improvement
- Run internal compliance audits and technical assessments; remediate findings promptly.
- Test incident response and breach notification processes end to end.
Privacy and Security Rules
HIPAA Privacy Rule
- Defines PHI and the permitted uses and disclosures for treatment, payment, and health care operations.
- Requires a Notice of Privacy Practices and limits non-routine disclosures without authorization.
- Mandates the minimum necessary standard and safeguards for oral, paper, and electronic PHI.
HIPAA Security Rule
- Covers ePHI with administrative, physical, and technical safeguards driven by a risk analysis.
- Examples include contingency planning, device/media controls, facility security, access management, encryption at rest and in transit (where reasonable and appropriate), and audit controls.
- Integrate these safeguards across your EHR, claims, analytics, and other Health Information Technology systems.
Breach notification
- Investigate potential incidents quickly; if a breach of unsecured PHI occurs, notify affected individuals, HHS, and, in some cases, the media, within required timelines.
Enforcement and Penalties
The HHS Office for Civil Rights (OCR) enforces HIPAA through investigations, compliance reviews, and compliance audits. Civil monetary penalties follow a tiered structure based on the level of culpability, with the highest penalties reserved for willful neglect that is not corrected. OCR may also impose corrective action plans and ongoing monitoring.
Serious violations can trigger referrals to the Department of Justice for criminal enforcement, which may include fines and, for intentional misuse of PHI, imprisonment. Beyond monetary exposure, noncompliance risks operational disruption, reputational harm, and costly remediation.
Conclusion
Covered entities—health care providers, health plans, and health care clearinghouses—must use standard Electronic Data Interchange for transactions and comply with the HIPAA Privacy Rule and HIPAA Security Rule. By governing PHI rigorously, managing vendor risk, and continually testing safeguards, you can meet legal duties, pass audits, and maintain patient and member trust.
FAQs
Who qualifies as a HIPAA covered entity?
Three groups qualify: health care providers that conduct standard transactions electronically, health plans that pay for medical care, and health care clearinghouses that convert health data between nonstandard and standard formats. If you use a vendor to submit transactions electronically on your behalf, you are still considered to have transmitted the information electronically and therefore remain a covered entity.
What are the responsibilities of each covered entity?
All must protect PHI under the HIPAA Privacy Rule and safeguard ePHI under the Security Rule. Practically, this means risk analysis, written policies, workforce training, role-based access, Business Associate Agreements, standard EDI for transactions, incident response, and timely breach notification where required.
How do covered entities handle electronic health information?
They use standard transactions and code sets for EDI, maintain administrative, physical, and technical controls to secure ePHI, and limit use and disclosure to what is permitted or authorized. Encryption, access controls, audit logs, and vendor oversight are core elements of a compliant Health Information Technology program.