What Are the Three HIPAA Covered Entity Categories? Requirements Checklist
You must understand the covered entity definition to determine whether HIPAA applies to your organization. Under HIPAA, covered entities are health care providers, health plans, and health care clearinghouses that create, receive, maintain, or transmit Electronic Protected Health Information (ePHI) in connection with standard transactions.
The HIPAA Privacy Rule and HIPAA Security Rule set baseline requirements for how you use, disclose, and safeguard ePHI. Below is a practical, role-based requirements checklist for each covered entity group, followed by controls for electronic data interchange and core privacy and security obligations.
Health Care Providers Compliance Requirements
Who is a provider covered by HIPAA?
You are a covered health care provider if you furnish, bill, or are paid for health care and transmit health information electronically in connection with a standard transaction (claims, eligibility, referrals, or payments). This includes physicians, dentists, hospitals, clinics, pharmacies, labs, and many allied professionals.
Provider requirements checklist
- Confirm applicability: if you perform covered transactions electronically, HIPAA applies. If you never transmit electronically, you may be outside scope, but this is rare in modern practice.
- Designate a Privacy Officer and a Security Officer and document their responsibilities.
- Conduct an enterprise-wide risk analysis for ePHI and implement risk management actions; review at least annually and upon major changes.
- Adopt written policies and procedures aligned to the HIPAA Privacy Rule and HIPAA Security Rule; maintain version control and retention.
- Distribute a Notice of Privacy Practices (NPP) and obtain acknowledgments when required.
- Apply minimum necessary standards to uses, disclosures, and access; limit workforce access by role.
- Secure Electronic Protected Health Information (ePHI) with administrative, physical, and technical safeguards (access control, audit logging, integrity, transmission security).
- Meet Provider Transaction Requirements: use standard code sets (ICD-10, CPT/HCPCS, CDT, NDC) and your National Provider Identifier (NPI) on transactions.
- Execute Business Associate Agreements with EHR vendors, billing services, cloud providers, and others that handle ePHI for you.
- Maintain incident response and breach notification procedures, including timelines and documentation.
- Train all workforce members initially and periodically; document attendance and comprehension.
Health Plans Compliance Requirements
Who is a health plan under HIPAA?
Health plans include group health plans, health insurance issuers, HMOs, Medicare, Medicaid, and certain employer-sponsored plans. If you administer or insure benefits and handle ePHI, HIPAA's health plan compliance requirements apply.
Health plan requirements checklist
- Issue an NPP to enrollees; maintain clear channels for privacy complaints and questions.
- Designate privacy and security officials; approve plan-wide policies and procedures.
- Implement identity-proofing, access controls, and data segmentation to prevent impermissible disclosures between the plan and the plan sponsor/employer.
- Honor member rights to access, amendments, and accounting; manage appeals and verification of requestors.
- Limit uses and disclosures to treatment, payment, and health care operations unless a valid authorization exists; apply the minimum necessary standard.
- Administer EDI transactions relevant to plans (e.g., 834 enrollment, 820 premium payment, 270/271 eligibility, 276/277 claim status, 278 authorization) and support Provider Transaction Requirements.
- Execute BAAs with TPAs, PBMs, actuarial firms, brokers, and analytics vendors.
- Perform ongoing risk analysis, vendor oversight, and audit logging across all plan systems that store or process ePHI.
- Follow breach notification timelines to members and regulators and maintain incident records.
- Retain documentation for required periods and review policies at least annually.
Health Care Clearinghouses Compliance Requirements
Who is a clearinghouse?
Health care clearinghouses are entities that transform nonstandard health information into standard formats and vice versa for other organizations. Examples include switch vendors and entities that perform format translation, editing, or validation against the HIPAA transaction and code set standards for claims and related transactions.
Clearinghouse requirements checklist
- Operate translation, validation, and routing services using HIPAA-named transaction and code set standards; maintain mapping and version control.
- Apply Security Rule protections end-to-end across intake, transformation, storage, and delivery pipelines, including encryption in transit and appropriate controls at rest.
- Publish an NPP and implement Privacy Rule policies; while direct patient interaction is rare, you remain a covered entity and must honor applicable rights.
- Use role-based access and strict separation of trading partner data; maintain audit trails and transaction logs (e.g., acknowledgments, edits, rejections).
- Execute BAAs when providing services that involve ePHI handling on behalf of covered entities or other business associates; flow down obligations to subcontractors.
- Monitor data quality, timely acknowledgments, and error resolution; document companion guide support and trading partner agreements.
Electronic Data Interchange Standards
HIPAA's transaction and code set rules standardize how ePHI moves between entities. These standards reduce variability and define the transaction requirements that providers and their trading partners must meet so that transactions are processed uniformly.
Core transactions you may use
- Claims/encounters: 837 (professional, institutional, dental).
- Remittance advice: 835.
- Eligibility: 270/271.
- Claim status: 276/277.
- Referrals/prior authorization: 278.
- Enrollment: 834.
- Premium payment: 820.
- Acknowledgments (e.g., 999, 277CA) are widely used for trading partner workflow even when not expressly named.
Code sets and identifiers
- Diagnosis/procedure: ICD-10-CM and ICD-10-PCS (as applicable).
- Procedures/supplies: CPT and HCPCS Level II.
- Dental: CDT.
- Drugs: NDC when required by the transaction.
- Identifiers: NPI for providers; other identifiers per transaction guides.
Implementation tips
- Use trading partner agreements and companion guides to define situational elements, testing steps, and error handling.
- Validate transactions before submission; track acknowledgments and resolve errors promptly.
- Maintain retention schedules for EDI logs and mapping tables; control access to transformation tools and endpoints.
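As an added example (not code from the original page), the following Python performs the pre-submission validation and acknowledgment tracking the tips above call for: it derives the delimiters from the ISA header, checks each ST..SE transaction set against the HIPAA-named list, and reads the outcome codes from a 999 acknowledgment. The sample interchanges, sender/receiver ids, NPI, member id and control numbers are constructed placeholders.

```python
# Added example (not from the original page): minimal X12 envelope checks for the HIPAA transaction sets listed above.
HIPAA_TRANSACTIONS = {"837": "claims/encounters", "835": "remittance advice", "270": "eligibility",
                      "271": "eligibility", "276": "claim status", "277": "claim status", "278": "referral/prior authorization",
                      "834": "enrollment", "820": "premium payment", "999": "implementation acknowledgment"}

def split_segments(interchange):
    """Split an interchange into segments/elements using the delimiters the fixed-width ISA header declares."""
    if not interchange.startswith("ISA") or len(interchange) < 106:
        raise ValueError("not an X12 interchange: ISA header missing or too short")
    elem_sep, seg_term = interchange[3], interchange[105]  # ISA is 106 chars; the terminator is the last one
    return [s.split(elem_sep) for s in interchange.split(seg_term) if s.strip()]

def validate_interchange(interchange):
    """Check each ST..SE set: HIPAA-named ST01, SE02 matches ST02, SE01 equals the real segment count."""
    findings, current, count = [], None, 0
    for seg in split_segments(interchange):
        if seg[0] == "ST":
            problems = [] if seg[1] in HIPAA_TRANSACTIONS else [f"ST01 {seg[1]} is not a HIPAA-named set"]
            current, count = {"code": seg[1], "control": seg[2], "problems": problems}, 1
        elif current is not None:
            count += 1
            if seg[0] == "SE":
                if seg[2] != current["control"]:
                    current["problems"].append("SE02 control number does not match ST02")
                if seg[1] != str(count):
                    current["problems"].append(f"SE01 says {seg[1]} segments, counted {count}")
                findings.append(current)
                current = None
    # An ST without a closing SE is reported rather than silently dropped.
    return findings if current is None else findings + [{**current, "problems": current["problems"] + ["not terminated by SE"]}]

def ack_outcomes(ack_999):
    """From a 999, return [(ST02 control number acknowledged, IK501 code)]: A=accepted, R=rejected, E=accepted with errors."""
    outcomes, acknowledged = [], None
    for seg in split_segments(ack_999):
        if seg[0] == "AK2":    # AK2 names the transaction set being acknowledged
            acknowledged = seg[2]
        elif seg[0] == "IK5":  # IK5 carries the outcome for that set
            outcomes.append((acknowledged, seg[1]))
    return outcomes

# Constructed samples: placeholder sender/receiver ids, made-up NPI, member id and control numbers.
ISA = ("ISA*00*" + " " * 10 + "*00*" + " " * 10 + "*ZZ*" + "SENDERID".ljust(15) + "*ZZ*"
       + "RECEIVERID".ljust(15) + "*240101*1200*^*00501*000000001*0*T*:~")
SAMPLE_270 = ISA + ("GS*HS*SENDERID*RECEIVERID*20240101*1200*1*X*005010X279A1~ST*270*0001*005010X279A1~"
    "BHT*0022*13*10001*20240101*1200~HL*1**20*1~NM1*PR*2*PAYER NAME*****PI*12345~HL*2*1*21*1~NM1*1P*2*CLINIC*****XX*9999999999~"
    "HL*3*2*22*0~NM1*IL*1*DOE*JANE****MI*MEMBER001~EQ*30~SE*10*0001~GE*1*1~IEA*1*000000001~")
SAMPLE_999 = ISA + ("GS*FA*RECEIVERID*SENDERID*20240101*1201*2*X*005010X231A1~ST*999*0002*005010X231A1~"
    "AK1*HS*1*005010X279A1~AK2*270*0001*005010X279A1~IK5*A~AK9*A*1*1*1~SE*6*0002~GE*1*2~IEA*1*000000001~")
```

A rejected IK5 (code R) or an ST01 outside the HIPAA list should be routed to the error-resolution process the tips describe before any resubmission.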
Privacy Rule Obligations
The HIPAA Privacy Rule governs how you use and disclose PHI and grants individuals rights. It applies to all covered entities and many business associates through contracts and law.
Core obligations checklist
- Define permitted uses/disclosures (treatment, payment, health care operations) and when an authorization is required; apply minimum necessary to each disclosure.
- Publish and distribute an NPP that describes uses/disclosures, rights, and contact information.
- Grant individual rights: access, amendments, restrictions, confidential communications, and accounting of disclosures within required timeframes.
- Establish verification procedures for requestors; implement identity-proofing for portal access.
- Adopt policies for marketing, fundraising, research, and de-identification; respect more stringent state laws where applicable.
- Train workforce members; apply sanctions for violations and maintain documentation.
- Maintain breach response processes, risk assessments of incidents, mitigation steps, and timely notifications.
Security Rule Controls
The HIPAA Security Rule requires safeguards to ensure the confidentiality, integrity, and availability of ePHI. Controls fall into administrative, physical, and technical categories, with required and addressable specifications.
Administrative safeguards
- Risk analysis and ongoing risk management across systems handling ePHI.
- Security management process, assigned security responsibility, and workforce security.
- Information access management, security awareness training, and sanction policy.
- Contingency planning: data backup, disaster recovery, emergency mode operations, and periodic testing.
- Security incident procedures and vendor management, including BA oversight.
Physical safeguards
- Facility access controls and visitor management; secure server rooms and networking closets.
- Workstation use and security standards; screen privacy and automatic logoff.
- Device and media controls, including inventory, reuse, disposal, and secure media transport.
Technical safeguards
- Access control with unique user IDs, emergency access, automatic logoff, and encryption as reasonable and appropriate.
- Audit controls for systems that create or maintain ePHI; log review and retention.
- Integrity controls and mechanisms to authenticate ePHI.
- Transmission security to protect ePHI over networks, including encryption in transit.
Business Associate Agreements
Business associates are persons or entities that create, receive, maintain, or transmit ePHI on your behalf outside your workforce. You must have a Business Associate Agreement (BAA) before sharing ePHI for services like EHR hosting, billing, claims processing, analytics, or legal support.
When a BAA is required
- Any vendor or subcontractor handling ePHI for your organization’s functions, even if they never view the data directly (for example, cloud storage).
- Third-party administrators, PBMs, consultants, and data aggregators acting for health plans or providers.
What to include in a BAA
- Permitted and required uses/disclosures; prohibition on unauthorized uses.
- Security Rule compliance, safeguards, and breach notification duties with prompt timelines.
- Subcontractor flow-down obligations; right to audit or obtain attestations.
- Access, amendment, and accounting support for individual rights.
- Return or destruction of PHI at termination; restrictions, indemnification, and termination for cause.
Operationalizing vendor compliance
- Perform due diligence before onboarding; evaluate controls and past incidents.
- Track BAAs centrally; review annually and upon scope changes.
- Limit data sharing to the minimum necessary and monitor interfaces and exports.
Conclusion
The three HIPAA covered entity categories—health care providers, health plans, and health care clearinghouses—share core privacy and security duties while facing role-specific obligations. By aligning to EDI standards, enforcing the HIPAA Privacy Rule and HIPAA Security Rule, and managing Business Associate Agreements, you can protect ePHI and meet regulatory expectations.
FAQs
What entities are considered covered under HIPAA?
HIPAA covered entities are health care providers that conduct electronic standard transactions, health plans that pay for or arrange medical care, and health care clearinghouses that translate data between standard and nonstandard formats. Business associates are not covered entities, but they are legally bound by HIPAA through law and Business Associate Agreements.
How do health care clearinghouses comply with HIPAA?
Clearinghouses comply by implementing the HIPAA Security Rule across translation pipelines, enforcing Privacy Rule policies (including an NPP and minimum necessary), using the HIPAA transaction and code set standards for EDI, maintaining audit logs and strict data segregation, honoring applicable individual rights, and executing BAAs with trading partners and subcontractors.
What are the main responsibilities of HIPAA covered health plans?
Covered health plans must publish an NPP, limit uses and disclosures to permitted purposes, honor enrollee rights, implement Security Rule safeguards, comply with the EDI transaction and code set standards, oversee business associates via BAAs, perform risk analyses, and provide timely breach notifications when required.