What Is a HIPAA Covered Entity? Definition, Examples, and Compliance Requirements


Kevin Henry

HIPAA

February 08, 2024


Definition of HIPAA Covered Entity

A HIPAA Covered Entity is an organization or person that creates, receives, maintains, or transmits Protected Health Information (PHI) and engages in standard electronic transactions. If you provide health care or administer benefits and send claims, eligibility checks, referrals, or similar transactions electronically, you likely fall under this definition.

Covered Entities handle PHI—including electronic PHI (ePHI)—which is individually identifiable health information tied to past, present, or future health status, care, or payment. HIPAA applies regardless of where PHI resides: in EHR systems, billing platforms, email, or stored media.

Covered Entity vs. Business Associate

Business Associates are vendors or partners that handle PHI on a Covered Entity’s behalf (for example, a cloud EHR vendor or a billing service). They are not Covered Entities by definition, but both parties must sign Business Associate Agreements, and the Covered Entity remains responsible for appropriate oversight.

Examples of HIPAA Transactions

  • Health care claims and remittance advice
  • Eligibility inquiries and responses
  • Referral authorization requests
  • Claim status requests and responses

Categories of Covered Entities

Health Care Providers

Any provider who transmits health information electronically in a standard HIPAA transaction is a Covered Entity. Examples include hospitals, physician practices, clinics, dentists, pharmacies, laboratories, and long‑term care facilities.

Health Plans

Health plans encompass health insurance issuers, HMOs, employer‑sponsored group health plans, Medicare, Medicaid, and certain government programs that pay for health care. If you sponsor or administer a plan that processes PHI, HIPAA obligations apply.

Health Care Clearinghouses

Clearinghouses transform nonstandard health information into standard formats (and vice versa). Examples include billing services and claims processing hubs that translate provider data for health plans.

Compliance Requirements Overview

HIPAA compliance rests on three core rules: the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule. Together, they govern how you use and disclose PHI, protect ePHI with safeguards, and respond to incidents.

Program Essentials You Should Implement

  • Designate privacy and security officials responsible for oversight.
  • Conduct initial and ongoing Risk Assessment Procedures and manage identified risks.
  • Adopt written policies, procedures, and sanctions; maintain documentation for required periods.
  • Train your workforce and provide periodic security awareness updates.
  • Execute Business Associate Agreements with vendors that access PHI.
  • Publish and distribute a Notice of Privacy Practices, and honor individual rights.
  • Establish incident response, breach notification, and contingency plans.

Privacy Rule Standards

The HIPAA Privacy Rule governs how PHI may be used and disclosed. You may use or disclose PHI for treatment, payment, and health care operations without written authorization, but must apply the minimum necessary standard for routine non‑treatment activities.

Individual Rights

  • Access and obtain copies of PHI in a timely manner, often within defined time frames.
  • Request amendments to inaccurate or incomplete information.
  • Request restrictions and confidential communications when feasible.
  • Receive an accounting of certain disclosures not related to treatment, payment, or operations.

Notice of Privacy Practices and Governance

You must provide a clear Notice of Privacy Practices, designate a privacy official, and maintain processes for complaints and sanctions. Policies and procedures should be documented and retained as required by HIPAA.

Authorizations and De‑identification

Uses and disclosures outside permitted purposes require a valid authorization. If data are de‑identified so individuals cannot be identified, the information is no longer PHI and the Privacy Rule does not apply.

Security Rule Safeguards

The HIPAA Security Rule requires you to protect ePHI through Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Your approach must be risk‑based and scaled to your size, complexity, and capabilities.

Administrative Safeguards

  • Risk analysis and risk management to identify, prioritize, and mitigate threats to ePHI.
  • Workforce security, role‑based access, and sanction policies.
  • Security awareness and training, including phishing and password hygiene.
  • Contingency planning: data backup, disaster recovery, and emergency operations.
  • Vendor management and Business Associate oversight.

Physical Safeguards

  • Facility access controls and visitor management.
  • Workstation security and screen privacy.
  • Device and media controls, including secure disposal and reuse procedures.

Technical Safeguards

  • Access controls with unique user IDs and strong authentication.
  • Encryption of ePHI in transit and at rest where reasonable and appropriate.
  • Audit controls and log monitoring to detect suspicious activity.
  • Integrity protections and secure transmission mechanisms.

Risk Assessment Procedures

Use a structured process to guide decisions and document your rationale:

  1. Inventory systems, data flows, and locations of ePHI.
  2. Identify threats, vulnerabilities, and existing controls.
  3. Estimate likelihood and impact to determine risk levels.
  4. Select and implement controls (Administrative Safeguards and Technical Safeguards).
  5. Validate effectiveness, track remediation, and review after environmental or technological changes.

Breach Notification Obligations

A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. You must conduct a documented risk assessment considering factors such as the nature of PHI, who received it, whether it was actually viewed, and mitigation steps taken.

Who to Notify and When

  • Affected individuals: without unreasonable delay and no later than 60 calendar days after discovery.
  • Department of Health and Human Services: promptly for large breaches; for smaller breaches, report within the annual reporting window.
  • Local media: required when a breach affects 500 or more residents of a state or jurisdiction.

Content of Notices

  • What happened and when it was discovered.
  • Types of PHI involved (for example, diagnoses or account numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Contact methods for questions and assistance.

Workforce Training and Risk Assessments

You must train your workforce on the HIPAA Privacy Rule, the HIPAA Security Rule, and your internal policies. Training should occur at onboarding, when roles change, and periodically thereafter, with reminders and updates as threats evolve.

Perform comprehensive risk assessments at least annually or when major changes occur—such as new systems, locations, or vendors. Use the results to update controls, refresh procedures, and tailor training to observed risks.

Practical Training Topics

  • Recognizing PHI and applying the minimum necessary standard.
  • Secure use of email, messaging, and mobile devices.
  • Password management, multi‑factor authentication, and phishing awareness.
  • Incident reporting, escalation, and breach response roles.
  • Data handling, retention, and secure disposal practices.

Conclusion

A HIPAA Covered Entity is any provider, plan, or clearinghouse that transacts health information electronically. To comply, you must respect privacy rights, implement layered security safeguards, and follow the Breach Notification Rule. Strong governance, targeted training, and disciplined risk management keep PHI protected while enabling high‑quality care and efficient operations.

FAQs

What types of organizations are HIPAA Covered Entities?

Covered Entities include health care providers that transmit standard electronic transactions, health plans such as insurers and HMOs, and health care clearinghouses that translate data formats. Hospitals, clinics, pharmacies, labs, billing hubs, and employer‑sponsored group health plans are common examples.

What are the main compliance rules for Covered Entities?

The core rules are the HIPAA Privacy Rule (how PHI may be used and disclosed), the HIPAA Security Rule (safeguards for ePHI, including Administrative Safeguards and Technical Safeguards), and the Breach Notification Rule (duties after impermissible disclosures of unsecured PHI). Together, they define policies, controls, and reporting expectations.

How do Covered Entities handle breach notifications?

After an incident, you must assess risk, mitigate harm, and notify affected individuals without unreasonable delay—no later than 60 days after discovery. You also notify HHS and, for large incidents, the media. Notices explain what happened, the PHI involved, protective steps, and what you are doing to prevent recurrence.

What training is required for a Covered Entity's workforce?

Provide role‑based training on your Privacy Rule and Security Rule policies at onboarding and periodically thereafter, with security awareness activities throughout the year. Training should cover PHI handling, access controls, phishing, incident reporting, and your Risk Assessment Procedures so staff can apply safeguards in daily workflows.
