Who Is Subject to HIPAA? Covered Entities (Providers, Health Plans, Clearinghouses) and Business Associates

Kevin Henry

HIPAA

February 28, 2026

Define Covered Entities

Under the HIPAA Privacy Rule and HIPAA Security Rule, “covered entities” are organizations that handle Protected Health Information (PHI) in defined ways. PHI includes individually identifiable health information in any form, while Electronic Protected Health Information (ePHI) is PHI created, stored, or transmitted electronically.

Covered entities fall into three categories: health care providers, health plans, and health care clearinghouses. If you operate within one of these categories and exchange standard electronic transactions (for example, claims, eligibility checks, or referrals), you are subject to HIPAA.

HIPAA applies to your workforce and to any vendors who handle PHI on your behalf. Those vendors are called Business Associates and are also bound by HIPAA through a contract called a Business Associate Agreement.

Identify Health Care Providers

Health care providers are covered when they transmit health information electronically in connection with standard transactions. This includes a wide range of professionals and facilities that deliver diagnosis, treatment, or care coordination.

Common provider examples

  • Hospitals, clinics, ambulatory surgery centers, and urgent care centers
  • Physicians, nurse practitioners, dentists, chiropractors, and therapists
  • Pharmacies, clinical laboratories, imaging centers, and home health agencies
  • Behavioral health, substance use disorder, and telehealth providers

If you never conduct standard electronic transactions, HIPAA may not apply to you as a provider. In practice, most modern providers do, especially when submitting claims or checking eligibility.

Explain Health Plans

Health plans are covered entities because they provide or pay for medical care. If your organization administers or insures health plan coverage, you likely qualify as a health plan under HIPAA.

Examples of health plans

  • Commercial health insurers and HMOs
  • Employer-sponsored group health plans and self-funded plans
  • Government programs such as Medicare, Medicaid, and CHIP
  • TRICARE and certain long-term care insurers that pay for care

Not typically health plans

  • Life, disability, and workers’ compensation insurers (unless separately performing covered transactions)
  • Employers in their role as employers (employment records are not PHI)

If you are a plan sponsor, you become subject to HIPAA when you receive PHI from the plan; strict conditions and safeguards apply to that flow of PHI.

Describe Health Care Clearinghouses

Health care clearinghouses transform nonstandard health information from another entity into standard formats, or the reverse. They enable smooth, compliant exchange of data among providers and health plans.

Examples of clearinghouses

  • Medical billing and EDI switching services
  • Repricing and claims editing organizations
  • Community health management information systems that standardize transactions

Clearinghouses are covered entities in their own right. When they perform services for a provider or plan, they may also act as a Business Associate for that customer relationship.

Define Business Associates

Business Associates are persons or organizations that perform functions or services for a covered entity involving PHI. Subcontractors that create, receive, maintain, or transmit PHI on behalf of a Business Associate are also Business Associates.

Typical Business Associate roles

  • Claims processing, billing, revenue cycle management, and coding
  • IT support, data hosting, cloud storage, email, backup, and EHR vendors handling ePHI
  • Analytics, quality reporting, utilization review, and patient engagement tools
  • Legal, actuarial, accounting, consulting, accreditation, and certification services
  • Health Information Exchanges and pharmacy benefit managers when handling PHI

Members of your workforce are not Business Associates. A vendor is a Business Associate only when its work requires access to PHI; purely de-identified data does not make a vendor a Business Associate.

Explain Business Associate Agreements

A Business Associate Agreement (BAA) is the contract that permits a Business Associate to use or disclose PHI for defined purposes and obligates it to safeguard PHI. You must have a BAA in place before sharing PHI.

Essential BAA elements

  • Permitted and prohibited uses and disclosures of PHI
  • Administrative, physical, and technical safeguards aligned to the HIPAA Security Rule for ePHI
  • Prompt reporting of breaches and security incidents, plus cooperation with investigations
  • Flow-down requirements ensuring subcontractors meet the same protections
  • Support for access, amendment, and accounting of disclosures as required by the Privacy Rule
  • Return or destruction of PHI at contract end, where feasible
  • Right to terminate for material breach and to make records available to regulators

Well-drafted BAAs also address risk allocation (for example, indemnification and cyber insurance) and operational details like encryption, audit logging, and breach response timelines.

Outline HIPAA Compliance Requirements

HIPAA Privacy Rule

The Privacy Rule governs how you use and disclose PHI and grants individuals rights over their information. Core duties include Minimum Necessary use, a Notice of Privacy Practices, timely access to records, amendment processes, and controls over disclosures for treatment, payment, and health care operations.

HIPAA Security Rule

The Security Rule protects ePHI via administrative, physical, and technical safeguards. You must conduct a risk analysis, implement risk management, control access, encrypt where appropriate, train your workforce, manage devices and media, and maintain audit logs and contingency plans.

Breach Notification Rule

If unsecured PHI is breached, you must notify affected individuals, the regulator, and in some cases the media, without unreasonable delay and no later than 60 days after discovery. A documented risk assessment determines whether an incident is a breach requiring notice.

Enforcement and HIPAA Compliance Audits

The regulator enforces HIPAA through investigations, resolution agreements, corrective action plans, and civil monetary penalties. HIPAA Compliance Audits and compliance reviews assess whether your policies, safeguards, and BAAs are effective and documented.

Operational playbook

  • Designate privacy and security officers; maintain up-to-date policies and procedures
  • Complete an enterprise-wide risk analysis and mitigate identified risks
  • Inventory all Business Associates; execute and maintain current BAAs
  • Train your workforce regularly; monitor access; retain logs and documentation
  • Test incident response and breach notification plans; rehearse vendor coordination
  • Periodically audit your program to prepare for investigations and compliance audits

Conclusion

Covered entities—providers, health plans, and clearinghouses—and their Business Associates are all subject to HIPAA when they handle PHI or ePHI. By defining roles clearly, executing strong BAAs, and building a risk-based compliance program, you protect individuals’ privacy and position your organization to pass HIPAA Compliance Audits with confidence.

FAQs

What entities are considered Covered Entities under HIPAA?

Covered Entities include health care providers that conduct standard electronic transactions, health plans that provide or pay for medical care, and health care clearinghouses that convert health information between nonstandard and standard formats.

Who qualifies as a Business Associate?

A Business Associate is any person or organization that performs services or functions for a Covered Entity and needs access to PHI to do so. Subcontractors that create, receive, maintain, or transmit PHI on behalf of a Business Associate also qualify.

What obligations do Business Associates have under HIPAA?

Business Associates must safeguard PHI and ePHI, use and disclose it only as the Business Associate Agreement allows, report breaches and security incidents, ensure subcontractor compliance, and support Privacy Rule requirements like access and amendments.

How do Covered Entities ensure Business Associate compliance?

Covered Entities should inventory all vendors handling PHI, execute a comprehensive Business Associate Agreement with each, assess vendor security practices, require corrective actions where needed, and retain documentation to demonstrate ongoing oversight and compliance.
