Who Must Comply with HIPAA? The Four Entity Types, with Examples
HIPAA applies to four groups: health care providers, health plans, health care clearinghouses, and business associates. The first three are “covered entities,” while business associates must also comply because they handle Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) on behalf of covered entities.
If you create, receive, maintain, or transmit PHI during treatment, payment, or health care operations—or through HIPAA-standard Health Information Transactions—you likely fall within these categories and must meet the HIPAA Privacy Rule and HIPAA Security Rule requirements.
Health Care Providers
Who is a “health care provider” under HIPAA?
You are a covered entity if you furnish health care and transmit health information electronically in connection with a standard transaction (for example, claims, eligibility checks, referrals, or remittance advice). Size, specialty, and setting do not change this status.
Common examples
- Hospitals, physician practices, clinics, and urgent care centers
- Dental, vision, chiropractic, and mental/behavioral health providers
- Pharmacies, clinical laboratories, imaging centers, and ambulatory surgery centers
- Home health agencies, hospices, nursing homes, and ambulance services
- Telehealth providers and durable medical equipment suppliers
Key compliance points
- Provide a Notice of Privacy Practices, honor patient rights, and apply the minimum necessary standard.
- Safeguard ePHI with risk analysis, access controls, encryption where reasonable, and audit logs.
- Use Business Associate Agreements (BAAs) with vendors that access PHI.
Health Plans
What counts as a health plan?
Any individual or group plan that provides or pays for the cost of medical care is a covered entity. This includes commercial insurers, HMOs, self-insured employer group health plans, and government programs such as Medicare, Medicaid, and military or veterans’ health coverage. One narrow exclusion: a group health plan with fewer than 50 participants that is administered solely by the employer that established it is not a HIPAA health plan.
How plans meet HIPAA obligations
- Publish a compliant privacy notice and limit uses/disclosures to permitted purposes or with authorization.
- Separate plan administration from the employer sponsor; share PHI only as allowed by HIPAA.
- Execute BAAs with third-party administrators, PBMs, and data vendors.
- Secure ePHI under the Security Rule and conduct ongoing risk management.
- Use standard Health Information Transactions and identifiers for claims, eligibility, and remittance.
Health Care Clearinghouses
Role in the HIPAA ecosystem
Clearinghouses convert nonstandard health data they receive from another entity into standard formats (or vice versa) for HIPAA transactions. They are covered entities in their own right, although when a clearinghouse processes PHI on behalf of another covered entity, certain Privacy Rule obligations (such as issuing its own Notice of Privacy Practices) do not apply to that processing.
Typical examples
- Billing services and repricers that standardize claims data
- Electronic data interchange (EDI) networks and switching services
- Value-added networks or hubs that normalize transaction formats
Responsibilities
- Comply with the Privacy Rule when using or disclosing PHI received for clearinghouse purposes.
- Implement HIPAA Security Rule safeguards for all systems that create, receive, maintain, or transmit ePHI.
- Use BAAs when performing separate services that make them a business associate.
Business Associates
Definition
A business associate is any person or organization that performs functions or services for a covered entity involving PHI (or provides services to a business associate with PHI access). Subcontractors with PHI access are also business associates.
Examples
- Cloud hosting, data storage/backup, and EHR vendors
- Billing, coding, claims processing, and third-party administrators
- Consultants, auditors, attorneys, and accreditation bodies
- Call centers, transcription, mailing/print vendors, and records destruction services
- Health information exchanges and analytics platforms
Compliance duties
- Sign and honor Business Associate Agreements defining permitted PHI uses/disclosures.
- Implement Security Rule safeguards and applicable Privacy Rule provisions.
- Flow down BAA obligations to subcontractors through written agreements, and report security incidents and breaches of unsecured PHI to the covered entity (or upstream business associate) without unreasonable delay and within the timeframe the BAA sets, no later than 60 days after discovery.
HIPAA Compliance Requirements
Privacy Rule essentials
Limit PHI uses and disclosures to treatment, payment, and health care operations or other permitted/required purposes; otherwise obtain valid authorization. Provide a Notice of Privacy Practices, apply the minimum necessary standard, and support patient rights to access, amend, and receive an accounting of disclosures.
Security Rule safeguards for ePHI
- Administrative: risk analysis, risk management, workforce training, vendor oversight, and incident response.
- Physical: facility security, device/media controls, and secure disposal.
- Technical: unique user IDs, multi-factor access where reasonable, encryption in transit and at rest (an addressable specification: if not implemented, document why and what equivalent measure is used instead), and audit controls that record and allow review of activity in systems holding ePHI.
Breach Notification Rule
Assess suspected incidents, document the risk assessment used to decide whether an impermissible use or disclosure is a reportable breach of unsecured PHI, and notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify HHS at the same time for breaches affecting 500 or more individuals (smaller breaches are logged and reported to HHS annually), and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. Maintain updated response plans and test them.
Transactions, code sets, and identifiers
Use standard Health Information Transactions and code sets to submit claims, check eligibility, remit payments, and coordinate benefits. Adopt required identifiers such as the National Provider Identifier to streamline compliant data exchange.
Documentation and governance
- Designate privacy and security officers and review policies at least annually.
- Conduct periodic audits, remediate gaps, and retain required policies, procedures, and compliance documentation for six years from the date of creation or the date last in effect, whichever is later.
- Perform due diligence on vendors and execute BAAs before sharing PHI.
Examples of Covered Entities
Health care providers
- General and specialty hospitals; outpatient surgery and imaging centers
- Primary care and specialty physician groups; urgent care and retail clinics
- Dentists, optometrists, chiropractors, therapists, and behavioral health clinics
- Pharmacies, clinical labs, hospices, nursing facilities, and home health agencies
Health plans
- Commercial insurers and HMOs (individual and group policies)
- Self-insured employer group health plans and student health plans
- Government programs: Medicare, Medicaid, TRICARE, and veterans’ health coverage
Health care clearinghouses
- Claims clearinghouses, billing intermediaries, and repricers
- EDI networks and switching services that standardize HIPAA transactions
Note on business associates (not covered entities)
While not “covered entities,” business associates must comply with HIPAA when handling PHI for a covered entity. Examples include cloud service providers, EHR vendors, TPAs, and analytics platforms, all operating under BAAs.
Role of Protected Health Information
What PHI includes
PHI is individually identifiable health information related to a person’s health, care, or payment for care that is created or received by a covered entity or business associate. When stored or transmitted electronically, it is ePHI and must meet Security Rule safeguards.
Using and disclosing PHI
- Permitted without authorization for treatment, payment, and health care operations, and for specific public policy purposes required or allowed by law.
- Apply the minimum necessary standard, role-based access, and audit trails.
- De-identified information is not PHI; limited data sets may be shared under a data use agreement.
Practical controls
- Encrypt devices and data in transit and at rest where reasonable and appropriate.
- Implement identity and access management, logging, and retention/disposal procedures.
- Train your workforce regularly and reinforce policies through monitoring and sanctions.
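The minimum necessary standard, role-based access, and audit trails listed above are the one part of this page a developer actually implements. The following is an added illustration, not code from the original page or from Accountable; the sample record, the role names, and the per-role field allow-lists are constructed assumptions for the example and are not the regulation's own lists. It returns each role only the fields that role needs, gives an operations analyst a view with no direct identifiers at all, and writes an immutable audit entry for every access attempt, including denied ones.

```python
"""Minimum-necessary, role-based access to a PHI record with an audit trail.

Added example, not code from the original page. The record, roles and
allow-lists below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Constructed sample record (assumption). Real ePHI would live in the EHR
# or claims system; this dict stands in for one row of it.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-04-02",
    "ssn": "123-45-6789",
    "address": "1 Main St, Springfield",
    "diagnosis_codes": ["E11.9"],
    "procedure_codes": ["99213"],
    "claim_amount": 145.00,
    "insurer_member_id": "M-778",
}

# Illustrative per-role allow-lists (assumption): each role is limited to
# the fields needed for its function. Nobody here needs the SSN or address,
# so no role receives them, and the analyst role receives no direct
# identifiers at all.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "diagnosis_codes", "procedure_codes"},
    "billing": {"patient_id", "name", "dob", "insurer_member_id",
                "procedure_codes", "claim_amount"},
    "qi_analyst": {"diagnosis_codes", "procedure_codes", "claim_amount"},
}


@dataclass(frozen=True)
class AuditEntry:
    """One immutable audit-trail line; tuples so entries cannot be edited later."""
    when: str
    user: str
    role: str
    patient_id: str
    purpose: str
    fields_released: tuple
    denied: bool = False

    def to_json(self) -> str:
        return json.dumps(self.__dict__, sort_keys=True)


@dataclass
class PhiAccessService:
    """Mediates every read of a PHI record and records it."""
    audit_log: list = field(default_factory=list)

    def _log(self, user, role, patient_id, purpose, fields, denied=False):
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id, purpose=purpose,
            fields_released=tuple(sorted(fields)), denied=denied,
        ))

    def access(self, record: dict, user: str, role: str, purpose: str) -> dict:
        """Return the minimum-necessary view for `role`, auditing the attempt.

        Unknown roles are denied (and the denial is audited) rather than
        defaulting to full access.
        """
        patient_id = record.get("patient_id", "<unknown>")
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._log(user, role, patient_id, purpose, (), denied=True)
            raise PermissionError(f"role {role!r} is not authorized to view PHI")
        view = {k: v for k, v in record.items() if k in allowed}
        self._log(user, role, patient_id, purpose, view.keys())
        return view

    def export_audit(self) -> str:
        """Audit trail as JSON lines, the form you would ship to retained storage."""
        return "\n".join(e.to_json() for e in self.audit_log)


if __name__ == "__main__":
    svc = PhiAccessService()
    print(svc.access(SAMPLE_RECORD, "dr_lee", "clinician", "treatment"))
    print(svc.access(SAMPLE_RECORD, "analyst1", "qi_analyst", "health care operations"))
    print(svc.export_audit())
```

The design point is that the allow-list is the policy artifact: reviewing `ROLE_FIELDS` is the minimum-necessary review, and the audit log records which fields actually left the system, not just that a record was opened. In a real deployment the log would be written to append-only storage and retained alongside the other compliance documentation.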
FAQs
What entities are covered under HIPAA?
Covered entities are health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. Business associates and their subcontractors must also comply when they handle PHI for a covered entity under a Business Associate Agreement.
What is a business associate under HIPAA?
A business associate performs functions or services for a covered entity that involve PHI access—such as billing, cloud hosting, analytics, legal, or consulting services. They must sign BAAs, safeguard ePHI under the Security Rule, follow applicable Privacy Rule provisions, and report breaches.
How do health plans comply with HIPAA?
Health plans publish a privacy notice, limit PHI uses/disclosures, and protect ePHI with administrative, physical, and technical safeguards. They execute BAAs with TPAs and vendors, use standard Health Information Transactions, and maintain governance, training, and incident response programs.
What are the responsibilities of health care clearinghouses?
Clearinghouses standardize health data for HIPAA transactions and must comply with both the Privacy Rule and Security Rule. They protect PHI during processing, restrict disclosures to permitted purposes, implement robust safeguards, and use BAAs when offering additional services that make them business associates.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.