Who Must Follow the HIPAA Privacy Rule? Covered Entities Explained
The HIPAA Privacy Rule applies to specific organizations—called covered entities—and to their business associates that handle Protected Health Information. If you create, receive, maintain, or transmit PHI, understanding who is covered, what obligations apply, and where Privacy Rule exceptions exist is essential to lawful data use and disclosure.
Health Plans as Covered Entities
Who is included
Health plans are covered entities. They include group health plans, health insurance issuers, HMOs, Medicare, Medicaid, Medicare Advantage, and certain government programs that pay for health care. Many employer-sponsored group health plans are covered even when a third-party administrator runs day-to-day operations.
Key responsibilities involving PHI
As a plan sponsor or insurer, you must limit uses and disclosures to what the Privacy Rule permits, honor member rights, and maintain policies that reflect minimum necessary practices. When you rely on vendors, you must execute Business Associate Agreements to ensure compliant safeguards and reporting.
Plan sponsors vs. employers
Employers acting as plan sponsors access PHI only for plan administration and must keep it separate from employment records. The plan component is the covered entity—not the employer in its general HR role.
Health Care Providers Compliance
When a provider is a covered entity
Any health care provider—such as a physician, hospital, clinic, pharmacy, dentist, lab, or therapist—becomes a covered entity when it transmits health information electronically in connection with standard transactions (for example, claims, eligibility, prior authorization). This link to Electronic Transactions Standards is what triggers the Privacy Rule.
Daily compliance duties
Providers must give patients a Notice of Privacy Practices, use and disclose PHI only as permitted, apply the minimum necessary standard, and secure Business Associate Agreements with vendors. You must also train your workforce and document policies to ensure consistent, auditable compliance.
Patient rights in practice
Patients have rights of access, amendment, restriction (in certain cases), confidential communications, and an accounting of disclosures. You need processes to verify identity, respond within required timelines, and record determinations to show Compliance Enforcement readiness.
Role of Health Care Clearinghouses
What clearinghouses do
Health care clearinghouses translate nonstandard health information into standard formats (and vice versa) for billing and administrative exchanges. Because they handle PHI as part of these conversions, they are covered entities even when they have no direct relationship with patients.
Dual roles and obligations
Clearinghouses may also act as business associates when providing services to providers or plans. In both roles, they must safeguard PHI, follow the Privacy Rule’s permitted uses and disclosures, and comply with applicable Electronic Transactions Standards.
Business Associates Obligations
Who counts as a business associate
Business associates are vendors or partners who create, receive, maintain, or transmit PHI on behalf of a covered entity—such as billing services, EHR and cloud providers, IT support, claims administrators, consultants, legal counsel, and transcription services. Their subcontractors that handle PHI are also business associates.
Business Associate Agreements (BAAs)
Before sharing PHI, you must execute a Business Associate Agreement that defines permitted data use and disclosure, requires safeguards, mandates breach reporting, flows obligations down to subcontractors, and sets PHI return or destruction at contract end. BAAs are central to accountable data sharing.
Direct liability
Business associates are directly liable for complying with applicable Privacy Rule provisions and for implementing security safeguards for electronic PHI. They must cooperate with investigations and support covered entities in meeting individual rights requests when their systems hold the relevant PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exemptions from the Privacy Rule
Entities generally not covered
Some organizations are outside HIPAA’s scope unless they perform covered functions. Common examples include life insurers, employers in their general capacity, workers’ compensation carriers, many schools and school districts (whose education records are governed by FERPA), and law enforcement agencies. Personal health apps and consumer platforms are not covered unless they act as business associates.
Hybrid entities
Organizations that perform both covered and non-covered functions (such as a county government with a health clinic) may designate themselves as hybrid entities. Only the health care components must follow the Privacy Rule; other components are exempt from HIPAA obligations.
HIPAA Privacy Rule Compliance Requirements
Protected Health Information (PHI)
PHI is individually identifiable health information held or transmitted by a covered entity or business associate, in any form or medium. De-identified data is not PHI; a limited data set may be used for specific purposes under a data use agreement.
Permitted data use and disclosure
The Privacy Rule permits data use and disclosure for treatment, payment, and health care operations without individual authorization. Additional Privacy Rule exceptions allow disclosures for public health, health oversight, certain law enforcement and judicial requests, research under defined conditions, and averting serious threats, among others.
Minimum necessary standard
Outside of treatment, you must limit PHI to the minimum necessary to accomplish the purpose. Role-based access, routine protocols, and documented approvals help meet this requirement and reduce risk.
Individual rights and notices
You must provide a clear Notice of Privacy Practices and processes for access, amendment, restrictions in specific scenarios, confidential communications, and disclosure accounting. Keep logs and determinations to demonstrate consistent handling of rights requests.
Electronic Transactions Standards
If you conduct standard electronic transactions, you must adhere to HIPAA’s Administrative Simplification rules. Coordination with clearinghouses, payers, and vendors ensures formats, code sets, and identifiers are properly applied and audited.
Governance, training, and incident response
Written policies, workforce training, vendor oversight, and timely breach notification are foundational. Align privacy and security functions so that incident detection, containment, notification, and corrective action are coordinated and documented.
Enforcement and Penalties
How enforcement works
Compliance Enforcement is led by the U.S. Department of Health and Human Services’ Office for Civil Rights, which investigates complaints, conducts audits, and negotiates resolution agreements with corrective action plans. State attorneys general may also bring actions under HIPAA.
Civil and criminal exposure
Civil penalties follow a tiered structure based on the level of culpability and are subject to annual caps. Factors include the nature and extent of the violation, harm caused, and the entity’s compliance posture. Knowing misuse of PHI can trigger criminal penalties enforced by the Department of Justice.
Practical takeaway
If you are a health plan, a provider conducting standard electronic transactions, a clearinghouse, or a business associate, you must implement documented controls, limit data use and disclosure, and be ready to show evidence of compliance. Doing so protects individuals, reduces risk, and positions you to respond effectively if regulators call.
FAQs
Who qualifies as a covered entity under HIPAA?
Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions. If you fit one of these categories, the HIPAA Privacy Rule governs how you handle PHI.
What obligations do business associates have under the HIPAA Privacy Rule?
Business associates must comply with applicable Privacy Rule provisions, implement safeguards for electronic PHI, report breaches, flow obligations to subcontractors, and operate under Business Associate Agreements that define permitted uses and disclosures and require accountable practices.
How does the Privacy Rule affect health care providers?
Providers that conduct standard electronic transactions must give a Notice of Privacy Practices, use and disclose PHI only as permitted, apply minimum necessary, honor patient rights, execute Business Associate Agreements with vendors, and maintain documented policies, training, and incident response processes.