Many organizations handle health-related data, but do not know if HIPAA actually applies to them. That uncertainty creates risk. Over-restrict and you slow care and operations; under-protect and you face penalties and loss of trust.
You can eliminate the ambiguity in one sitting by mapping your operations to the legal definitions, understanding the key exclusions, and aligning your workflows to the privacy and security rules that actually apply to you.
Federal law and HHS guidance precisely define the rules governing covered entities and specify where exceptions apply. This guide will help you understand your organization’s obligations, implement efficient controls, and automate HIPAA compliance.
If you find that your organization is not a covered entity, confirm whether you are a business associate handling protected health information for one. Either way, you must design for continuous compliance.
What is a HIPAA Covered Entity?
Under 45 CFR 160.103, a covered entity is either a health plan, a healthcare clearinghouse, or a healthcare provider who transmits health information in electronic form in connection with a standard transaction.
These standard transactions include claims, eligibility inquiries, referrals and authorizations, claim status, and related electronic data interchange formats defined under part 162.
If a provider never conducts these transactions electronically, it is not a “covered” health care provider for HIPAA purposes.
Key Differences Between Covered Entities and Business Associates
Covered entities must comply directly with the privacy, security, and breach notification rules because they originate or control protected health information (PHI) in the ordinary course of care, payment, or operations.
Business associates are persons or entities that perform functions or services for a covered entity that involve the use or disclosure of protected health information. They are not part of the covered entity’s workforce and must sign a business associate agreement. They have direct obligations under HIPAA to safeguard PHI.
A covered provider or health plan can also act as a business associate to another covered entity, depending on the function performed. The relationship and the contract determine the obligations for that specific activity.
Types of HIPAA Covered Entities
The three types of HIPAA covered entities are:
- Health plans
- Healthcare clearinghouses
- Healthcare provider
1. Health plans
A health plan is any individual or group plan that provides or pays for medical care, including health insurers, HMOs, employer group health plans, and government programs such as Medicare and Medicaid.
However, there are important exclusions and special cases. These include:
- Policies that provide only workers’ compensation, automobile medical payment, or property and casualty coverage are not health plans for HIPAA.
- A government-funded program whose principal purpose is other than paying for health care, or whose principal activity is the direct provision of care (for example, grantmaking to clinics), is excluded unless otherwise listed in the regulation.
- Group health plans with fewer than 50 participants that are self-administered by the employer are also excluded.
For further clarity, use the Centers for Medicare and Medicaid Services decision tool to test edge cases like grant-funded programs or plans with excepted benefits only.
2. Healthcare clearinghouses
Clearinghouses process nonstandard information from one entity into a standard format (or vice versa) for billing, claims, or related transactions.
Examples include billing services, repricing companies, “value-added” networks, and switches. If they handle protected health information, they are covered entities.
3. Healthcare provider
Providers of medical or healthcare services are covered entities when they conduct standard electronic transactions (like claims, eligibility checks, referrals, and similar administrative transactions).
Examples of healthcare providers that fall under HIPAA:
- Hospitals and ambulatory surgery centers submitting electronic claims
- Physician practices or dental offices conducting electronic eligibility inquiries
- Pharmacies processing electronic prescriptions and claims adjudication
- Telehealth providers are billing electronically for services rendered
Rights and responsibilities of HIPAA Covered Entities
These are the major responsibilities of HIPAA covered entities:
Signed patient consent
HIPAA does not require blanket “consent” for treatment, payment, and health care operations. For most other uses and disclosures, authorization is required, and marketing uses are tightly controlled.
Many organizations still collect consent or acknowledgment to reinforce policy, but it is not a universal legal requirement for core operations.
Communication with the patient’s family
Covered entities may share relevant information with family or friends involved in a patient’s care or payment using professional judgment. This is permitted but not required. Policies should define how staff verify involvement and respect patient preferences.
Patient visit and contact
Appointment reminders, follow-up instructions, and other routine contacts are permitted communications. Messages should reveal the minimum necessary information and follow reasonable safeguards.
Child abuse reporting
HIPAA does not preempt state child abuse reporting laws. Covered entities may disclose information to the appropriate authorities consistent with 45 CFR 164.512 and applicable state law.
Communication via electronic means
Email and texting with patients are permitted if the entity applies reasonable safeguards (for example, confirming the address or number, enabling encryption where feasible, honoring requests for alternative means).
Document the decision and train staff accordingly. Patients may also request restrictions and confidential communications under 45 CFR 164.522.
| Important Note:
Civil and, in some cases, criminal penalties may apply for violations of these rights and responsibilities. Penalty tiers depend on the level of culpability and can add up across violations, which is why continuous compliance and strong incident response processes matter. |
Automating HIPAA Compliance
Manual and point-in-time checks create gaps between audits and are open to increased probabilities of error.
Automation, on the other hand, reduces cost and complexity while improving audit readiness. It reduces decision latency and prevents silent regressions across privacy, security, and data breach obligations.
Practical automations to implement now:
- Data inventory and mapping: Maintain live inventories of systems holding protected health information and map data flows. This helps your organization better assess the Security Rule on risk management requirements by showing exactly where risk lives and how it moves.
It also improves “minimum necessary” decisions under the Privacy Rule because teams can see which systems actually require access for treatment, payment, and operations.
- Policy-as-code controls: Codify requirements like encryption at rest, multi-factor authentication on privileged accounts, and log retention into machine-checkable rules.
This directly operationalizes administrative, physical, and technical safeguards under the Security Rule, so controls validate themselves instead of relying on quarterly checks.
- Continuous evidence collection: Pull configurations, access logs, and vendor attestations through application programming interfaces into a normalized store for real-time posture reporting.
This turns evidence for the Security Rule and Privacy Rule from a one-time export into a living record that auditors can sample at any point in time.
- Vendor oversight: Track Business Associate Agreements and onboarding, and collect periodic assurances and breach notices; proposed updates put more emphasis on vendor risk.
Automation here enforces the contract obligations and disclosure timelines in the Business Associate provisions of the Privacy and Security Rules.
- Breach-response playbooks: Pre-stage templates and timers for the sixty-day clock and document risk-of-harm assessments.
This operationalizes the Breach Notification Rule so the countdown is visible, accountable, and supported with the right disclosures and logs.
Partnering with Network Intelligence for HIPAA Compliance
For covered entities, the biggest cost drivers are Security Rule safeguards at scale (EHR, identity, cloud), vendor oversight under Business Associate Agreements, and recurring audit preparation.
Automation is the practical answer because it converts these recurring, high-variance obligations into repeatable workflows with live evidence.
Transilience AI from Network Intelligence applies multi-agent AI for continuous monitoring, automated evidence collection, and real-time risk assessment, while our healthcare experts harden governance and close gaps.
Organizations using this model report up to a 70% reduction in compliance overhead alongside a stronger security posture.
Talk to an expert, let us map your covered-entity obligations and stand up an automation plan that keeps you always HIPAA compliant.
