
Covered Entity

Definition

A covered entity is an organization or individual directly regulated under HIPAA because it is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a transaction for which HHS has adopted a standard (for example electronic claims, eligibility checks, or remittance advice). Health plans and clearinghouses are covered by virtue of what they are; a healthcare provider is covered only if it conducts such electronic transactions, so the practical determination for a provider turns on the services performed, the type of information involved, and whether those transactions actually occur. In compliance programs the term matters because covered entities carry primary responsibility for protecting protected health information (PHI): managing access, implementing safeguards, maintaining privacy practices, training workforce members, and overseeing the third parties (business associates) that support regulated operations. Covered entity status therefore shapes how an organization structures policies, vendor contracts, incident response, audit readiness, and security controls. Similar concepts appear in other frameworks as regulated organizations, data controllers, or accountable organizations, but 'covered entity' is specifically a HIPAA term.

Real-World Examples

Hospital system

A hospital that treats patients, maintains medical records, bills insurers, and coordinates care is typically a covered entity.

Digital health clinic

A small telehealth provider that delivers clinical care qualifies as a covered entity once it transmits health information electronically in connection with a standard transaction, for example by billing insurers electronically; a cash-only practice that never conducts such transactions does not, even though it handles the same kind of clinical data.

Health insurance plan

A health plan that processes enrollment, claims, eligibility, and member health information is commonly treated as a covered entity.

Healthcare clearinghouse

An organization of any size that standardizes or translates healthcare transaction data between providers and payers may be a covered entity.

A covered entity is an organization or individual directly regulated under HIPAA because it performs certain healthcare functions involving protected health information. Common covered entities include healthcare providers, health plans, and healthcare clearinghouses.

In compliance, covered entity status means the organization has direct obligations to protect health information, manage privacy and security safeguards, train its workforce, oversee vendors, and maintain evidence that required controls are operating.

Organizations that commonly qualify include healthcare providers that conduct regulated healthcare transactions, health plans, and healthcare clearinghouses. The determination depends on the organization's role, services, data handled, and transaction activity.

Examples include hospitals, physician practices, dentists, pharmacies, health insurers, employer-sponsored health plans, telehealth providers that deliver clinical care, and healthcare clearinghouses that process standardized transaction data.

A covered entity is responsible for protecting health information, limiting access, maintaining privacy practices, implementing administrative and technical safeguards, training workforce members, handling requests from individuals, and managing third-party relationships.

To determine covered entity status, review whether the organization is a healthcare provider, health plan, or clearinghouse, what types of health information it handles, and whether it conducts regulated healthcare transactions or related services.

A covered entity has direct regulated responsibilities because of its healthcare role. A business associate typically provides services to a covered entity and creates, receives, maintains, or transmits protected health information on that covered entity's behalf under a business associate agreement; the same organization can be a covered entity for its own healthcare functions and a business associate for services it performs for others.

Covered entities must protect the confidentiality, integrity, and availability of electronic protected health information under the Security Rule and the privacy of all protected health information, in any form, under the Privacy Rule. This usually involves access controls, audit logging, workforce training, risk analysis and risk management, vendor oversight, incident response, and documented policies.

A vendor or service provider can be a covered entity if it independently performs covered healthcare functions. If it only supports another covered entity while handling protected health information, it is more commonly a business associate.

Covered entities should maintain controls such as identity and access management, multi-factor authentication where appropriate, encryption where appropriate, logging and monitoring, endpoint protection, backup and recovery, vulnerability management, workforce training, and vendor risk management.

Version | Date       | Author            | Description
1.0.0   | 2026-05-06 | WatchDog GRC Team | Initial publication