What Exactly Qualifies as a HIPAA Covered Entity?

Does your staff think HIPAA is a strange type of undiscovered animal? Or do they understand the significance of this law and how it can affect your medical practice?

A HIPAA covered entity is an agency that handles protected health information. This information includes identifiers of the patient, the diagnoses they’ve received, and payment information.

Data like this identifies the person and what they have experienced medically or psychiatrically. It’s the same information you use to fill in the blanks when you fill out documents to become a new patient or client.

This law protects individuals from discrimination based on their medical history. Private information is kept out of public view and cannot be used unfairly for any reason.

What Providers Fall Under HIPAA?

There are four major categories of providers that fall under HIPAA requirements and protections. You’ll recognize most of these if you’ve been researching medical coverage plans.

These are:

  1. Health plan providers
  2. Clearinghouses
  3. Providers of services
  4. Business associates related to these providers

Each of these offers a distinct set of services to particular patient groups, and it is easy to research how HIPAA applies to each of them.

Health Plan Providers

A health plan provider is an agency that provides an independently purchased health plan, one your employer provides and pays for, or one that your local government offers. HMOs are also included in this group.

These agencies must protect any personal information you provide to them, since it lays out your medical history. It also shows any treatment plans for diagnoses you’ve received.

Provider information gets handed out when individuals first choose a medical coverage plan. Documentation like this explains how each plan differs and what benefits get included.

Patients have specific groups of doctors to choose from based on the plan they select. Provider and hospital availability varies based on the region their clients live in.

All of them must follow HIPAA procedures exactly.

Clearinghouses

Data storage organizations process related health information on behalf of other companies. Your physical and mental health histories are included in this data. Because they contract to handle this data, they too fall under the HIPAA restrictions.

Clearinghouses must follow all confidentiality requirements when they share information. If it isn’t protected, the individual who suffered the breach of confidentiality can sue them.

Depending on the amount of damage this release causes, a lawsuit of this type can be quite expensive.

Service Providers of All Types

Providers include those who work in nursing homes, chiropractic offices, dental offices, pharmacies, and clinics, as well as psychologists and general doctors. All of them fall under HIPAA requirements and must protect any information that reveals services or claims, according to HIPAA procedures.

This non-exhaustive list of providers gives you a general idea of who is required to protect your privacy. These procedures apply any time you receive a medication refill or a specific type of treatment.

Staff members who do not follow these protocols can be prosecuted or fined, as can the agency itself, if the information falls into the wrong hands. Even if a breach of information is accidental, administrative officials must report it.

The incident will be investigated and, where possible, the data recovered. Such an incident shows the consequences of neglect on the part of staff who handle this private information.

Health-Related Business Associates

Service professionals who contract with medical providers and handle protected health information must follow the same rules and procedures as the providers themselves.

This list includes:

  1. Contractors, e.g. transcriptionists
  2. Consultants
  3. Contracted doctors
  4. Review or audit professionals

Their contracts might include language allowing victims to file suit against them if information is misused. Even so, federal law requires them to follow the same strict procedures as other covered entities.

HIPAA Covered Entity “Minimum Necessary” Rule

The main rule to remember with any type of protected health information is the “minimum necessary” standard. It states that no one should receive any more data than the absolute minimum they need to get their job done.

For example, when the medical records department receives a chart request, staff should ask which dates of service are in question and which specific pieces of information the requesting agency needs.

As long as the requesting agency receives only the minimum data it needs, the rule has been satisfied. Following it also protects the office that provided the data if that office is audited.

Legal Notifications and Consents

With this legal protection, patients and clients can seek out the treatment they need. Government agencies that provide services distribute the privacy rule in brochures, and private doctors also keep this information on hand for new patients.

Patients sign acknowledgments when they receive information on this privacy rule. This protects the agency and gives patients facts about how the agency protects their data.

Clients receive information on how to access their personal records, as well as on which other personnel can view them. They also learn about the procedures medical professionals use to access records during treatment.

HIPAA Best Practices

Find available training to educate your staff with the most up-to-date information on this law. They can attend either in person or online. The money you invest in training ensures the future success of your practice.

State agencies help protect your practice by helping to monitor the use of protected health information. As a HIPAA covered entity, you are fully responsible for the information about your patients and how it gets shared between your office and your co-treating colleagues. Sharing it properly might also help patients reach their treatment goals faster.

Doctors and providers who don’t feel confident in their understanding of this privacy rule put themselves at risk of a costly lawsuit. They also risk losing the trust of their patients. The effort that it takes to follow HIPAA laws is much less than the effort of trying to save a practice once a breach is proven.

It’s an ongoing education that will change with the times. It’s a privacy law that will adapt as more entities start operations.

Keep up with the law and your staff will feel more secure in their positions. It’s a win-win for providers and patients alike and protects everyone involved.

Learn how this law applies to you and the services you provide, so you can treat your clients and make them feel more secure.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the standard states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
