Free tool
Every HIPAA decision starts with one question: what are you?
Covered Entity, Business Associate, Hybrid Entity, or Vendor — your HIPAA classification determines which rules apply, what documentation you need, and how severe the penalties are if something goes wrong. Most practices assume they know. This tool makes sure.
4 classifications: Covered Entity, Business Associate, Hybrid Entity, Vendor
7 questions: branching logic means you answer only 3–4, depending on your path
Confidence score: each result includes a percentage likelihood rating based on your answers
100% free: no login, no credit card, no trial expiration
Question 1
Does your organization provide healthcare services directly to patients?
Know the landscape
Four classifications. Four different compliance obligations.
Covered Entity
Healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. Subject to the full scope of HIPAA — Privacy Rule, Security Rule, and Breach Notification Rule.
Examples
Medical practices, dental offices, hospitals, pharmacies, health insurance companies, Medicare/Medicaid programs.
Full HIPAA compliance required
Business Associate
Organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity. Must sign a BAA and comply with the Security Rule. Directly liable for breaches since the 2013 Omnibus Rule.
Examples
IT vendors, cloud hosting providers, billing companies, EHR vendors, shredding companies, consultants with PHI access.
Security Rule + BAA required
Hybrid Entity
Organizations where only part of the business performs HIPAA-covered functions. The covered component must comply fully; non-covered components may operate under different standards but must maintain information barriers.
Examples
Universities with medical centers, corporations with employee health clinics, retailers with in-store pharmacies.
Partial — covered components must fully comply
Vendor (Not Covered)
Organizations that sell products or services to healthcare but never create, receive, maintain, or transmit PHI. No direct HIPAA obligations, though customers may require contractual security assurances.
Examples
Office supply vendors, building maintenance, food service providers, general IT hardware suppliers.
No direct HIPAA obligations
Why classification matters
Get this wrong and every compliance decision that follows is built on the wrong foundation.
Entity classification is not a formality. It is the first decision in HIPAA compliance because it determines which rules apply to your organization. A covered entity has Privacy Rule obligations that a business associate does not. A business associate has Security Rule requirements that a vendor does not. Get the classification wrong, and you either over-invest in controls you do not need or under-invest in protections you are legally required to have.
OCR enforcement actions regularly cite misclassification as an aggravating factor. Organizations that believed they were vendors when they were actually business associates have faced penalties for operating without BAAs, failing to conduct risk assessments, and lacking breach notification procedures — all obligations they did not know they had because they started from the wrong assumption.
This tool uses branching logic to narrow your classification in 3–4 questions. It is not a legal determination — that requires counsel. But it eliminates the ambiguity that causes most classification errors and gives you a working frame for every compliance decision that follows.
Next step
HIPAA Compliance Roadmap
Now that you know your classification, work through the 17-step operational roadmap to see where your practice has real coverage and where the gaps are hiding. Entity classification is Step 1 — there are 16 more.
See the Full Roadmap
Get a full picture
Unified Risk Assessment
Entity determination is one input. The Unified Risk Assessment combines it with compliance readiness, practice profile, and ePHI data flow analysis for a comprehensive risk score — all in one evaluation.
Take the Free Assessment
Know your classification. Now act on it.
Classification tells you which rules apply. Patient Protect implements them — automated risk assessments, policy management, vendor oversight, and breach response built for your entity type and practice size.
