Covered entities are the people and organizations that hold and process PHI data for their customers
– the ones required to report HIPAA violations and who are responsible for paying fines imposed by the Office
of Civil Rights if and when a HIPAA violation occurs.