When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, it established a clear legal boundary: certain organizations and individuals that handle health information are directly subject to its rules. These are called covered entities under HIPAA — and understanding exactly who qualifies, what their obligations are, and how they differ from other healthcare stakeholders is essential for anyone operating in or adjacent to the US healthcare system.
This guide answers the most common questions: what is a covered entity under HIPAA, which of the following are covered entities under HIPAA, what does HIPAA define as a covered entity, and who is covered under the HIPAA rules — with clear definitions, real examples, and a breakdown of responsibilities.
What Is a Covered Entity Under HIPAA?
A HIPAA covered entity is defined by the Department of Health and Human Services (HHS) as any individual or organization that:
- Provides healthcare services, health insurance coverage, or health data processing functions, and
- Transmits protected health information (PHI) electronically in connection with standard transactions for which HHS has established requirements
In plain terms: if your organization deals with patients’ health information as part of its core function — and conducts that business electronically — it is almost certainly a covered entity under HIPAA and must comply with its Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
Covered Entity Definition
The formal covered entity definition under HIPAA encompasses three distinct categories:
- Healthcare providers that transmit PHI electronically
- Health plans that provide or pay for healthcare coverage
- Healthcare clearinghouses that process health data between parties
Every organization that falls into one of these three categories is subject to HIPAA’s full regulatory requirements — including mandatory safeguards, patient rights obligations, staff training, breach reporting, and documentation. This is what HIPAA defines as a covered entity and forms the foundation of the law’s enforcement structure.
The 3 Types of Covered Entities Under HIPAA
1. Healthcare Providers
What is a covered entity in healthcare? The most commonly encountered category is healthcare providers — individuals and institutions that furnish, bill for, or receive payment for healthcare services and transmit PHI electronically in connection with standard HIPAA transactions.
A healthcare provider becomes a HIPAA covered entity specifically when it transmits health information electronically for standard activities such as submitting insurance claims, checking patient eligibility, or processing electronic remittance. In today’s digital healthcare environment, virtually all active providers meet this threshold.
Which of the following are covered entities under HIPAA as healthcare providers?
- Hospitals and health systems — including emergency, surgical, and specialty care
- Physicians, primary care practices, and specialist clinics
- Dentists and oral health professionals
- Chiropractors and physical therapists
- Psychologists, psychiatrists, and behavioral health providers
- Pharmacies that dispense medications and submit electronic claims
- Nursing homes, assisted living facilities, and home health agencies
- Laboratories and diagnostic imaging centers
- Telehealth and virtual care practices that handle electronic billing
Important exception: A healthcare provider that never conducts electronic standard transactions — for example, a physician who bills patients entirely by paper mail — is technically not a covered entity. In practice, this is increasingly rare, as nearly all modern healthcare operations involve electronic transactions in some form.
2. Health Plans
Health plans are the second major category of covered entities under HIPAA. A health plan is any individual or group program that provides or pays for the cost of medical care as its principal activity.
Who is covered by the HIPAA Privacy Rule as a health plan?
- Health insurance companies offering medical, dental, or vision coverage
- Health Maintenance Organizations (HMOs) and Preferred Provider Organizations (PPOs)
- Employer-sponsored group health plans — note that the plan is the covered entity, not the employer in its HR capacity
- Government-administered programs: Medicare, Medicaid, CHIP (Children’s Health Insurance Program)
- Military and veterans’ health programs including TRICARE
- Long-term care insurers (in most cases)
Key nuance — employer-sponsored plans: Many employers offer group health plans to their employees. The plan itself is the HIPAA covered entity — not the employer. However, if the employer self-administers the plan or has access to PHI for plan administration purposes, specific HIPAA obligations apply to those functions.
Small plan exception: Employer-sponsored group health plans with fewer than 50 participants that are fully self-administered — without any third-party vendors processing claims — are generally exempt from HIPAA. However, once a third party is engaged to administer benefits or process electronic transactions, the plan falls within covered entity status.
What is not a covered entity in the health plan category: Insurance companies that pay healthcare costs only as a secondary benefit — such as an auto insurer covering medical costs resulting from a car accident — are not HIPAA covered entities. Healthcare coverage must be the primary purpose of the plan for HIPAA to apply.
3. Healthcare Clearinghouses
Healthcare clearinghouses are the third category of HIPAA covered entities and the least widely understood. A healthcare clearinghouse is an organization that translates nonstandard health information received from one entity into a standard electronic format — or performs the reverse — to facilitate transactions between healthcare providers and health plans.
Their core function is to bridge compatibility gaps between providers and payers who use different data systems, ensuring that claims, eligibility checks, and remittance data can flow accurately and efficiently across the healthcare system.
Which of these entities is considered a covered entity as a clearinghouse?
- Medical billing companies that process and submit claims on behalf of providers
- Electronic Data Interchange (EDI) gateways and vendors
- Repricing companies that process claims for cost containment
- Data intermediaries that translate non-standard formats into HIPAA-compliant formats
- Health Information Exchanges (HIEs) that standardize and translate data between parties
Healthcare clearinghouses handle large volumes of PHI from multiple organizations, making their compliance with HIPAA’s security and privacy requirements critical for the integrity of the entire healthcare data ecosystem.
Benefits of Covered Entities
Covered entities under HIPAA play a crucial role in the healthcare ecosystem, and their existence yields numerous benefits for both patients and the broader healthcare industry.
1. Patient Data Protection: One of the primary benefits of covered entities is the protection of patients’ sensitive health information. These entities are legally obligated to implement stringent privacy and security measures to safeguard protected health information (PHI).
2. Privacy Rights: Covered entities are required to adhere to the HIPAA Privacy Rule, which grants patients certain rights over their health information. Patients can access their medical records and request corrections.
3. Improved Healthcare Quality: Covered entities’ compliance with HIPAA regulations promotes better healthcare quality. By ensuring that PHI is accurate and protected, healthcare providers can make well-informed decisions, leading to improved patient care and outcomes.
4. Data Standardization: Healthcare clearinghouses, which fall under the category of covered entities, facilitate the standardization of health data formats.
5. Efficient Data Exchange: Covered entities, particularly healthcare clearinghouses, play a critical role in streamlining the exchange of health information.
6. Enhanced Trust in Healthcare: The presence of covered entities engenders trust among patients and stakeholders in the healthcare system when individuals know that their health information is protected.
7. Legal and Ethical Compliance: Covered entities are obligated to comply with HIPAA’s stringent requirements. This not only ensures legal adherence but also fosters an ethical environment within the healthcare sector.
8. Global Data Security Standards: HIPAA’s privacy and security regulations have become a benchmark for data protection not only within the United States but also internationally.
In summary, covered entities under HIPAA are the guardians of patients’ health information, promoting data protection, privacy rights, and healthcare quality. Their role extends beyond individual patient care to facilitate efficient data exchange, reduce fraud, and bolster trust within the healthcare ecosystem.
Hybrid Entities: A Special Case
A hybrid entity is a single legal organization that performs both HIPAA-covered and non-covered functions. Common examples include:
- A university that operates a hospital or student health clinic
- A county government that runs a public health department
- A retail company that operates in-store pharmacies
In these cases, only the designated healthcare components of the organization are subject to HIPAA. However, the organization must erect documented internal safeguards — often called “Chinese walls” — to ensure PHI does not flow improperly between covered and non-covered parts of the business.
Who Is Covered Under the HIPAA Rules — And Who Is Not
Understanding who is covered under the HIPAA rules requires distinguishing between covered entities, business associates, and excluded parties.
Covered Entities
As defined above — healthcare providers, health plans, and healthcare clearinghouses that transmit PHI electronically.
Business Associates
Business associates are not covered entities — they are separate organizations that perform services on behalf of covered entities and, in doing so, access or handle PHI. Examples include cloud storage vendors, billing platforms, IT managed service providers, legal counsel, and accountants who access patient data.
Business associates must enter into a Business Associate Agreement (BAA) with the covered entity and are subject to their own HIPAA compliance obligations — but they are governed under a distinct regulatory category. Learn more about how HIPAA compliance obligations flow between covered entities and their associates.
Not Covered by HIPAA
The following types of organizations are generally not considered covered entities under HIPAA:
- Employers in their HR or employment capacity (even if they sponsor a group health plan)
- Life insurance companies (unless they also provide health coverage)
- Workers’ compensation carriers
- Auto insurers covering medical costs as a secondary benefit
- Law enforcement agencies accessing health data under court order
- Schools and school districts (governed by FERPA, not HIPAA)
- Many wellness apps and consumer health platforms that are not affiliated with a covered entity
Responsibilities of HIPAA Covered Entities
Who is covered by the HIPAA Privacy Rule is one question — what those covered entities must actually do is another. The obligations are substantial and cover the full lifecycle of PHI management.
- HIPAA Privacy Rule Compliance: The Privacy Rule defines how covered entities may use and disclose PHI. It grants patients specific rights including the right to access their medical records, request corrections, and control how their health information is shared. Covered entities must have documented privacy policies and appoint a Privacy Officer responsible for implementation.
- HIPAA Security Rule Compliance: The Security Rule requires covered entities to implement three categories of safeguards to protect Electronic Protected Health Information (ePHI):
- Administrative safeguards — workforce training, access management policies, risk analysis, and contingency planning
- Physical safeguards — facility access controls, workstation use policies, and device and media controls
- Technical safeguards — access controls, audit controls, integrity controls, and transmission security (encryption)
- Breach Notification Rule: In the event of a breach of unsecured PHI, covered entities must notify affected individuals, the HHS Office for Civil Rights (OCR), and in cases affecting 500 or more individuals in a state, prominent local media. Notification timelines are strict — affected individuals must be notified within 60 days of breach discovery.
- Staff Training and Education: Covered entities are required to provide all workforce members with HIPAA training appropriate to their role. Training must be documented, and records must be maintained as evidence of compliance.
- Risk Analysis and Management: HIPAA requires covered entities to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities to PHI confidentiality, integrity, and availability — and to implement a risk management plan to address identified risks. This connects directly to the broader risk management process that underpins all compliance frameworks.
- Documentation and Record-Keeping: Covered entities must maintain written documentation of all HIPAA policies, procedures, risk assessments, training records, and breach notifications for a minimum of six years from creation or last effective date.
Consequences of Non-Compliance for Covered Entities
Failing to meet HIPAA obligations as a covered entity carries serious consequences. The HHS Office for Civil Rights enforces HIPAA and applies a tiered civil penalty structure:
| Violation Category | Penalty Per Violation | Annual Cap |
|---|---|---|
| Unknown (entity unaware) | $100 – $50,000 | $25,000 |
| Reasonable cause (not willful neglect) | $1,000 – $50,000 | $100,000 |
| Willful neglect — corrected | $10,000 – $50,000 | $250,000 |
| Willful neglect — not corrected | $50,000 | $1,500,000 |
Beyond financial penalties, non-compliant covered entities face reputational damage, loss of patient trust, mandatory corrective action plans, and in cases of criminal violations, prosecution of responsible individuals.
How CertPro Supports HIPAA Covered Entity Compliance
Meeting HIPAA’s requirements as a covered entity demands a structured, documented, and consistently maintained compliance program. Many healthcare organizations — from growing practices to established health systems — benefit from working with an experienced audit partner to assess their compliance posture, close gaps, and produce the documentation required by regulators and business partners.
CertPro CPA LLC provides independent HIPAA compliance assessments for covered entities and business associates — evaluating administrative, physical, and technical safeguard implementation against HIPAA Security Rule requirements and documenting findings in a formal assessment report. Our auditors bring the regulatory depth and practical experience needed to help covered entities understand their obligations, verify their controls, and demonstrate compliance credibly.
For organizations that also handle data subject to GDPR, SOC 2, ISO 27001, or CCPA, CertPro provides a unified audit approach that addresses overlapping regulatory requirements efficiently under a single engagement.
Schedule a meeting with a CertPro auditor to begin your HIPAA covered entity assessment.
FAQ
What are covered entities under HIPAA?
Covered entities under HIPAA are organizations and individuals that fall into one of three categories: healthcare providers that transmit PHI electronically, health plans that provide or pay for healthcare coverage, and healthcare clearinghouses that process health data. All are subject to HIPAA’s Privacy Rule, Security Rule, Breach Notification Rule, and related requirements.
What is a covered entity under HIPAA?
A covered entity under HIPAA is any healthcare provider, health plan, or healthcare clearinghouse that handles protected health information (PHI) and transmits it electronically in connection with HIPAA standard transactions.
What are considered covered entities under HIPAA?
Entities considered covered under HIPAA include hospitals, physician practices, dentists, pharmacies, health insurance companies, HMOs, Medicare, Medicaid, employer-sponsored health plans, and healthcare clearinghouses such as billing companies and EDI gateways.
What does HIPAA define as a covered entity?
HIPAA defines a covered entity as a health plan, healthcare clearinghouse, or healthcare provider that transmits PHI electronically in connection with standard administrative transactions. The definition is established under 45 CFR Part 160.
Who is covered under the HIPAA rules?
HIPAA rules cover healthcare providers, health plans, and healthcare clearinghouses — as well as their business associates through the Business Associate Agreement requirement. Employers in their general HR capacity, life insurers, workers’ compensation carriers, and most consumer health apps are not covered entities.
Who is covered by the HIPAA Privacy Rule?
The HIPAA Privacy Rule applies to all covered entities — healthcare providers, health plans, and healthcare clearinghouses — and governs how they may use and disclose PHI, as well as the rights patients have over their own health information.
Are business associates covered entities under HIPAA?
No. Business associates are not covered entities. They are third-party organizations that provide services to covered entities and access PHI in doing so. They are subject to HIPAA through Business Associate Agreements and their own compliance obligations, but they fall under a separate regulatory category.
What is a covered entity in healthcare?
In a healthcare context, a covered entity is any provider, insurer, or data intermediary that is legally obligated to protect patient health information under HIPAA. This includes hospitals, clinics, insurance companies, government health programs, and clearinghouses.

About the Author
SUBBAIAH KU
Subbaiah Ku is the Regional Director for CertPro in Oman, bringing a wealth of expertise in process and system auditing. As a seasoned lead assessor, Subbaiah is dedicated to ensuring the highest standards in compliance and security. His unique blend of technical acumen, rooted in Mechanical Engineering, is complemented by a diverse range of certifications and extensive training.