A HIPAA Covered Entity Does Not Include These Organizations


Kevin Henry

HIPAA

July 30, 2025

7 minute read

Knowing whether you are regulated by the Health Insurance Portability and Accountability Act matters. A HIPAA covered entity does not include organizations that fall outside HIPAA’s narrow definitions, even if they handle health-related data in other contexts.

This guide clarifies what “covered entity” means, which organizations are excluded, why they are excluded, and how alternative rules, Business Associate obligations, and employer roles shape your compliance strategy.

Definition of Covered Entities

Under the HIPAA Privacy Rule, a “covered entity” is one of three types of organization that handle Protected Health Information (PHI) in regulated ways tied to Electronic Health Information Transactions.

The three covered entity types

  • Health plans: Group health plans, health insurance issuers, and HMOs that pay for medical care.
  • Health care clearinghouses: Intermediaries that transform nonstandard health information into standard transaction formats and vice versa.
  • Health care providers conducting standard transactions: Providers who transmit health information electronically in connection with covered claims, eligibility checks, referrals, authorizations, or payment transactions.

If a provider never performs standard electronic transactions, HIPAA may not apply to that provider as a covered entity, even if they deliver care.

Excluded Organization Types

Many organizations interact with health data yet are not, by default, HIPAA covered entities. They may still face other privacy requirements or become Business Associates, but they are excluded from covered entity status unless they perform covered functions.

  • Employers acting in their role as employers (HR, leave administration, drug testing coordination). The employer’s group health plan may be a covered entity, but the employer itself generally is not.
  • Life, disability, property, and casualty insurers (including many workers’ compensation, auto, and liability carriers) when offering those lines of coverage rather than medical benefits.
  • Schools and school districts when student health records are maintained under the Family Educational Rights and Privacy Act, not HIPAA.
  • Law enforcement, courts, and correctional institutions unless operating a health care component that conducts covered transactions.
  • Consumer health app developers, device makers, and wellness platforms offering services directly to consumers without acting on behalf of a covered entity.
  • Financial institutions and payment processors that move funds but do not provide health plan functions.
  • Employers’ on-site clinics or wellness vendors that do not conduct Electronic Health Information Transactions (or that operate solely for employment-related purposes).
  • Research organizations that are not health plans, clearinghouses, or providers submitting standard transactions.

Any of the above may still fall under HIPAA if they perform covered functions or operate as a Business Associate for a covered entity.

Reasons for Exclusion

  • No covered function: The entity is not a health plan, clearinghouse, or a provider engaged in standard electronic transactions.
  • Context matters: Activities like employment decisions, life insurance underwriting, or property/casualty claims are outside HIPAA’s scope.
  • Alternative legal regimes: Another law—such as FERPA or financial privacy statutes—governs the records instead of HIPAA.
  • No PHI in a HIPAA context: The organization may hold health-related data, but not as PHI created, received, maintained, or transmitted by a covered entity.
  • Role-based boundaries: Hybrid entities can designate health care components; non-health components remain outside HIPAA.

Alternative Privacy Regulations

Excluded organizations are often regulated elsewhere. Understanding these frameworks helps you close gaps even when HIPAA does not apply.

  • Family Educational Rights and Privacy Act (FERPA): Governs most student education records, including many school-maintained health files.
  • FTC Act and Health Breach Notification Rule: Apply to many direct-to-consumer health technologies that are not covered entities or Business Associates.
  • Gramm-Leach-Bliley Act (GLBA): Covers financial institutions’ handling of customer data, including certain health-related information in financial products.
  • State consumer privacy laws: Laws such as comprehensive state privacy statutes and health data acts can regulate non-HIPAA entities.
  • 42 CFR Part 2: Protects substance use disorder treatment records for federally assisted programs.
  • Workers’ Compensation Exemption and state insurance laws: Permit specific disclosures for work-related injuries and claims while imposing separate constraints.
  • State data breach notification laws: Trigger notice duties when defined personal information is compromised, even outside HIPAA.

Business Associate Considerations

Even if you are not a covered entity, you may become a Business Associate when performing services for a covered entity that involve PHI. In that role, HIPAA’s rules flow down to you via a Business Associate Agreement.

When exclusion flips to Business Associate status

  • Technology vendors: Cloud hosting, e-signature, storage, analytics, and telehealth platforms that create, receive, maintain, or transmit PHI for covered entities.
  • Administrative service providers: Billing, coding, utilization review, case management, and pharmacy benefit support.
  • Consultants and legal support: Compliance, auditing, and expert services accessing PHI on behalf of a covered entity.

What a Business Associate Agreement should address

  • Permitted and required uses/disclosures of PHI and strict prohibition on unauthorized use.
  • Safeguards aligned to the Security Rule, including risk analysis, encryption at rest/in transit, and access controls.
  • Breach and incident reporting timelines, investigation duties, and cooperation terms.
  • Subcontractor flow-down obligations and right to audit or obtain assurances.
  • Return or destruction of PHI at termination and continuity-of-operations provisions.

Without a signed Business Associate Agreement, providing services that touch PHI is a compliance risk for both parties.

Impact on Employers

Employers are generally not covered entities. However, the employer’s group health plan is a covered entity, and the HIPAA Privacy Rule strictly limits how the plan may share Protected Health Information with the plan sponsor.

Key boundaries for employers

  • Separate hats: Employment records held by HR (e.g., FMLA documentation, drug testing results) are not PHI, but PHI from the group health plan is.
  • Plan administration only: PHI can flow to the employer for plan administration if plan documents are amended and required safeguards are in place.
  • Minimum necessary and de-identification: Favor summary health information or de-identified data for procurement and premium-setting activities.
  • Workers’ Compensation Exemption: Disclosures for work-related injuries may be permitted under HIPAA and state workers’ compensation laws, but only as allowed by those rules.

Compliance Implications

Determine your status

  • Map data flows to confirm whether you conduct Electronic Health Information Transactions tied to claims, eligibility, or payments.
  • Identify whether you act as a covered entity, a Business Associate, a hybrid entity, or are excluded.

Operational safeguards

  • Limit collection of PHI unless necessary; prefer de-identified or aggregated data.
  • Execute and manage each Business Associate Agreement; push obligations to subcontractors.
  • Implement role-based access, encryption, audit logging, and incident response.
  • Train staff on what is PHI, when HIPAA applies, and how other laws (FERPA, GLBA, state privacy) fill gaps.

Common pitfalls to avoid

  • Assuming all health-related data is PHI when collected directly from consumers outside a HIPAA context.
  • Relying on the “conduit” theory for tech vendors that actually store or process PHI.
  • Blurring employer HR records with group health plan PHI or using PHI for employment decisions.

Conclusion

HIPAA focuses on health plans, clearinghouses, and certain providers—not every entity that touches health data. By confirming your role, leveraging the right Business Associate Agreements, and aligning with alternative privacy regimes, you can protect individuals and reduce regulatory risk with confidence.

FAQs

What organizations are excluded from HIPAA covered entity status?

Examples include employers (acting as employers), life and disability insurers, many workers’ compensation and auto insurers, schools subject to the Family Educational Rights and Privacy Act, law enforcement and courts, consumer health app developers serving users directly, financial institutions, and research bodies that do not operate as health plans, clearinghouses, or providers conducting standard electronic transactions.

How does HIPAA define a covered entity?

A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits health information electronically in connection with covered transactions (such as claims, eligibility inquiries, referrals, and payment). These entities handle Protected Health Information within the HIPAA framework.

Are employers always covered entities under HIPAA?

No. Employers are typically not covered entities. The employer’s group health plan is a covered entity, but employment records are not PHI. Limited PHI may be shared with the plan sponsor for plan administration under strict conditions set by the HIPAA Privacy Rule.

Can excluded organizations still be subject to HIPAA rules?

Yes. Excluded organizations can become Business Associates if they handle PHI for a covered entity, which triggers contractual and regulatory duties via a Business Associate Agreement. Even when HIPAA does not apply, other laws—such as FERPA, GLBA, or state privacy statutes—may govern the data.
