Are You a Covered Entity Under HIPAA? Quick Eligibility Guide


Kevin Henry

HIPAA

January 05, 2025

6 minutes read
Share this article

Define Covered Entities Under HIPAA

Under HIPAA's Administrative Simplification rules (the definitions at 45 CFR 160.103), a "covered entity" is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider that transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard under 45 CFR Part 162 (a "Standard Transaction"). Note the asymmetry: health plans and clearinghouses are covered entities by definition, while a provider is covered only if it conducts at least one Standard Transaction electronically. If you fall into one of these categories, the HIPAA Privacy, Security and Breach Notification Rules set baseline obligations for your handling of protected health information (PHI).

Quick self-check: if you bill health plans electronically (directly, or through a billing service or clearinghouse that transmits on your behalf), operate a plan that provides or pays for the cost of medical care, or convert health data between nonstandard and standard formats for others, you are likely a covered entity under HIPAA. The determination hinges on the functions you perform, not on your organization's size, revenue, or tax status.

Identify Health Plans as Covered Entities

Health plans are covered entities because they provide or pay for the cost of medical care. The category includes individual and group health insurance issuers, HMOs, employer-sponsored group health plans, Medicare, Medicaid, CHIP, TRICARE, and many other federal or state government programs that pay for health services. Plans covering dental, vision, prescription drugs, or long-term care are included: HIPAA's exclusion for "excepted benefits" reaches only the categories listed in section 2791(c)(1) of the Public Health Service Act, not these limited-scope benefits. The one size-related carve-out is for employer group health plans: a plan with fewer than 50 participants that is administered solely by the employer that established it is not a HIPAA health plan.

Some benefit programs are not health plans for HIPAA purposes. A policy or program is excluded to the extent it provides only the "excepted benefits" listed in section 2791(c)(1) of the Public Health Service Act: accident-only and disability income coverage, liability insurance and supplements to it, workers' compensation or similar insurance, automobile medical-payment insurance, credit-only insurance, and coverage for on-site medical clinics. The distinction turns on whether the arrangement provides or pays for the cost of medical care, not on whether it conducts Standard Transactions; unlike providers, health plans are covered regardless of how they transmit data.

Recognize Health Care Providers Covered by HIPAA

A health care provider becomes a covered entity when it transmits any health information in electronic form in connection with a Standard Transaction. Providers include physicians, clinics, psychologists, dentists, chiropractors, hospitals, nursing homes, laboratories, pharmacies, telehealth practices, and similar practitioners and facilities that furnish, bill, or are paid for health care.

The Standard Transactions adopted in 45 CFR Part 162 include electronic claims and encounter information, eligibility and benefit inquiries and responses, claim status, payment and remittance advice, coordination of benefits, enrollment and disenrollment in a health plan, health plan premium payments, and referral certification and authorization. If you send any of these electronically, even once, you are a covered health care provider. The same is true when a billing service or clearinghouse transmits them on your behalf: the provider is the covered entity, and the vendor is its business associate. Paper does not count: the definition of "electronic media" excludes transmissions such as paper-to-paper faxes and telephone calls, because the information did not exist in electronic form immediately before it was sent.

Understand Health Care Clearinghouses Role

Health care clearinghouses are covered entities that specialize in data standardization. A clearinghouse is a public or private entity that processes health information received from another entity in a nonstandard format or with nonstandard data content into standard data elements or a Standard Transaction, or takes a Standard Transaction and converts it back into nonstandard form for the recipient. The regulation names billing services, repricing companies, community health management information systems, community health information systems, and "value-added" networks and switches as examples, but the conversion function is what matters: a billing service that merely submits a provider's claims without reformatting them is a business associate, not a clearinghouse.

By converting between formats, clearinghouses reduce friction in claims and payment workflows between providers and plans. When a clearinghouse performs these services on behalf of a covered entity it is also that entity's business associate, but its clearinghouse role independently makes it a covered entity in its own right.


Explain Hybrid Entities and Their Designation

A hybrid entity is a single legal entity whose activities include both HIPAA covered functions and non-covered functions (for example, a university that runs a health clinic, or a city government that operates an employee health plan alongside its other services). Such an entity may choose to designate, in writing, the component(s) that perform covered functions as its "health care component(s)" (45 CFR 164.105). The designation must also include any component that would be a business associate if it were a separate legal entity, such as an internal IT or legal department that handles PHI for the clinic.

The legal entity as a whole remains the covered entity and is responsible for compliance, but the Privacy and Security Rule requirements attach to the designated health care component(s), and the entity must prevent improper flows of PHI between those components and the rest of the organization. In practice that means organizational separation (the "firewall" in the rule's sense, not merely a network device): workforce members in the health care component may not disclose PHI to other components in ways the Privacy Rule would prohibit between separate entities, and policies, training, and access controls must enforce that boundary. This ring-fences PHI while letting non-health operations continue without unnecessary HIPAA burden. An entity that does not designate health care components is treated as a covered entity in its entirety.

Clarify Business Associates and Their Relationship

Business associates are not covered entities by virtue of that role. A business associate is a person or organization, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or of another business associate, as a subcontractor). Typical examples include billing companies, EHR and practice-management vendors, cloud hosting providers that store PHI, law firms, consultants, and Health Information Exchange organizations. Entities that merely transport PHI without routinely accessing it, such as the postal service or an internet service provider, fall under HHS's narrow "conduit" exception and are not business associates.

Covered entities must enter into Business Associate Agreements that define permitted uses and disclosures, required safeguards, breach reporting, and the flow-down of the same terms to subcontractors. Since the 2013 Omnibus Rule, business associates and their subcontractors are directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them, independent of what the contract says. A business associate may conduct Standard Transactions or support covered functions, but its status derives from the services it performs on a covered entity's behalf, not from being a health plan, provider, or clearinghouse; an organization that also performs one of those roles is a covered entity for that role and a business associate for the services.

Address Exceptions to Covered Entity Status

Some organizations handle health-related data yet fall outside the covered entity definition. Employers acting in their employer capacity (as distinct from the group health plans they sponsor), life insurers, schools whose student health records are "education records" under FERPA, and law enforcement agencies generally are not covered entities, nor are entities offering only excepted benefits. A health care provider that never conducts a Standard Transaction electronically, for example a cash-only practice or one that submits only paper claims, also falls outside covered status, but only as long as no billing service or clearinghouse transmits those transactions electronically on its behalf. Many of these organizations still become business associates if they handle PHI for a covered entity, and other federal or state laws may apply to the data regardless of HIPAA status.

The transaction standards themselves allow limited flexibility. Under 45 CFR 162.940, an organization may ask the Secretary of HHS for an exception from a standard in order to test a proposed modification, supplying a justification, a description of the test, and an assessment of the expected benefits to efficiency, interoperability, or data quality. Approvals are time-limited (the rule caps them at three years), require evaluation and reporting of results, and change nothing about whether you are a covered entity or about your obligations under the Privacy and Security Rules.

Conclusion

To decide whether you are a covered entity under HIPAA, start with your functions: do you operate a health plan, act as a clearinghouse, or provide care and send any Standard Transaction electronically (directly or through a vendor)? If you are a hybrid, designate your health care component(s) in writing. If you are a vendor that handles PHI for a covered entity, you are a business associate with direct obligations of your own. When in doubt, map your data flows, list every transaction you send or receive electronically, and check each one against the standards in 45 CFR Part 162.

FAQs

What qualifies an organization as a covered entity under HIPAA?

You are a covered entity if you are a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA Standard Transaction (including transactions a billing service or clearinghouse sends on your behalf). The trigger is your role and whether you conduct these transactions, not your size, revenue, or nonprofit status.

How do hybrid entities differ from covered entities?

Hybrid entities perform both HIPAA covered functions and non-covered activities within one legal entity and designate, in writing, the health care component(s) to which the Privacy and Security Rules apply. The legal entity remains the covered entity, but the rules' requirements attach to those components, and the organization must keep PHI from flowing improperly to its non-health components.

What types of health plans are included as covered entities?

Included plans typically encompass individual and group health insurers, HMOs, employer group health plans, Medicare, Medicaid, CHIP, TRICARE, and other government programs that pay for medical care. Programs that provide only "excepted benefits" under section 2791(c)(1) of the Public Health Service Act (such as workers' compensation, accident-only, disability income, or liability coverage) are not HIPAA health plans, and neither is a self-administered employer plan with fewer than 50 participants.

What exceptions exist for covered entity transaction standards?

Covered entities that conduct Standard Transactions must use the adopted standards, but under 45 CFR 162.940 they may request an exception from the Secretary of HHS to test a proposed modification to a standard for a limited time. These approvals are narrowly tailored, require evaluation of outcomes, and do not waive obligations under the Privacy Rule or the Security Rule.
