Are You a HIPAA Covered Entity? Quick Guide with Practical Examples

Kevin Henry

HIPAA

January 21, 2025

7 minutes read

You can usually settle covered entity status with two questions: are you a health plan or a health care clearinghouse (covered by definition, regardless of how you move data), or are you a health care provider that transmits health information electronically in connection with a HIPAA standard transaction such as a claim or an eligibility check? This guide explains how the Health Insurance Portability and Accountability Act (HIPAA) defines covered entities, the three categories involved, and what compliance looks like in practice.

Definition of a HIPAA Covered Entity

Under HIPAA’s Administrative Simplification provisions (45 CFR 160.103), a “covered entity” is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider that transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard (such as claims or eligibility checks). If that’s you, HIPAA’s Privacy, Security, and Breach Notification Rules apply to your handling of PHI and electronic PHI (ePHI).

For providers, covered status is activity-based: a provider becomes a covered entity the moment it conducts a HIPAA standard transaction electronically, whether directly, through a health information exchange, or via a vendor (such as a billing service or clearinghouse) acting on its behalf. Health plans and clearinghouses are covered by definition, whatever their transmission method.

Quick self-check

  • You submit or receive electronic claims, remittances, claim status inquiries, referrals, prior authorizations, or eligibility inquiries, directly or through a vendor acting for you.
  • You use a clearinghouse, billing service, or practice management system to format or route standard transactions on your behalf.
  • You operate a health plan that pays for medical care or administers health benefits.
  • You translate or route standard transactions for other organizations (a clearinghouse).

E-prescribing on its own is not one of the adopted HIPAA transaction standards; it is governed by the separate Medicare Part D e-prescribing standards. In practice the distinction rarely changes the answer, because a practice that e-prescribes almost always also bills or checks eligibility electronically.

Categories of Covered Entities

HIPAA recognizes three categories of covered entities. If you fit any one category, you are a covered entity for HIPAA purposes.

1) Health plans

  • Group health plans and health insurance issuers (commercial insurers, HMOs).
  • Government programs like Medicare, Medicaid, and certain military or veteran health plans.
  • Employer-sponsored group health plans (the plan itself, not the employer) when they pay for or administer medical benefits; a plan with fewer than 50 participants that is administered solely by the employer is excluded from the definition.

2) Health care providers (conducting standard transactions electronically)

  • Physicians, clinics, dentists, chiropractors, therapists, labs, pharmacies, DME suppliers, and hospitals.
  • Telehealth practices and house-call providers that bill or verify eligibility electronically.

3) Health care clearinghouses

  • Entities that translate nonstandard health data into standard HIPAA formats—or the reverse.
  • Switches, repricers, and billing networks that normalize and route transactions.

What’s not a covered entity?

Life insurers, employers (in their role as employers), schools, and workers’ compensation carriers generally are not covered entities. Vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity are “business associates”: since the HITECH Act and the 2013 Omnibus Rule they are directly liable for Security Rule compliance and for the Privacy Rule obligations in their business associate agreements, even though they are not covered entities themselves.

Health Plans as Covered Entities

Health plans finance or administer the cost of medical care and are covered entities by default. Examples include HMOs, PPOs, employer group health plans, Medicare Advantage plans, and Medicaid managed care organizations.

Typical plan activities that trigger HIPAA obligations

  • Processing and paying claims and issuing electronic remittance advice.
  • Responding to eligibility and benefits inquiries from providers or members.
  • Managing referrals and prior authorizations through standard transactions.
  • Exchanging eligibility, authorization, and payment data electronically with network providers and health information exchanges.

Plan sponsors (employers) should keep plan administration functions separate from general employer operations: the Privacy Rule lets a group health plan disclose PHI to its sponsor only under amended plan documents that restrict use to plan administration and bar employment-related decisions. Note that health plans do not hold National Provider Identifiers (the NPI identifies providers, and the separate Health Plan Identifier was rescinded in 2019); a plan’s identifier obligation is to accept the NPI and other required identifiers correctly in the standard transactions it processes.

Role of Health Care Providers

Health care providers become covered entities when they transmit health information electronically in connection with standard transactions. Most modern practices do this through electronic claims, eligibility checks, or claim status inquiries, usually via a practice management system or a clearinghouse.

Practical examples

  • A dentist submits 837 electronic claims and receives 835 remittances—covered entity.
  • A therapist uses a clearinghouse to verify patient eligibility via 270/271—covered entity.
  • A cash-only clinic that never conducts standard transactions electronically is not a covered entity (though state privacy laws may still apply), but it becomes covered the first time it sends an electronic claim or runs an electronic eligibility check, including through a billing vendor.

Covered providers must implement the Privacy, Security, and Breach Notification Rules, safeguard ePHI in EHRs and patient portals, and manage vendors (billing services, telehealth platforms, cloud hosting) with business associate agreements.

Function of Health Care Clearinghouses

Health care clearinghouses are covered entities that convert data between nonstandard formats and HIPAA-standard transactions for plans and providers. They ensure data quality, mapping, and routing so transactions can be accepted and adjudicated.

Common clearinghouse functions

  • Translating batch claims from practice systems into standard 837 formats and returning standardized acknowledgments.
  • Normalizing payer responses (eligibility, claim status, remittance) across multiple carriers.
  • Acting as a hub for Electronic Health Information Exchange of billing-related transactions.

A clearinghouse is usually also a business associate of the providers and plans it serves, so it needs business associate agreements with them and is directly liable under the Security Rule. In its own right it is a covered entity whenever it converts or routes standard transactions.

Electronic Transmission of Health Information

Electronic media includes the internet, extranets, leased lines, dial-up connections, private networks, and movable physical media such as disks and tapes. HIPAA’s definition excludes voice telephone calls and paper-to-paper faxes when the information did not exist in electronic form immediately before transmission. When electronic media carry standard transactions, HIPAA applies to the provider sending or receiving them (plans and clearinghouses are covered regardless).

Examples of HIPAA Covered Transactions

  • Claims: 837 professional, institutional, and dental submissions.
  • Eligibility/benefits inquiry and response: 270/271.
  • Claim status: 276/277.
  • Remittance advice: 835.
  • Referrals/prior authorization: 278.
  • Retail pharmacy drug claims (NCPDP D.0), enrollment and disenrollment (834), premium payment (820), and coordination of benefits (837).

Phone calls and paper mail are not standard transactions. A provider’s status is determined by whether it conducts any standard transaction electronically, even once. If it does, HIPAA’s Privacy and Security Rules govern how it handles all of its PHI, not only the data inside those transactions.

Compliance Requirements for Covered Entities

Covered entities must implement the requirements of the HIPAA rules to protect the privacy of patient data and secure ePHI. These requirements span policies, technology, training, and ongoing governance.

Core rules under Administrative Simplification

  • Privacy Rule: limits uses/disclosures of PHI; grants individual rights (access, amendments, restrictions, accounting).
  • Security Rule: requires administrative, physical, and technical safeguards for ePHI (risk analysis, access controls, encryption, audit logs, contingency plans).
  • Breach Notification Rule: requires a documented risk assessment of impermissible uses or disclosures and notification of affected individuals and HHS (and, for breaches affecting more than 500 residents of a state, prominent media) without unreasonable delay and no later than 60 days after discovery.
  • Transactions, Code Sets, and Identifiers: use of standard formats and identifiers (e.g., the NPI for providers) in HIPAA standard transactions.

Operational expectations

  • Assign a privacy official and a security official; document roles and oversight.
  • Conduct a comprehensive risk analysis; implement risk management and periodic reassessments.
  • Publish a Notice of Privacy Practices and apply the minimum necessary standard.
  • Train workforce members; enforce sanctions; maintain policies and documentation for the required retention period (six years from creation or from the date last in effect, whichever is later).
  • Execute business associate agreements with vendors that create, receive, maintain, or transmit PHI for you.

Practical first steps

  • Inventory PHI and ePHI flows across EHRs, claims systems, portals, and data feeds.
  • Harden access with least privilege, multi-factor authentication, encryption of ePHI at rest and in transit, and patch management. Encryption is an “addressable” specification under the Security Rule, which means you implement it or document why an equivalent alternative is reasonable; it does not mean optional.
  • Test incident response, backup, and disaster recovery procedures.
  • Validate that all transactions use the correct standard formats and identifiers.
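The inventory and format-validation steps above, together with the transaction identifiers listed under “Examples of HIPAA Covered Transactions”, can be made concrete with a small classifier that tells you whether a captured payload is a HIPAA standard transaction at all. The following Python is an added example written for this page, not code from the article or its author. It assumes the ASC X12 envelope layout these transactions use (a fixed-width 106-character ISA segment that declares the element separator in its fourth character and the segment terminator in its last, followed by GS and ST segments), which the page does not describe; the sample interchanges are constructed and truncated to the envelope, and the ST01-to-name table is the list from this page.

```python
"""Identify HIPAA standard transaction sets inside ASC X12 interchanges.

Added example, not from the original article. Assumptions: the ASC X12
envelope (ISA/GS/ST segments) and the 5010 implementation-guide IDs in GS08;
all sample payloads below are constructed for the demo.
"""

# ST01 transaction set identifier -> HIPAA standard transaction (from the page)
HIPAA_TRANSACTION_SETS = {
    "837": "Health care claim (professional, institutional, or dental)",
    "270": "Eligibility/benefit inquiry",
    "271": "Eligibility/benefit response",
    "276": "Claim status request",
    "277": "Claim status response",
    "835": "Claim payment / remittance advice",
    "278": "Referral certification and authorization",
}

ISA_LENGTH = 106  # the ISA segment is fixed-width, terminator included


def build_isa(sender: str, receiver: str, control: str = "1") -> str:
    """Construct a 5010 ISA segment: '*' elements, ':' sub-elements, '~' terminator."""
    fields = [
        "ISA", "00", " " * 10, "00", " " * 10,             # ISA01-04: no auth/security info
        "ZZ", sender.ljust(15), "ZZ", receiver.ljust(15),  # ISA05-08: mutually defined IDs, 15 wide
        "230101", "1200", "^", "00501", control.zfill(9),  # ISA09-13: date, time, repetition sep, version, control
        "0", "P", ":",                                     # ISA14-16: no ack requested, production, sub-element sep
    ]
    isa = "*".join(fields) + "~"
    if len(isa) != ISA_LENGTH:
        raise ValueError(f"ISA must be {ISA_LENGTH} chars, got {len(isa)}")
    return isa


def x12_delimiters(interchange: str):
    """Read the element separator and segment terminator from the ISA header.

    Raises ValueError for anything that is not an X12 interchange, so callers can
    tell 'malformed' apart from 'valid X12 with no HIPAA transaction in it'.
    """
    if len(interchange) < ISA_LENGTH or not interchange.startswith("ISA"):
        raise ValueError("not an X12 interchange: missing ISA header")
    return interchange[3], interchange[ISA_LENGTH - 1]


def x12_segments(interchange: str):
    """Yield each segment as a list of elements, using the declared delimiters."""
    element_sep, segment_term = x12_delimiters(interchange)
    for raw in interchange.split(segment_term):
        raw = raw.strip()  # tolerate newlines after the terminator
        if raw:
            yield raw.split(element_sep)


def hipaa_transactions(interchange: str):
    """Return (ST01 code, GS08 implementation guide, HIPAA name or None) per transaction set.

    Unknown codes are kept with name None so an inventory can flag non-HIPAA X12
    traffic (for example 850 purchase orders) instead of silently dropping it.
    """
    found, guide = [], None
    for seg in x12_segments(interchange):
        if seg[0] == "GS" and len(seg) > 8:
            guide = seg[8]  # GS08: e.g. 005010X279A1 for the 270/271 guide
        elif seg[0] == "ST" and len(seg) > 1:
            found.append((seg[1], guide, HIPAA_TRANSACTION_SETS.get(seg[1])))
    return found


def is_standard_transaction(payload: str) -> bool:
    """True when the payload carries at least one HIPAA standard transaction set."""
    try:
        return any(name for _, _, name in hipaa_transactions(payload))
    except ValueError:  # HL7, JSON, free text: not X12, so not a standard transaction
        return False


# Constructed sample: a 270 eligibility inquiry, truncated to envelope and header
# (a real 270 also carries HL/NM1 loops). GS01 'HS' is the 270 functional group.
SAMPLE_270 = (
    build_isa("CLINIC01", "PAYER01")
    + "GS*HS*CLINIC01*PAYER01*20230101*1200*1*X*005010X279A1~"
    + "ST*270*0001*005010X279A1~"
    + "BHT*0022*13*10001234*20230101*1200~"
    + "SE*3*0001~GE*1*1~IEA*1*000000001~"
)
# Constructed non-HIPAA payloads: an HL7 v2 admission message and an X12 850 purchase order.
SAMPLE_HL7 = "MSH|^~\\&|EHR|CLINIC|LAB|LAB|202301011200||ADT^A01|MSG0001|P|2.5\r"
SAMPLE_850 = (
    build_isa("BUYER01", "VENDOR01")
    + "GS*PO*BUYER01*VENDOR01*20230101*1200*2*X*005010~"
    + "ST*850*0001~BEG*00*SA*PO12345**20230101~SE*3*0001~GE*1*2~IEA*1*000000001~"
)

if __name__ == "__main__":
    for label, payload in [("270", SAMPLE_270), ("HL7", SAMPLE_HL7), ("850", SAMPLE_850)]:
        print(label, "HIPAA standard transaction:", is_standard_transaction(payload))
```

Run against files captured from a clearinghouse SFTP drop or an outbound proxy log, this separates the traffic that makes a provider a covered entity (and that must use the adopted formats) from EDI and HL7 flows that carry PHI but are not standard transactions. The delimiter discovery matters in practice because trading partners do not all use `*` and `~`; a classifier that hard-codes them will silently miss interchanges.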

Summary

If you operate a health plan, transform transactions as a clearinghouse, or provide care and conduct standard transactions electronically, you are a HIPAA covered entity. Your obligations center on safeguarding PHI, standardizing transactions, and embedding privacy and security into daily operations.

FAQs

What defines a HIPAA covered entity?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction. Plans and clearinghouses are covered by definition; a provider becomes covered once it performs such a transaction, after which HIPAA’s Privacy, Security, and Breach Notification Rules apply to all of its PHI.

Who qualifies as a health care clearinghouse?

A health care clearinghouse is an organization that converts nonstandard health information into HIPAA-standard transactions—or the reverse—for other entities. Examples include billing networks, switches, and repricers that translate, validate, and route claims, eligibility, remittances, and authorizations.

How do covered entities handle electronic health information?

Covered entities must protect ePHI with administrative, physical, and technical safeguards, use standard formats for HIPAA Covered Transactions, and limit uses and disclosures according to the Privacy Rule. They also manage vendors via business associate agreements and support secure Electronic Health Information Exchange.

What are the compliance responsibilities of covered entities?

Responsibilities include adopting HIPAA Compliance Standards: publish privacy notices, honor patient rights, conduct risk analyses, implement security controls, train staff, manage incidents and breach notifications, execute business associate agreements, and use standardized transactions and identifiers under Administrative Simplification.
