Covered Entities Under HIPAA: Healthcare Providers, Health Plans, Clearinghouses Explained
Kevin Henry

HIPAA

December 31, 2024

6 minute read

Understanding who HIPAA applies to is the first step in building a compliant privacy and security program. Covered entities under HIPAA include certain healthcare providers, health plans, and healthcare clearinghouses that handle protected health information. This guide clarifies each category, how they interact with business associates, and what “administrative simplification” means for electronic healthcare transactions.

Healthcare Providers Definition

A healthcare provider is any person or organization that furnishes, bills, or is paid for healthcare in the normal course of business. Examples include physicians, hospitals, clinics, dentists, pharmacists, laboratories, therapists, home health agencies, and telehealth practices.

A provider becomes a HIPAA covered entity only if it transmits health information electronically in connection with HIPAA-covered transactions. Using a billing service or clearinghouse to submit claims or verify eligibility counts as electronic transmission for this purpose.

Common provider scenarios

  • If you send claims, eligibility checks, referrals, or claim status inquiries electronically, you are a covered entity.
  • If you never conduct HIPAA-covered transactions electronically (for example, you accept only cash and do not bill plans), HIPAA may not apply to you as a covered entity.
  • Even when not a covered entity, you may handle protected health information and should follow strong privacy practices.

Health Plans Overview

Health plans are individual or group arrangements that provide or pay the cost of medical care. This category includes health insurance issuers, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and many government programs that pay for healthcare.

Employer sponsors are not themselves health plans; the plan is the covered entity. If you administer a group health plan, you must ensure plan operations meet HIPAA compliance standards, including proper separation between employer functions and plan PHI.

Key responsibilities for health plans

  • Adopt and use standard code sets and identifiers under administrative simplification.
  • Limit uses and disclosures of PHI to permitted purposes and minimum necessary.
  • Maintain business associate agreements with TPAs, PBMs, and other vendors handling PHI.

Healthcare Clearinghouses Role

Healthcare clearinghouses process nonstandard health information they receive from another entity into a standard format—or the reverse. They are integral to electronic data interchange, translating data so providers and plans can complete HIPAA-covered transactions efficiently.

Clearinghouses are covered entities in their own right. When they perform services for providers or plans, they may also function as business associates, but their covered-entity obligations still apply to the PHI they create, receive, maintain, or transmit.

Examples of clearinghouse services

  • Format conversion for claims submission and remittance advice.
  • Eligibility and benefit verification routing.
  • Claims editing, repricing, and transaction “switch” services.

Business Associate Relationships

A business associate is a person or organization that performs functions or services for a covered entity involving PHI. Typical business associates include billing companies, cloud and data-hosting providers, EHR vendors, e-fax and email services handling PHI, consultants, and analytics firms.

Covered entities must execute business associate agreements that require appropriate safeguards, breach reporting, and downstream subcontractor compliance. Business associates are directly accountable for many HIPAA obligations and must secure PHI they create, receive, maintain, or transmit.

When vendors become business associates

  • They manage or store PHI (for example, backups, hosting, data warehousing).
  • They perform claims processing, utilization review, or quality reporting.
  • They provide support services where PHI access is routine, not incidental.

HIPAA Compliance Requirements

Covered entities and business associates must meet HIPAA’s core compliance standards: the Privacy Rule, Security Rule, and Breach Notification Rule. Together they govern how you use and disclose PHI, safeguard electronic PHI, and notify affected parties after certain incidents.

Privacy Rule essentials

  • Provide a Notice of Privacy Practices and honor patient rights (access, amendments, and accounting of disclosures).
  • Use and disclose PHI only as permitted and apply the minimum necessary standard.
  • Implement policies, workforce training, and sanctions for violations.

Security Rule safeguards

Breach Notification and documentation

  • Assess incidents for compromise of unsecured PHI and provide required notices.
  • Maintain documentation, including business associate agreements and policies.
  • Review changes to administrative simplification standards that affect transactions and code sets.

Exceptions to Covered Entities

Not every organization that touches health-related data is a covered entity. Employers, life insurers, schools subject to FERPA, law enforcement agencies, and many consumer health apps are typically outside HIPAA unless acting for or on behalf of a covered entity.

Certain insurance products are generally outside the “health plan” definition, such as accident-only, disability income, and liability coverage, workers’ compensation, and automobile medical payment policies. In addition, a self-administered group health plan with fewer than 50 participants is typically not a covered entity.

Practical tip

If your status is unclear, use a covered entity decision tool and map your operations to determine whether you conduct HIPAA-covered transactions. When in doubt, adopt privacy-by-design practices to protect individuals’ information.

Transmission of Health Information

For many providers, covered status hinges on transmitting health information electronically in connection with HIPAA-covered transactions. These standardized transactions streamline billing and payment but also trigger HIPAA obligations.

Common HIPAA-covered transactions

  • Claims and encounter information; claim status; payment and remittance advice.
  • Eligibility inquiries and responses; referrals and prior authorizations.
  • Enrollment and disenrollment in a health plan; premium payments.
  • Coordination of benefits and related electronic healthcare transactions.

Standards that enable administrative simplification

  • Standard identifiers (such as NPI) and standard code sets (for example, ICD-10-CM and CPT/HCPCS).
  • Transaction standards that allow nonstandard data to be translated by clearinghouses.
  • Security requirements that protect PHI during transmission and at rest.

Summary

Covered entities under HIPAA include qualifying healthcare providers, health plans, and clearinghouses engaged in HIPAA-covered transactions. By defining roles, executing business associate agreements, and following clear compliance standards, you can safeguard protected health information while meeting administrative simplification goals.

FAQs

What entities qualify as covered entities under HIPAA?

Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with HIPAA-covered transactions. Many vendors are not covered entities but may be business associates if they handle PHI for a covered entity.

How do healthcare clearinghouses function within HIPAA?

Clearinghouses convert nonstandard health information to standard formats (and vice versa) so providers and plans can complete electronic healthcare transactions. They are covered entities themselves and may also serve as business associates when performing services for others.

What are the key compliance requirements for covered entities?

Implement the Privacy Rule, Security Rule, and Breach Notification Rule; maintain policies, training, and documentation; sign business associate agreements; apply the minimum necessary standard; conduct risk analysis; and secure ePHI through administrative, physical, and technical safeguards aligned with HIPAA compliance standards.

When are health plans excluded from HIPAA coverage?

Insurance arrangements such as accident-only, disability income, liability coverage, workers’ compensation, and automobile medical payment policies are generally not “health plans” under HIPAA. Also, a self-administered group health plan with fewer than 50 participants is typically not a covered entity.
