Covered Entities Under HIPAA: Who They Are, Examples, and Compliance Requirements
Health Plans Definition and Examples
Health plans are covered entities under HIPAA because they provide or pay the cost of medical care. If you sponsor, administer, or issue coverage that funds medical care, the plan itself is subject to HIPAA’s requirements for handling Protected Health Information (PHI).
Common examples include:
- Health insurance issuers and HMOs.
- Employer-sponsored group health plans and self-insured plans.
- Government programs that pay for health care, such as Medicare, Medicaid, and similar public programs.
- Vision or dental plans, prescription drug plans, and long-term care insurers when they pay for medical care.
- Certain supplemental plans and employee assistance programs that provide or pay for medical care.
The employer organization is typically not the covered entity; the group health plan component is. A program that does not provide or pay for medical care is generally not a health plan under HIPAA.
Healthcare Providers Scope
A healthcare provider becomes a covered entity when it transmits health information electronically in connection with standard Electronic Health Transactions. These include claims, eligibility inquiries, prior authorizations, referrals, and payment remittance advice.
Covered providers span a wide range of settings and disciplines, such as:
- Hospitals, clinics, and ambulatory surgery centers.
- Physicians, dentists, chiropractors, podiatrists, and behavioral health professionals.
- Pharmacies, laboratories, imaging centers, and durable medical equipment suppliers.
- Telehealth practices and urgent care centers.
If you never conduct standard Electronic Health Transactions (for example, a cash-only practice that does not submit electronic claims), you may not be a covered provider. The moment you or your billing agent send a standard electronic claim or eligibility check, HIPAA applies.
Healthcare Clearinghouses Role
Healthcare clearinghouses transform nonstandard health information into standard transaction formats and code sets, or perform the reverse translation. Because they standardize data across systems, they are covered entities in their own right, even when they process information on behalf of other covered entities.
Examples include:
- Claims and EDI “switch” networks that translate and route transactions.
- Medical billing services that convert nonstandard data to standard formats.
- Repricing organizations and other intermediaries performing transaction standardization.
Clearinghouses may also serve as business associates when performing additional services, but their core translation function independently makes them covered entities.
Determining Covered Entity Status
Use this quick self-check to determine whether HIPAA treats your organization as a covered entity:
- Do you provide or pay for medical care? If yes, you are likely a health plan.
- Do you furnish health care and transmit information using standard Electronic Health Transactions (claims, eligibility, remittance, prior authorization)? If yes, you are a covered healthcare provider.
- Do you convert health data between nonstandard and standard formats? If yes, you are a healthcare clearinghouse.
- Do you handle PHI on behalf of a covered entity without meeting any of the three definitions above? You are likely a business associate, not a covered entity.
- Are only certain parts of your organization engaged in covered functions? You may designate those components and operate as a hybrid entity.
- Document your determination, including which Electronic Health Transactions you conduct, and review it periodically as your operations evolve.
HIPAA Compliance Requirements
Covered entities must establish a governance framework and implement rules that protect PHI throughout its lifecycle. At a minimum, this means designating leadership, adopting policies, training your workforce, and securing systems that create, receive, maintain, or transmit PHI.
- HIPAA Privacy Rule: Define permitted uses and disclosures, apply the minimum necessary standard, provide a Notice of Privacy Practices, and honor individual rights (access, amendment, and more).
- HIPAA Security Rule: Protect electronic PHI (ePHI) through Administrative Safeguards, Physical Safeguards, and Technical Safeguards, supported by a documented risk analysis and risk management program.
- Breach Notification: Assess potential incidents involving PHI and issue timely notifications to affected individuals and other required parties when a breach occurs.
- Standard Electronic Health Transactions: Use mandated transaction formats and code sets and maintain required identifiers (such as NPIs) when you conduct electronic transactions.
- Governance and Documentation: Perform regular risk assessments, maintain policies and procedures, execute business associate agreements, and retain required documentation for audit readiness.
- Privacy Officer and Security Officer Designation: Assign accountable leaders to oversee compliance, enforce policies, and coordinate corrective actions.
Safeguards for Protected Health Information
Administrative Safeguards
- Conduct a thorough risk analysis of systems and workflows that touch PHI, then implement risk-based controls.
- Define and enforce role-based access, sanction policies, and workforce clearance procedures.
- Establish incident response, contingency planning, backup, and disaster recovery processes.
- Manage vendors through business associate agreements and ongoing oversight.
Physical Safeguards
- Control facility access and monitor visitor entry to areas that store or process PHI.
- Secure workstations and portable devices; lock rooms, enable screen privacy, and restrict unattended access.
- Implement device and media controls for inventorying, re-use, and secure disposal of hardware that stores PHI.
Technical Safeguards
- Enforce unique user IDs, strong authentication, and role-based authorization.
- Encrypt ePHI in transit and at rest where feasible, and apply integrity controls and automatic logoff.
- Enable audit logging, monitoring, and regular review of access and activity.
- Use secure messaging, patch management, and configuration baselines to reduce exposure.
Workforce Training and Policy Implementation
Training is essential to operationalize the HIPAA Privacy Rule and HIPAA Security Rule. Provide onboarding, role-based, and periodic refresher training to anyone who may access PHI, and keep records of completion.
- Privacy Officer and Security Officer Designation: assign responsibility for policy development, risk management, incident handling, and continuous improvement.
- Policies and Procedures: publish clear, accessible rules covering collection, use, disclosure, access rights, device use, remote work, and data retention and disposal.
- Awareness and Culture: reinforce minimum necessary practices, secure handling of PHI, and escalation paths for suspected incidents.
- Vendor and Data-Sharing Oversight: verify business associate agreements and align third parties with your safeguards.
Conclusion
Covered entities under HIPAA include health plans, healthcare providers that conduct standard Electronic Health Transactions, and healthcare clearinghouses. If you meet one of these definitions, implement the HIPAA Privacy Rule and HIPAA Security Rule through robust Administrative Safeguards, Physical Safeguards, and Technical Safeguards, supported by leadership, training, and documented policies, to protect Protected Health Information and maintain compliance.
FAQs
What entities are considered covered under HIPAA?
Covered entities are health plans that pay for medical care, healthcare providers that transmit health information in standard Electronic Health Transactions, and healthcare clearinghouses that convert health data between nonstandard and standard formats. Organizations that handle PHI solely on behalf of covered entities are typically business associates rather than covered entities.
How do healthcare clearinghouses function under HIPAA?
Clearinghouses standardize health data by translating nonstandard information to standard Electronic Health Transactions and vice versa. Because of this core role, they are covered entities in their own right and must meet HIPAA requirements for safeguarding PHI, even when they process data on behalf of other covered entities.
What are the compliance requirements for covered entities?
Covered entities must implement the HIPAA Privacy Rule and HIPAA Security Rule, apply the minimum necessary standard, provide individuals’ rights (such as access), safeguard ePHI with Administrative Safeguards, Physical Safeguards, and Technical Safeguards, notify affected parties after qualifying breaches, use standard Electronic Health Transactions and code sets, designate privacy and security leadership, train the workforce, and maintain documented policies and procedures.
How can an organization determine if it is a covered entity?
Ask whether you pay for medical care (health plan), provide care and conduct standard Electronic Health Transactions (covered healthcare provider), or convert health data to and from standard formats (healthcare clearinghouse). If none apply but you handle PHI for a covered entity, you are likely a business associate. Document your determination and revisit it as your services or transactions change.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.