Covered Entities vs. Non‑Covered Parties Under HIPAA: A Practical Guide


Kevin Henry

HIPAA

January 11, 2025

8 minutes read

Definitions of Covered Entities

Under HIPAA, a covered entity is directly subject to the Privacy, Security, and Breach Notification Rules. Health plans and health care clearinghouses are covered entities because of what they are; health care providers are covered entities because of what they do, specifically whether they transmit health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility inquiries, referrals, payments, and similar transactions). The page refers to that trigger as Electronic Health Information Transmission.

Health Plans

Health plans include insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans. The plan itself is the covered entity, not the employer sponsoring it. One narrow exclusion: a group health plan with fewer than 50 participants that the employer administers entirely on its own is not a health plan under HIPAA’s definition. As a plan, you must implement HIPAA Compliance controls and protect members’ Protected Health Information (PHI).

Health Care Providers

Providers become covered entities when they transmit health information electronically in connection with standard transactions. This includes physicians, clinics, dentists, pharmacies, labs, and telehealth providers that bill or check eligibility electronically. A provider that bills only on paper or takes only direct payment is not a covered entity, although few operate that way today. Once a provider is covered, HIPAA applies to all of the PHI it holds, not only the data in those electronic transactions.

Health Care Clearinghouses

Health Care Clearinghouses process nonstandard health data into standard formats or vice versa. If you translate claims data between nonstandard and standard formats on behalf of providers and plans, you are a covered entity even if you never treat patients directly. Merely carrying the data unchanged does not make you a clearinghouse.

Electronic Health Information Transmission

Electronic Health Information Transmission is the operational trigger for providers. The standard transactions are the HHS-adopted X12 formats such as the 837 claim, the 835 remittance advice, the 270/271 eligibility inquiry and response, and the 278 prior authorization request. Sending even one of these electronically, directly or through a billing service or clearinghouse acting on your behalf, brings you under HIPAA, and from then on the Privacy and Security safeguards cover all of your PHI, not just the transaction data.

Categories of Non-Covered Entities

Many organizations handle health-related data but are not covered entities. Your status turns on legal role and data flows, not on whether information seems “medical.”

Employers (in their employer role)

Employers acting as employers are generally not covered entities. However, the employer’s group health plan is covered, and plan PHI must be walled off from routine HR uses. The plan may disclose PHI to the employer as plan sponsor only for plan administration functions, and only after the plan documents have been amended to restrict the sponsor’s use of the data and the sponsor has certified that it will protect it.

Life, Disability, and Workers’ Compensation Insurers

These organizations are typically not covered entities. They may receive PHI under an individual’s authorization or under specific laws (workers’ compensation disclosures, for example, are expressly permitted by the Privacy Rule). In those cases HIPAA governs the covered entity that makes the disclosure, not the insurer that receives the data.

Schools and Student Health Records

Schools and districts are usually not covered entities. At schools subject to FERPA, student health records are education records governed by FERPA, and HIPAA’s definition of PHI expressly excludes those records. A school clinic that bills electronically may be a covered provider for those clinic operations.

Consumer Apps, Wearables, and Personal Health Record Tools

Fitness trackers, diet apps, and many personal health record tools are not covered entities. Unless they serve a covered entity under a Business Associate Agreement, HIPAA typically does not apply to them. Many of these products instead fall under the FTC’s Health Breach Notification Rule and the FTC Act’s prohibition on unfair or deceptive practices.

Technology Vendors Without a HIPAA Role

General-purpose platforms that do not create, receive, maintain, or transmit PHI for a covered entity are not covered. The narrow “conduit” concept applies only to truly transient transmission, such as an ISP or a courier, not to routine storage or processing. HHS guidance makes the point explicitly for cloud providers: a cloud service that stores ePHI is a business associate even when the data is encrypted and the provider never holds the decryption key.

Role of Business Associates

Business associates (BAs) are vendors or partners that create, receive, maintain, or transmit PHI for a covered entity or another BA. If you handle PHI on their behalf, you are a BA with direct HIPAA responsibilities.

What Makes an Entity a Business Associate

You are a BA if you perform a function or activity involving PHI on behalf of a covered entity, such as claims processing, billing, data analysis, utilization review, or quality assurance, or if you provide legal, actuarial, accounting, consulting, data aggregation, management, cloud hosting, or EHR support services that require access to PHI. Both onshore and offshore subcontractors can be BAs.

Business Associate Agreement Essentials

A Business Associate Agreement defines permitted uses and disclosures, mandates safeguards, requires reporting of security incidents and breaches, obligates the BA to support individuals’ access, amendment, and accounting-of-disclosures rights, makes the BA’s books and records available to HHS, and requires return or destruction of PHI at termination where feasible. It must flow down to subcontractors so that each tier is bound by equivalent protections.

Security, Privacy, and Liability

BAs must meet Security Rule requirements for ePHI and relevant Privacy Rule obligations. They must conduct risk analyses, implement controls, and report incidents promptly. Regulators can enforce directly against BAs for violations.

Characteristics of Hybrid Entities

A hybrid entity is a single legal organization that performs both covered and non-covered functions. You may elect a Hybrid Entity Designation to limit HIPAA duties to designated health care components.

Designating Covered Components

You must formally identify and document the health care components (for example, a university hospital within a university). The designation must include every component that would be a covered entity or a business associate if it were a separate legal entity, and may include support units such as IT or legal that need PHI to serve the covered components. Only those components are bound by HIPAA for covered functions.

Boundaries and Firewalls

Hybrid entities must implement administrative, technical, and physical barriers so non-covered components do not improperly access PHI. Workforce members may need role-based access, training, and data-sharing restrictions.

Covered Functions Safeguards

Apply Covered Functions Safeguards to the designated components: minimum necessary access, audit logging, encryption for ePHI, vendor oversight, and incident response. Document how PHI stays within the covered perimeter.

Common Examples

Typical hybrids include universities with medical centers, city governments with employee clinics, and retailers with in-store pharmacies. Each must clearly mark and protect covered components.


HIPAA Compliance Requirements

HIPAA Compliance rests on three pillars: the Privacy Rule, Security Rule, and Breach Notification Rule. Together, they govern PHI stewardship across policies, technology, and people.

Privacy Rule: Use, Disclosure, and Individual Rights

Use and disclose PHI for treatment, payment, and health care operations, and otherwise only with authorization or a recognized exception. Provide a Notice of Privacy Practices, honor access and amendment rights, and apply the minimum necessary standard.

Security Rule: Administrative, Physical, and Technical Controls

Conduct a risk analysis; designate a security official; train your workforce; and manage vendors. Control facility and device access, and implement technical safeguards such as unique user IDs, access controls, audit logs, integrity protections, and encryption for data in transit and at rest. Encryption is an “addressable” specification in the Security Rule: you must either implement it or document why an equivalent alternative is reasonable and appropriate, and in practice it is also what keeps lost or stolen data from counting as a reportable breach of unsecured PHI.

Breach Notification and Incident Response

Evaluate security incidents, determine whether unsecured PHI was compromised, and notify affected parties and regulators as required. An impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; breaches affecting 500 or more individuals must be reported to HHS at the same time and to prominent media in the affected state, while smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. Maintain a tested incident response plan and document every step and decision.

Documentation, Training, and Retention

Keep policies current, record risk assessments and mitigation, track training, and retain required HIPAA documentation for six years from its creation or the date it was last in effect, whichever is later. Medical record retention periods are set separately by state law. Review Business Associate Agreements regularly and align them with operational reality.

Handling Protected Health Information

Protected Health Information (PHI) is individually identifiable health information relating to a person’s health, care, or payment for care. The Privacy Rule covers PHI in any form; the Security Rule applies specifically to PHI in electronic form (ePHI).

Minimum Necessary and Permitted Purposes

Limit PHI access to the minimum necessary for the task. Use or disclose PHI for treatment, payment, and operations; obtain authorization for other purposes unless an exception applies, such as certain public health or law enforcement needs.

De-Identification and Limited Data Sets

De-identified data is not PHI. HIPAA recognizes two methods: Safe Harbor, which removes 18 listed identifiers (names, sub-state geography except the first three ZIP digits, dates other than year, ages over 89, contact details, record and account numbers, device and network identifiers, biometrics, photos, and any other unique code) and requires that you have no actual knowledge the remainder could identify the person; and Expert Determination, in which a qualified expert documents that the re-identification risk is very small. A limited data set removes 16 direct identifiers but may keep dates, city, state, and ZIP code; it is still PHI, so it may be used only for research, public health, or health care operations under a data use agreement.
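To make the two transformations concrete, here is an added Python example written for this article (not code from Accountable or from any HIPAA tool) that applies either Safe Harbor or the limited-data-set rules to a flat patient record. The field names, the sample record, and its data are assumptions constructed for the example; the restricted three-digit ZIP prefix list is the one published in HHS’s Safe Harbor guidance, which is based on 2000 Census figures. It also shows the Safe Harbor edge case that a birth year must go when the age exceeds 89, since the year alone would reveal that age.

```python
"""Safe Harbor de-identification vs. limited data set (illustrative code).

Field names, the sample record, and its values are assumptions made for this
example, not a standard schema or real data.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# The 16 direct identifiers that both Safe Harbor and a limited data set remove.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
})

# Safe Harbor additionally drops geography smaller than a state (the 3-digit
# ZIP prefix is the one exception) and reduces dates to the year.
SUB_STATE_GEO = frozenset({"city", "county"})
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})

# 3-digit ZIP prefixes covering 20,000 or fewer people per HHS Safe Harbor
# guidance (2000 Census). Refresh against current census data before relying on it.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
})


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is sparsely populated."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single bucket '90+'."""
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict[str, Any], mode: str = "safe_harbor") -> dict[str, Any]:
    """Return a transformed copy of `record`.

    mode="safe_harbor": strip the Safe Harbor identifiers; dates become years,
    ZIP becomes a 3-digit prefix, ages over 89 become '90+'.
    mode="limited_data_set": strip only the 16 direct identifiers and keep
    dates, city/state/ZIP and age (the result is still PHI and needs a DUA).
    Unknown fields pass through, so the schema must be reviewed for any other
    unique code that the Safe Harbor catch-all would require removing.
    """
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode: {mode}")

    # An age over 89 makes the birth year identifying on its own, so drop it too.
    over_89 = isinstance(record.get("age"), int) and record["age"] >= 90
    out: dict[str, Any] = {}

    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if mode == "limited_data_set":
            out[key] = value
            continue
        if key in SUB_STATE_GEO:
            continue
        if key == "zip":
            out[key] = generalize_zip(str(value))
        elif key == "age":
            out[key] = generalize_age(int(value))
        elif key in DATE_FIELDS and isinstance(value, date):
            if key == "birth_date" and over_89:
                continue
            out[key] = str(value.year)
        else:
            out[key] = value
    return out


# Constructed, fictitious sample record for demonstration.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Example",
    "mrn": "MRN-000123",
    "street_address": "1 Example Way",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704-1234",
    "phone": "555-0100",
    "birth_date": date(1931, 5, 2),
    "admission_date": date(2024, 11, 3),
    "age": 93,
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD, mode="limited_data_set"))
```

Run on the sample record, Safe Harbor mode keeps only the state, the ZIP prefix 627, the admission year, the age bucket “90+”, and the diagnosis code, while limited-data-set mode keeps the full dates, city, ZIP, and age and removes only the direct identifiers. Note what the code does not do: it cannot satisfy the “no actual knowledge” condition, and any field it passes through unchanged (a study ID, a rare diagnosis in a small population) still needs a human or an expert to judge whether it re-identifies the patient.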

Electronic Health Information Transmission Safeguards

Protect ePHI with encryption, strong authentication, and secure transport. Use vetted vendors under appropriate Business Associate Agreements, monitor access, and maintain audit trails for systems that store or transmit ePHI.

Retention and Disposal

Follow retention schedules and securely dispose of PHI using shredding, wiping, or destruction of media. HHS guidance points to NIST SP 800-88 for media sanitization, and media sanitized or destroyed to that standard does not count as unsecured PHI if it is later lost. Keep inventories of systems and media to ensure nothing containing PHI is overlooked.

Distinctions Between Covered and Non-Covered Parties

Covered entities and business associates must implement HIPAA programs and are subject to enforcement. Non-covered parties are not bound by HIPAA but may face other federal or state rules, such as the FTC’s Health Breach Notification Rule, state consumer health data laws, contracts, or general consumer protection laws.

Operational Responsibilities

Covered entities must provide notices, manage access requests, and maintain safeguards across all workflows. Non-covered organizations should still adopt strong security and transparency, especially when handling sensitive health-related data.

Vendor Classification Decision Points

Ask three questions: Do you perform a function for a covered entity? Do you create, receive, maintain, or transmit PHI for that function? Is your role more than a purely transient conduit? If yes, you are likely a business associate.

Individual Rights Context

HIPAA access and amendment rights apply to PHI held by covered entities (and sometimes by their BAs acting on their behalf). Consumer apps outside HIPAA may offer different rights defined by their privacy notices or other laws.

Practical Checklist

  • Map data flows to identify PHI, ePHI, and where they reside or move.
  • Confirm covered entity, business associate, or hybrid status in writing.
  • Execute and maintain accurate Business Associate Agreements with all relevant vendors.
  • Implement Covered Functions Safeguards and minimum necessary access.
  • Test incident response and breach notification procedures regularly.

In practice, knowing your role—covered entity, business associate, hybrid, or non-covered—lets you apply the right safeguards, contracts, and workflows. This clarity reduces risk and strengthens trust in every data exchange.

FAQs

What entities qualify as covered entities under HIPAA?

Covered entities include health plans, Health Care Clearinghouses, and health care providers that transmit health information electronically in standard transactions. Examples include insurers and group health plans, billing providers that submit electronic claims, and clearinghouses that convert data formats for claims processing.

What is the role of business associates in HIPAA compliance?

Business associates handle PHI for or on behalf of a covered entity. They must sign a Business Associate Agreement, implement Security Rule safeguards for ePHI, follow applicable Privacy Rule requirements, flow down obligations to subcontractors, and report incidents or breaches promptly to the covered entity.

How are hybrid entities managed under HIPAA?

Organizations with both covered and non-covered operations can elect a Hybrid Entity Designation. They must identify covered components, segregate PHI, implement Covered Functions Safeguards, train applicable staff, and ensure vendors serving those components operate under the proper Business Associate Agreements.

Are employers considered covered entities under HIPAA?

Employers acting as employers are not covered entities. However, their group health plans are covered entities, and the plan’s PHI must be protected and used only for plan administration, with strict separation from general HR or employment decisions.
