Covered Entity Definition (HIPAA): What It Means and Who’s Included
Health Plan Classification
Under the Health Insurance Portability and Accountability Act, a health plan is any individual or group plan that provides or pays the cost of medical care. In HIPAA terms, the “covered entity” is the plan itself, not the employer sponsoring it.
Common covered health plans include commercial health insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans such as PPOs and self-funded arrangements. Government programs that pay for health care, like TRICARE and certain state programs, are also health plans.
Some arrangements that pay for limited medical benefits may be outside HIPAA’s scope or be treated as excepted benefits. Workers’ compensation, auto liability, and other property-and-casualty programs generally are not health plans, even when they pay medical expenses connected to a claim.
If an employer sponsors a group health plan, the plan is the covered entity, while the employer is not—unless the employer performs plan administration with access to Protected Health Information and follows HIPAA’s required plan-sponsor safeguards.
Health Care Clearinghouse Role
A health care clearinghouse is a public or private entity that transforms nonstandard health information into standard formats—or the reverse—for Electronic Health Transactions. Clearinghouses sit between providers and health plans to perform data standardization and translation so claims, eligibility checks, and remittances flow consistently.
Examples include medical billing services, repricing organizations, and community health information systems that convert or edit transactions. Because they routinely handle Protected Health Information, clearinghouses are covered entities in their own right, even when they also act as a business associate for a provider or plan.
Clearinghouses must comply with the Privacy Rule and Security Rule, implement robust safeguards for electronic PHI, and ensure that the standard transaction content is preserved during translation.
Health Care Provider Criteria
A health care provider becomes a HIPAA covered entity if it transmits any health information electronically in connection with a standard transaction adopted by HHS, such as submitting claims, checking eligibility, obtaining prior authorization, or receiving electronic remittance advice.
The definition covers both individuals and organizations: physicians, dentists, pharmacies, clinical laboratories, hospitals, durable medical equipment suppliers, therapists, and many others. Using an EHR alone does not determine coverage; the trigger is engaging in electronic standard transactions.
Providers that rely solely on paper mail, fax, or phone for these transactions may fall outside the covered entity definition. In practice, most modern providers conduct at least one standard transaction electronically and therefore are covered entities with full HIPAA obligations.
HIPAA Compliance Requirements
Covered entities must implement the Administrative Simplification standards, which include using standard transactions and code sets, adopting the National Provider Identifier, and following rules for data content and format. These measures support interoperability and reduce administrative friction.
Privacy and security compliance involves policies, workforce training, and documentation. You must designate a privacy official and a security official, apply the minimum necessary standard to uses and disclosures (except for treatment), and maintain written policies and procedures for at least six years from their effective date.
Business Associate Agreements are required before sharing PHI with vendors that create, receive, maintain, or transmit PHI on your behalf. You must also provide a Notice of Privacy Practices when applicable, manage individual rights requests, and follow the Breach Notification requirements if unsecured PHI is compromised.
Risk management is continuous. Conduct periodic risk analyses, address identified gaps, monitor logs where reasonable and appropriate, and review access rights to keep PHI exposure aligned with job duties and Health Care Operations needs.
Privacy Rule Overview
The Privacy Rule governs how covered entities use and disclose PHI and grants individuals specific rights. PHI may be used or disclosed without authorization for treatment, payment, and health care operations, as well as for certain public interest purposes defined by HIPAA.
Outside these purposes, you generally need a valid authorization. Apply the minimum necessary standard for payment and operations disclosures and for most non-routine requests. The standard does not apply to disclosures for treatment.
Individuals have rights to access and obtain copies of their PHI, request amendments, receive an accounting of certain disclosures, request restrictions, and ask for confidential communications. You must respond within required timeframes and document your decisions.
Security Rule Implementation
The Security Rule focuses on electronic PHI and requires administrative, physical, and technical safeguards. Administrative safeguards include risk analysis, risk management, workforce training, sanction policies, and contingency planning for backups, disaster recovery, and emergency operations.
Physical safeguards address facility access, device and media controls, and workstation security. Technical safeguards cover access controls, unique user identification, audit controls, integrity protections, authentication, and transmission security.
Some specifications are “required,” while others are “addressable.” Addressable does not mean optional; you must implement them if reasonable and appropriate, or document equivalent alternative measures. Strong encryption for data in transit and at rest is widely considered a best practice for reducing breach risk.
Examples of Covered Entities
Typical covered entities include hospitals and health systems, physician practices, dental offices, pharmacies, clinical laboratories, imaging centers, home health agencies, and behavioral health providers that submit electronic claims or eligibility checks. Durable medical equipment suppliers and telehealth providers are covered when they conduct standard electronic transactions.
On the plan side, commercial insurers, HMOs, Medicare, Medicaid, Medicare Advantage plans, and employer-sponsored group health plans are covered entities. Health care clearinghouses that convert or edit transactions are covered entities as well, regardless of whether they also serve as business associates.
Conclusion
In HIPAA, “covered entity” means a health plan, a health care clearinghouse, or a health care provider that conducts standard Electronic Health Transactions. Knowing where you fit determines which Privacy Rule and Security Rule obligations apply, how you manage Protected Health Information, and how you structure your policies, safeguards, and vendor relationships to support compliant Health Care Operations.
FAQs
What entities are considered covered entities under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. This includes insurers and group health plans, clearinghouses that standardize data, and providers such as hospitals, physicians, dentists, pharmacies, and labs that submit electronic claims or eligibility inquiries.
What are the compliance responsibilities of a covered entity?
Core responsibilities include following the Privacy Rule and Security Rule, using standard transactions and code sets, designating privacy and security officials, training the workforce, applying the minimum necessary standard, honoring individual rights (access, amendment, accounting, restrictions, and confidential communications), executing Business Associate Agreements, maintaining documentation for at least six years, and issuing breach notifications when required.
How does a health care clearinghouse differ from a health care provider?
A clearinghouse converts nonstandard health information into standard formats (and vice versa) to support Electronic Health Transactions and data standardization. A provider delivers medical care and becomes a covered entity when it conducts standard transactions electronically. Both can handle PHI, but their roles—data translation versus direct care—are different.
What are the consequences of non-compliance for covered entities?
Consequences can include corrective action plans, civil monetary penalties, and reputational damage. Significant breaches may trigger extensive notification duties and operational disruption. Regulators consider factors such as the nature of the violation, the harm caused, and whether the entity demonstrated due diligence through documented policies, risk analyses, safeguards, and timely remediation.