Covered Entity Examples Under HIPAA: Health Plans, Healthcare Providers, and Clearinghouses


Kevin Henry

HIPAA

September 21, 2025

If you work with health data in the United States, knowing whether you are a HIPAA covered entity is foundational. This guide explains covered entity examples under HIPAA across health plans, healthcare providers, and healthcare clearinghouses, how electronic transactions affect your status, and what the Privacy Rule and Security Rule require for Protected Health Information and Electronic Protected Health Information.

Health Plans as Covered Entities

Health plans finance or pay for medical care and are covered entities by default. They create, receive, maintain, and transmit PHI to enroll members, adjudicate claims, and manage benefits—often via HIPAA Covered Transactions.

Common health plan examples

  • Health insurance issuers and HMOs.
  • Employer-sponsored group health plans and multiemployer plans.
  • Government programs such as Medicare, Medicaid, and TRICARE.
  • State and federal employee health benefit programs.

Note: Certain small, self-administered group health plans with fewer than 50 participants may not be covered entities. Always evaluate how the plan is structured and administered before assuming HIPAA applies.

Key implications for plans

  • Issue a Notice of Privacy Practices and honor member rights (access, amendments, and restrictions).
  • Limit use and disclosure under the Privacy Rule’s minimum necessary standard.
  • Implement Security Rule safeguards to protect ePHI across claims, enrollment, and premium-payment workflows.

Healthcare Providers and HIPAA Compliance

Healthcare providers are covered entities when they transmit health information electronically in connection with a HIPAA Covered Transaction (for example, submitting claims or checking eligibility). This is true whether you send transactions directly or through a vendor or billing service on your behalf.

Provider examples

  • Physicians, dentists, therapists, and chiropractors.
  • Hospitals, clinics, ambulatory surgery centers, and urgent care sites.
  • Pharmacies, laboratories, imaging centers, and DME suppliers.
  • Telehealth and virtual care providers using Health Information Technology platforms.

Compliance focus areas

  • Privacy Rule: authorizations when required, minimum necessary, BAAs with service providers, and timely patient access to PHI.
  • Security Rule: risk analysis, access controls, audit logs, device security, and secure transmission of ePHI.
  • Breach readiness: incident response and notification processes aligned with HIPAA requirements.

Some cash-only or paper-only practices that never conduct standard electronic transactions may not be covered entities; however, most modern practices use electronic systems that trigger HIPAA obligations.

Role of Healthcare Clearinghouses

Healthcare clearinghouses convert nonstandard health information they receive from another entity into standard formats (and the reverse). They sit between providers and plans to route and standardize HIPAA transactions.

What clearinghouses typically do

  • Translate, validate, and route claims, remittance advice, eligibility, and claim status transactions.
  • Provide connectivity and editing services that enforce transaction and code-set standards.
  • Support trading partners with testing and error-resolution workflows.

Clearinghouses are covered entities and must protect PHI and ePHI under the Privacy Rule and Security Rule. When they provide services to other organizations, they also execute appropriate business associate agreements to define permitted uses and safeguards.

Electronic Transactions and Covered Entity Status

HIPAA Covered Transactions are standardized electronic data exchanges used to deliver and pay for care. If you conduct these electronically—directly or through a vendor—you are likely a covered entity (if you are a plan, provider, or clearinghouse).

Core HIPAA Covered Transactions

  • Claims and encounter submissions, and coordination of benefits.
  • Eligibility and benefits inquiries and responses.
  • Claim status requests and responses.
  • Referrals and prior authorizations.
  • Payment and remittance advice.
  • Enrollment, disenrollment, and premium payments for health plans.

“Electronic” includes EDI through a clearinghouse, secure file transfers, and payer/provider portals. Using a billing company or vendor to send transactions on your behalf still counts as your transmission for HIPAA purposes.

Determining Covered Entity Eligibility

Quick self-check

  • Are you a health plan that pays for medical care? If yes, you are a covered entity.
  • Do you operate as a healthcare clearinghouse that standardizes health data? If yes, you are a covered entity.
  • Are you a healthcare provider that transmits health information electronically for HIPAA Covered Transactions (even via a vendor)? If yes, you are a covered entity.

Hybrid entities and components

Organizations that perform both covered and non-covered functions can designate “health care components.” HIPAA applies to those components and any shared services handling PHI, helping you limit scope while maintaining appropriate safeguards.

Business associates vs. covered entities

Third parties (IT vendors, billing firms, TPAs) that create, receive, maintain, or transmit PHI for covered entities are business associates. They are not covered entities unless they independently qualify (for example, a clearinghouse). Use business associate agreements to define responsibilities and protect PHI.

Employers, life insurers, workers’ compensation carriers, and schools are generally not covered entities, though an employer-sponsored group health plan is. Distinguish the legal entity that is the plan from the employer that sponsors it.

HIPAA Privacy and Security Requirements

Privacy Rule essentials

  • Limit uses and disclosures of PHI to treatment, payment, and health care operations unless another permission or a valid authorization applies.
  • Honor individual rights: access, amendments, accounting of disclosures, and restrictions where applicable.
  • Publish and distribute a Notice of Privacy Practices and apply the minimum necessary standard.
  • Execute and manage BAAs with vendors that handle PHI.

Security Rule essentials (for ePHI)

  • Perform a risk analysis and implement risk management for ePHI.
  • Apply administrative, physical, and technical safeguards (access controls, unique IDs, audit logs, integrity and transmission protections).
  • Secure Health Information Technology assets: servers, endpoints, mobile devices, cloud services, and APIs.

Breach notification and accountability

  • Maintain incident response, breach assessment, and notification procedures.
  • Train your workforce regularly and document policies, procedures, and Compliance Audits.
  • Monitor vendors and verify controls continuously through risk assessments and remediation.

Compliance Challenges for Covered Entities

Common pitfalls

  • Incomplete data inventories leading to overlooked PHI and ePHI flows.
  • Third-party and cloud risks without robust BAAs or ongoing oversight.
  • Legacy systems that lack encryption, auditability, or modern access controls.
  • Rapid telehealth expansion outpacing Security Rule safeguards.
  • Underestimating documentation needs to demonstrate Privacy Rule and Security Rule compliance.

Practical steps to stay ahead

  • Conduct a current, thorough risk analysis and update it after major changes.
  • Harden identity and access management (least privilege, MFA, session timeouts).
  • Encrypt data in transit and at rest, and maintain reliable backups with recovery testing.
  • Vet vendors, execute strong BAAs, and require evidence of controls and audits.
  • Deliver role-based training and perform internal Compliance Audits to validate effectiveness.

Summary

Covered entities under HIPAA include health plans, healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses. Knowing where you fit—and aligning operations with the Privacy Rule and Security Rule—helps you protect PHI and ePHI, streamline HIPAA Covered Transactions, and confidently pass audits.

FAQs

What qualifies an organization as a HIPAA covered entity?

An organization is a covered entity if it is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with HIPAA Covered Transactions. If a vendor performs those transactions on your behalf, you still qualify.

How do healthcare clearinghouses handle health information?

Clearinghouses convert nonstandard data from providers or plans into standard electronic formats (and back), validate and route transactions, and support error resolution. Because they handle PHI and ePHI, they must meet Privacy Rule and Security Rule requirements.

Are all healthcare providers considered covered entities?

No. A provider becomes a covered entity when it transmits health information electronically for standard HIPAA transactions such as claims, eligibility checks, or remittance. Paper-only or cash-only practices that never conduct these electronic transactions may not qualify.

What are the key HIPAA requirements for covered entities?

Apply the Privacy Rule’s limits on PHI use and disclosure, honor individual rights, and issue a Notice of Privacy Practices. For ePHI, implement Security Rule safeguards through risk analysis, access controls, encryption where appropriate, auditing, training, vendor management, and breach response.
