Covered Entity or Not? Medicare’s Role Under HIPAA, with Examples

Kevin Henry

HIPAA

January 18, 2025

5 minutes read
Medicare as a Covered Entity

Under HIPAA, “covered entities” include three groups: health plans, healthcare providers that conduct standard transactions electronically, and healthcare clearinghouses. Medicare meets the definition of a health plan, so Medicare is a covered entity.

Because Medicare pays for care and processes claims, it creates, receives, and uses protected health information (PHI). Much of this activity involves electronic health information transmission—for example, eligibility checks, claims submissions, and remittance advice—bringing both the Privacy Rule and Security Rule into play.

In practice, this means Medicare must limit how it uses and discloses PHI, safeguard electronic PHI (ePHI), and honor individual privacy rights granted by HIPAA.

Medicare's Role in HIPAA Compliance

As a covered entity, Medicare’s responsibilities focus on Privacy Rule compliance, information security, and standardized transactions. In plain terms, here is what that looks like:

  • Use and disclosure limits: Medicare may use or disclose PHI for treatment, payment, and healthcare operations without authorization, but must apply the minimum necessary standard whenever feasible.
  • Individual rights: Beneficiaries have rights to access and obtain copies of their PHI, request amendments, ask for restrictions, receive confidential communications, and obtain an accounting of certain disclosures.
  • Security safeguards: Medicare must protect ePHI with administrative, physical, and technical measures such as risk analysis, workforce training, access controls, and incident response.
  • Business associate management: Vendors that handle PHI on Medicare’s behalf must sign business associate agreements that set required privacy and security controls.
  • Breach response: If an incident compromises unsecured PHI, Medicare must follow HIPAA Breach Notification Rule requirements and inform affected individuals and regulators, as applicable.
  • Standard transactions: For electronic health information transmission, Medicare follows HIPAA transaction and code set standards to support interoperable claims, eligibility, and remittance processes.

While Medicare must comply, HIPAA enforcement rests primarily with the federal civil rights regulator, and Medicare cooperates with oversight as needed.

Medicare's Notice of Privacy Practices

As a health plan, Medicare must provide a Notice of Privacy Practices (NPP). This notice explains how PHI may be used and disclosed, your rights, and how to contact the plan about privacy concerns.

In clear terms, the NPP typically covers:

  • Permitted uses and disclosures, including treatment, payment, and healthcare operations.
  • Your rights to access, receive copies, request corrections, and ask for restrictions or confidential communications.
  • How to file a complaint if you believe your privacy rights have been violated.
  • Plan duties to maintain Privacy Rule compliance and safeguard PHI.

Medicare distributes the NPP to enrollees, posts it for easy access, and updates it when material changes occur so beneficiaries understand how their PHI is handled.

Medicare Advantage Plans as Covered Entities

Medicare Advantage plans are private health plans that contract with Medicare to deliver Part C (and often Part D) benefits. Because they are health plans, Medicare Advantage organizations are also covered entities under HIPAA.

That means each Medicare Advantage plan must independently implement Privacy Rule compliance and Security Rule safeguards, issue its own Notice of Privacy Practices, manage business associates, and honor member rights. These plans may share PHI with Medicare for permitted purposes—such as payment and healthcare operations—while still maintaining their own compliance obligations.

Examples of Covered Entities under HIPAA

Covered entities fall into three categories. Here are practical examples you can recognize:

  • Health plans: Medicare (Parts A, B, C, and D), Medicaid, Children’s Health Insurance Program (CHIP), Medicare Advantage plans, Part D prescription drug plan sponsors, employer-sponsored group health plans, commercial insurers, and HMOs.
  • Healthcare providers: Hospitals, physicians, clinics, dentists, pharmacies, laboratories, durable medical equipment suppliers, skilled nursing facilities, and home health agencies—when they conduct standard transactions electronically.
  • Healthcare clearinghouses: Organizations that translate nonstandard health data into standard formats (and vice versa) to support electronic health information transmission between providers and health plans.

Conclusion

Medicare is a covered entity because it is a health plan under HIPAA. As such, it must safeguard protected health information (PHI), comply with the Privacy Rule, secure ePHI, and provide a clear Notice of Privacy Practices. Medicare Advantage plans are covered entities too, with parallel obligations. Understanding how these entities operate helps you better navigate your rights and how your information is protected.

FAQs

Is Medicare considered a covered entity under HIPAA?

Yes. Medicare is a health plan, and health plans are covered entities under HIPAA. As a result, Medicare must follow the Privacy Rule, Security Rule, and related requirements when handling PHI.

What responsibilities does Medicare have under the HIPAA Privacy Rule?

Medicare must limit uses and disclosures of PHI, honor beneficiary rights (access, copies, corrections, restrictions, and more), apply the minimum necessary standard, manage business associates, issue an NPP, and respond appropriately to privacy incidents.

Do Medicare Advantage Plans follow HIPAA regulations separately?

Yes. Medicare Advantage organizations are covered entities in their own right. Each plan maintains its own HIPAA compliance program, Notice of Privacy Practices, security safeguards, and vendor oversight, even while coordinating with Medicare.

How does Medicare inform beneficiaries about their privacy rights?

Medicare provides a Notice of Privacy Practices that explains how PHI is used, your rights, and how to get help or file complaints. The notice is shared with enrollees and updated when policies change so you stay informed.
