Do You Operate as a HIPAA Covered Entity? A Practical Guide

Kevin Henry

HIPAA

December 29, 2024

5 minute read

Definition of HIPAA Covered Entities

Under U.S. law, a HIPAA covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with HIPAA-covered transactions. These transactions include routine billing and administrative exchanges standardized under the administrative simplification rules.

Covered entities create, receive, maintain, or transmit protected health information (PHI) and electronic PHI, so they must protect health information privacy while enabling permitted uses and disclosures. Organizations that handle PHI only on behalf of a covered entity are typically business associates, not covered entities themselves.

Categories of Covered Entities

  • Health plans: Insurers and group health plans that pay for medical care, including many employer-sponsored plans and public programs.
  • Health care clearinghouses: Intermediaries that convert nonstandard health information into standard formats (and vice versa) for billing and other HIPAA-covered transactions.
  • Health care providers: Individuals and organizations that furnish, bill, or are paid for health care and transmit any HIPAA-covered transactions electronically.

Health Plans Under HIPAA

Health plans include health insurance issuers, HMOs, Medicare, Medicaid, Medicare Advantage and Part D sponsors, and most employer group health plans. Dental, vision, and prescription drug benefits typically fall within scope when offered as part of a plan that pays for care.

Certain arrangements are commonly outside scope, such as workers’ compensation policies, many accident-only or disability policies, and some small, self-administered group health plans. The employer entity itself is not a covered entity; the group health plan is.

Roles of Health Care Clearinghouses

Health care clearinghouses receive health information from providers or plans and standardize it to HIPAA transaction formats or translate it back to nonstandard formats as requested. They support claim submission, eligibility and benefits inquiries, remittance advice, and electronic funds transfers by performing format conversion, data validation, and routing.

Because clearinghouses handle large volumes of PHI, they must implement robust safeguards, follow the minimum necessary standard, and ensure their services do not alter clinical content while enabling compliant data exchange.

Health Care Providers’ Responsibilities

A provider is a covered entity if it conducts electronic HIPAA-covered transactions such as claims, eligibility checks, prior authorization, or claim status inquiries. This includes physicians, dentists, therapists, hospitals, clinics, pharmacies, laboratories, home health agencies, and telehealth practices.

  • Adopt and use standard transactions and code sets and obtain an NPI for identification.
  • Issue a clear Notice of Privacy Practices and honor patients’ rights of access, amendment, and accounting of disclosures.
  • Implement administrative, physical, and technical safeguards to protect ePHI, including access controls, encryption where appropriate, and audit logging.
  • Execute business associate agreements with vendors that create, receive, maintain, or transmit PHI on your behalf (for example, billing companies, EHR hosting providers).
  • Align electronic health records compliance with HIPAA Security Rule requirements and maintain policies for risk management, incident response, and workforce training.

Compliance Requirements for Covered Entities

  • Privacy Rule: Limit uses and disclosures to permitted purposes, apply the minimum necessary standard, and protect health information privacy across your operations.
  • Security Rule: Perform an ongoing risk analysis and implement risk-based safeguards for ePHI (access management, transmission security, device/media controls, contingency planning).
  • Breach Notification Rule: Detect, investigate, and document incidents; notify affected individuals and regulators when a breach of unsecured PHI occurs.
  • Administrative simplification standards: Use HIPAA standard transactions, code sets, unique identifiers, and operating rules to streamline HIPAA-covered transactions.
  • Governance and training: Designate privacy and security officials, adopt written policies and procedures, train your workforce, and document compliance activities.
  • Vendor and data lifecycle controls: Manage business associates, define data retention and disposal practices consistent with legal requirements, and track disclosures.

Resources for Covered Entities

  • HHS guidance on covered entities for definitions, scope, and practical examples.
  • CMS decision tool to help determine whether your organization is a covered entity based on transactions and functions.
  • OCR compliance resources covering the Privacy, Security, and Breach Notification Rules.
  • EHR implementation guides that align with HIPAA Security Rule expectations and support secure interoperability.
  • Industry implementation resources that clarify standard transactions, code sets, and operating rules.

Summary

If you are a health plan, a health care clearinghouse, or a health care provider that conducts HIPAA-covered transactions electronically, you operate as a HIPAA covered entity. Your obligations span health information privacy, security safeguards for ePHI, breach response, and adherence to administrative simplification standards. Use authoritative resources, evaluate your workflows, and formalize policies to maintain compliant, trustworthy data practices.

FAQs

What entities qualify as covered entities under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA-covered transactions. Organizations that only handle PHI for a covered entity are typically business associates rather than covered entities.

How does HIPAA define a health care clearinghouse?

A clearinghouse processes health information from another entity into standard HIPAA transaction formats—or from standard into nonstandard formats—so providers and plans can submit claims, check eligibility, receive remittance advice, and conduct related administrative transactions.

What are the compliance obligations for covered entities?

Covered entities must comply with the Privacy, Security, and Breach Notification Rules; use standard transactions and code sets; protect PHI using risk-based safeguards; honor patient rights; train their workforce; and manage business associates through written agreements and oversight.

How can an organization determine if it is a covered entity?

Start with your core functions and billing workflows: if you operate as a health plan or a clearinghouse, or you are a provider that conducts electronic claims or other HIPAA-covered transactions, you are likely a covered entity. Decision aids such as the CMS decision tool and HHS guidance on covered entities can help you confirm your status.
