Examples and Requirements to Identify Covered Entities Under HIPAA Privacy Rule

Kevin Henry

HIPAA

May 11, 2024

6 minutes read
If you create, receive, maintain, or transmit Protected Health Information (PHI), you need a clear way to decide whether you are a “covered entity” under the HIPAA Privacy Rule, a business associate of one, or neither. Handling health information is not by itself what makes you covered; your role is. This guide provides practical examples and requirements so you can classify your organization accurately and strengthen Health Care Compliance without guesswork.

Covered Entities Definition

What “covered entity” means

Under the Privacy Rule, a covered entity is one of three types: a health care provider that transmits health information electronically in connection with a HIPAA standard transaction, a health plan that provides or pays for the cost of medical care, or a health care clearinghouse that converts Nonstandard Health Information into a standard format (or vice versa). Your Privacy Rule obligations attach because you occupy one of these roles, not simply because PHI passes through your systems.

Quick self-check

  • Do you furnish health care and transmit health information electronically in a HIPAA standard transaction (claims, eligibility, remittances, authorizations), directly or through a billing service or clearinghouse acting on your behalf?
  • Do you provide, or pay for the cost of, medical care as a health plan?
  • Do you translate Nonstandard Health Information into standard transactions, or the reverse, for other entities?

If you answer yes to any of these, you are within the covered entity framework and must implement Privacy Rule safeguards and documentation. A further question applies only once you are covered: if a single legal entity performs these Covered Functions alongside non-covered activities (for example, a university that also runs a clinic), you may designate health care components as a hybrid entity, discussed below; if you do not, the whole legal entity is treated as covered.

Health Care Providers Identification

Who qualifies

You are a covered health care provider if you furnish medical or health services and transmit health information electronically in a standard transaction. Examples include physicians, clinics, dentists, psychologists, chiropractors, nursing homes, home health agencies, and pharmacies.

What triggers HIPAA status

Sending claims to a health plan, checking eligibility, obtaining prior authorizations, or receiving electronic remittance advice through the standard formats triggers covered status. Transactions that a billing service or clearinghouse submits on your behalf count as yours. Using paper only, or exchanging health information by ordinary email or fax outside any standard transaction, does not by itself make you covered. Note that once you are covered, the Privacy Rule applies to all of your PHI in any form (electronic, paper, or oral), not only to the transactions that triggered coverage.

Examples

  • Covered: A dental practice that submits electronic claims to an insurer, or whose billing service does so on its behalf.
  • Covered: A pharmacy transmitting claims to plans in the standard format (e-prescriptions alone are not a HIPAA standard transaction, but a pharmacy that bills plans electronically is covered).
  • Not covered (provider role): A cash-only practitioner who never conducts any HIPAA standard electronic transaction, directly or through a third party.

Health Plans Classification

What counts as a health plan

Health plans include group health plans, health insurance issuers, HMOs, employer-sponsored medical plans (insured or self-funded), and government programs that pay for health care (for example, Medicare, Medicaid, TRICARE). If you provide or pay for the cost of medical care, whether by determining eligibility, paying claims, or managing medical benefits, you are within scope.

Small self-administered plan carve-out

A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it is not a health plan under HIPAA and therefore not a covered entity. Once a third party (for example, a third-party administrator or an insurer) administers it, or it reaches 50 participants, HIPAA obligations apply. Count participants, not employees: dependents and former employees enrolled in the plan count toward the threshold.

Excepted Benefits

HIPAA excludes a policy, plan, or program to the extent it provides, or pays for the cost of, the Excepted Benefits listed in section 2791(c)(1) of the Public Health Service Act: accident-only coverage, disability income insurance, liability insurance (including general and automobile liability) and supplements to it, workers’ compensation or similar insurance, automobile medical payment insurance, credit-only insurance, and coverage for on-site medical clinics. Two points trip organizations up. First, the exclusion is “to the extent” of those benefits: an insurer that also writes medical coverage is a health plan for that line of business. Second, the exclusion covers only the first category of excepted benefits; stand-alone dental or vision plans, specified-disease and fixed-indemnity policies are still health plans under HIPAA even though they are “excepted benefits” for other purposes. Review plan documents to confirm the scope of benefits before classifying.

Examples

  • Covered: A self-funded employer medical plan administered by a third-party administrator.
  • Covered: A commercial HMO offering comprehensive medical benefits.
  • Covered: A stand-alone dental or vision plan, because limited-scope dental and vision coverage is not among the benefits HIPAA excludes.
  • Not covered (plan role): An insurer issuing only liability or workers’ compensation policies that are Excepted Benefits.

Health Care Clearinghouses Role

What clearinghouses do

Health care clearinghouses process Nonstandard Health Information from another entity into a standard format, or the reverse. They enable compliant exchange of claims, eligibility, and remittance data between providers and health plans.

Typical entities

  • Billing services that convert a provider’s nonstandard claim files into standard transactions.
  • Repricing companies and value-added networks/switches that translate or route transactions.
  • Community health information systems that standardize inbound or outbound data.

Clearinghouses are covered entities by definition, so they must meet Privacy and Security Rule requirements. In practice a clearinghouse usually handles PHI on behalf of a provider or plan, so it is also a business associate of that customer; in that capacity it may use and disclose the PHI only as its agreement with the customer and the Privacy Rule permit.

Hybrid Entities Designation

When hybrid status applies

A hybrid entity is a single legal entity that is a covered entity, performs Covered Functions (for example, a university health clinic) alongside activities that are not covered (for example, teaching or retail operations), and formally designates its health care components. Designation is elective: if you do not designate, the entire legal entity is treated as a covered entity and every department must comply. If you do designate, you must include every component that would meet the definition of a covered entity if it were a separate legal entity, and you may include components that support them and handle PHI.

Designation requirements

  • Identify and document, in writing, the organizational components that perform Covered Functions, and retain the designation as required by the documentation rules.
  • Implement safeguards to prevent impermissible PHI sharing between the health care components and the rest of the entity; a disclosure from a covered component to a non-covered one is treated like a disclosure to an outside party.
  • Limit workforce access to PHI to those within designated components, with role-based controls, and treat staff who work across the boundary as members of the health care component for the work they do there.
  • Apply policies, training, and risk management to the designated components for Health Care Compliance.

Example

A city government operating an employee health clinic designates the clinic (and shared support units that handle PHI) as health care components. Other city departments remain non-covered components but cannot access PHI unless permitted by HIPAA.

Business Associates Requirements

Who is a business associate

Business associates are persons or organizations, outside the covered entity’s workforce, that create, receive, maintain, or transmit PHI to perform a function or service for a covered entity, such as IT hosting, EHR vendors, cloud storage, billing, collections, legal, actuarial, consulting, or data analytics. A cloud provider that stores encrypted PHI is a business associate even if it never holds the decryption key. Subcontractors that handle PHI for a business associate are themselves business associates, and each must sign its own agreement with the party above it.

Business Associate Agreement essentials

  • Permitted and required uses/disclosures of PHI and minimum necessary limits.
  • Safeguards for privacy and security, including breach detection and reporting.
  • Subcontractor flow-down obligations for PHI protections.
  • Access, amendment, and accounting support to the covered entity when required.
  • Return or destruction of PHI at termination where feasible and termination-for-cause rights.

Disclosing PHI to a vendor without a Business Associate Agreement in place is an impermissible disclosure that can prompt Privacy Rule enforcement, including investigations, corrective action plans, and civil penalties. Since the 2013 Omnibus Rule, business associates are also directly liable for their own Security Rule compliance and for uses and disclosures the agreement does not permit, so the agreement protects both sides.

Exclusions from Covered Entities

Commonly excluded organizations or roles

  • Employers in their capacity as employers (employment records a covered entity holds in its role as employer are not PHI) and plan sponsors that do not perform plan administration functions.
  • Life insurers, auto insurers, and liability carriers providing only Excepted Benefits.
  • Workers’ compensation programs, schools, and law enforcement agencies, unless they act as a covered provider or plan (a school-based clinic that bills Medicaid electronically is a covered provider).
  • Personal health apps and consumer wellness tools not acting on behalf of a covered entity; the same app becomes a business associate when a provider or plan offers it to patients under contract.
  • Researchers and laboratories that sit outside a covered entity or its designated health care components and do not conduct standard transactions; a laboratory that bills health plans electronically is a covered provider.

Key takeaways

To classify your organization, first pinpoint your role (provider, plan, clearinghouse), then confirm whether you conduct standard transactions or perform Covered Functions. If you are not covered but handle PHI for someone who is, you are likely a business associate and need an agreement. When in doubt, map data flows, inventory where PHI lives, and list every vendor relationship that touches it; accurate classification follows from that inventory.

FAQs

What qualifies a health care provider as a covered entity?

A provider becomes a covered entity when it furnishes health care and transmits health information electronically in connection with a HIPAA standard transaction, such as submitting claims, checking eligibility, obtaining authorizations, or receiving remittance advice. Merely providing care without using standard electronic transactions does not, by itself, trigger covered status.

How are hybrid entities designated under HIPAA?

A single legal entity that performs both Covered Functions and non-covered activities formally designates its “health care components.” The entity documents the components, applies Privacy and Security Rule controls to them, restricts PHI access to authorized workforce members within those components, and implements safeguards to prevent impermissible sharing with non-covered components.

What are the exclusion criteria for health plans from HIPAA?

Plans are excluded to the extent they provide only the Excepted Benefits listed in section 2791(c)(1) of the PHS Act (for example, workers’ compensation, liability, accident-only, or disability income coverage). In addition, a group health plan with fewer than 50 participants that is administered solely by the employer is not a covered entity. Once a plan pays for medical care beyond those excepted benefits, reaches 50 participants, or uses a third-party administrator, HIPAA applies. Stand-alone dental and vision plans are not excluded and remain covered health plans.
