Guide to the 3 HIPAA Covered Entity Types with Real-World Examples


Kevin Henry

HIPAA

January 20, 2025


This guide explains the three HIPAA covered entity types and how they handle Protected Health Information (PHI). You’ll see how Administrative Simplification, the HIPAA Privacy Rule, and the HIPAA Security Rule apply in practice, with clear, real-world examples.

Health Care Providers Overview

Under the Covered Entity Designation, a health care provider is covered by HIPAA if it furnishes, bills, or is paid for health care and transmits health information electronically in a HIPAA standard transaction. In today’s Health Information Technology environment, most providers meet this threshold.

Covered providers include, for example, physicians, hospitals, clinics, dental practices, pharmacies, laboratories, therapists, and telehealth practices. If they send claims, eligibility checks, or referrals electronically, they must safeguard PHI and follow Data Standardization rules set by Administrative Simplification.

Key implications for providers: maintain a Notice of Privacy Practices, follow the minimum necessary standard, implement access controls in EHRs, and use secure workflows for billing, referrals, and care coordination.

Health Plans Characteristics

Health plans are entities that provide or pay the cost of medical care. This category includes commercial insurers, HMOs, employer-sponsored group health plans (including self-funded plans), Medicare, Medicaid, and certain government programs. The plan—not the employer in its role as employer—is the HIPAA covered entity.

Core characteristics include premium and claims administration, member enrollment, eligibility verification, utilization management, and coordination of benefits. Health plans must execute standardized electronic transactions and code sets under Administrative Simplification while protecting PHI under the HIPAA Privacy Rule and Security Rule.

Plan sponsors that receive PHI for plan administration must implement safeguards and follow “firewall” provisions separating employment records from plan records.

Health Care Clearinghouses Functions

Health care clearinghouses specialize in transforming nonstandard health information into standard formats—or the reverse. They enable Data Standardization by converting proprietary files or paper forms into HIPAA-standard electronic transactions and code sets.

Typical functions include claim “scrubbing,” format translation (for example, to X12 837 claims and 835 remittance), routing, eligibility and prior authorization transaction handling, and EDI error reporting. Clearinghouses are HIPAA covered entities when performing these functions and often serve as business associates to providers and plans.

Note: Health information exchanges (HIEs) and many analytics vendors usually operate as business associates rather than clearinghouses unless they perform true standard/nonstandard data conversions.


Hybrid Entities Explanation

A hybrid entity is a single legal entity that performs both HIPAA-covered and non-covered functions and formally designates its “health care components.” Only those designated components are subject to HIPAA, but the entity must erect safeguards so PHI does not improperly flow to non-covered parts.

Common hybrid entity scenarios include universities that run hospitals, county governments with public health clinics, and retail companies that operate in-store pharmacies. Proper designation, documented policies, and internal “Chinese walls” are essential to comply with the HIPAA Privacy Rule and Security Rule.

Real-World Examples of Covered Entities

Health care providers

  • A community hospital submitting electronic claims and e-prescriptions.
  • A family medicine clinic using an EHR to bill and check eligibility.
  • A telehealth psychotherapy practice handling online scheduling and billing.
  • A dental office transmitting electronic referrals and claims to payers.
  • A neighborhood pharmacy processing e-prescriptions and prior authorizations.

Health plans

  • An employer’s self-funded group health plan administered by a third-party administrator.
  • A commercial insurer offering an HMO and PPO network.
  • A Medicare Advantage plan administering benefits for eligible members.
  • A state Medicaid program paying for covered services for beneficiaries.

Health care clearinghouses

  • An EDI vendor converting a clinic’s proprietary claim files into standard X12 transactions.
  • A billing intermediary that “scrubs” and routes claims and remittance data.
  • A repricing organization translating data between plans and providers for payment accuracy.

Hybrid entities

  • A university that operates a teaching hospital alongside academic departments.
  • A municipal government with a public health clinic and non-health departments.
  • A grocery chain running an in-store pharmacy next to standard retail operations.

Compliance Requirements for Covered Entities

Governance and risk management

Designate a privacy officer and security officer, perform an enterprise-wide risk analysis, and implement risk management plans. Maintain written policies and procedures, workforce training, sanctions for violations, and ongoing auditing and monitoring.

HIPAA Privacy Rule essentials

Limit uses and disclosures to treatment, payment, and health care operations unless another permission applies or you have valid authorization. Follow the minimum necessary standard, provide a Notice of Privacy Practices, and honor individual rights such as access, amendment, and accounting of disclosures.

HIPAA Security Rule safeguards

Implement administrative, physical, and technical safeguards for electronic PHI. Practical controls include role-based access, multi-factor authentication, encryption at rest and in transit, audit logs, device and media controls, and vendor due diligence for cloud services and APIs.

Administrative Simplification and Data Standardization

Use standard transactions and code sets for claims, eligibility, remittance, enrollments, and authorizations. Adopt standardized identifiers and consistent Health Information Technology workflows to reduce friction, errors, and rework across trading partners.

Business associates and agreements

Identify vendors that create, receive, maintain, or transmit PHI (for example, EHR hosting, clearinghouses, e-prescribing networks, analytics, and cloud storage). Execute Business Associate Agreements that define permitted uses, safeguards, and breach response.

Incident response and breach notification

Maintain a documented incident response plan, investigate security events promptly, mitigate harm, and follow breach notification steps when PHI is compromised. Keep decision logs and timelines to support regulatory reporting and patient communications.

Conclusion

Covered Entity Designation under HIPAA encompasses health care providers, health plans, and health care clearinghouses. By aligning Privacy Rule and Security Rule controls with Administrative Simplification and Data Standardization, you can protect PHI, streamline transactions, and reduce compliance risk.

FAQs

What are the three types of HIPAA covered entities?

The three types are health care providers that conduct standard electronic transactions, health plans that provide or pay for medical care, and health care clearinghouses that convert nonstandard health information to standard formats or vice versa—all responsible for protecting PHI.

How does a hybrid entity differ from other covered entities?

A hybrid entity performs both covered and non-covered functions within a single legal entity and must formally designate its health care components. Only those components are directly subject to HIPAA, but the entity must implement internal safeguards to prevent improper PHI sharing with non-covered parts.

What examples illustrate each type of covered entity?

Providers: hospitals, clinics, dentists, pharmacies, telehealth practices. Health plans: employer group health plans, commercial insurers/HMOs, Medicare Advantage, Medicaid programs. Clearinghouses: EDI vendors, billing intermediaries, repricing organizations that translate and route standardized transactions.
