HIPAA Covered Entities and Business Associates List: Who's Included (With Examples)


Kevin Henry

HIPAA

February 26, 2024

7 minutes read
Types of HIPAA Covered Entities

Under HIPAA, covered entities fall into three groups: health care providers, health plans, and health care clearinghouses. Each group creates, receives, maintains, or transmits Protected Health Information (PHI) and must comply with the HIPAA Privacy Rule, the Security Rule (for electronic PHI, or ePHI), and the Breach Notification Rule.

Health care providers are covered when they transmit health information electronically in connection with standard transactions such as claims, eligibility checks, referrals, or remittance advice. Health plans finance or pay for medical care. Health care clearinghouses translate data between nonstandard and standard formats to support secure, efficient transactions.

Covered entities are the parties HIPAA regulates directly. Their classification determines which of their vendors need Business Associate Agreements (BAAs) and where the Security Rule's ePHI controls apply across electronic health record (EHR) systems, billing, and related workflows.

Categories of Health Care Providers

Health care providers include a broad range of organizations and professionals that deliver diagnosis, treatment, and related services. If they conduct HIPAA standard transactions electronically, they are covered entities and must safeguard PHI accordingly.

Direct treatment providers

  • Physician practices, clinics, and telemedicine groups
  • Hospitals, urgent care centers, and ambulatory surgery centers
  • Dentists, orthodontists, and oral surgeons
  • Pharmacies and mail-order dispensaries
  • Independent laboratories and imaging centers

Allied and ancillary providers

  • Physical, occupational, and speech therapists
  • Behavioral health providers, psychologists, and counselors
  • Chiropractors, podiatrists, and optometrists
  • Home health agencies and hospice organizations

When providers are covered

A provider becomes a HIPAA covered entity when it transmits health information electronically in connection with a transaction for which HHS has adopted a standard, for example submitting electronic claims or checking eligibility online. A provider that bills only on paper and never sends a standard electronic transaction is not a covered entity (though state law may still apply); using a billing service or clearinghouse to send those transactions on its behalf does count. Once covered, the provider must safeguard PHI and apply the Security Rule to ePHI across scheduling, billing, EHR management, and patient communications.

Classes of Health Plans

Health plans are individual or group plans that provide or pay the cost of medical care. Most medical, dental, vision, and prescription drug benefit plans are covered health plans under HIPAA and must protect PHI and restrict its use and disclosure.

Public programs

  • Medicare and Medicaid
  • TRICARE and Veterans health programs
  • State children’s health insurance programs

Private insurance arrangements

  • Commercial health insurance carriers
  • Health Maintenance Organizations (HMOs) and Preferred Provider Organizations (PPOs)
  • Managed care and Medicare Advantage organizations

Employer-sponsored group health plans

  • Self-funded plans using third-party administrators (TPAs)
  • Fully insured plans offered by employers and unions

What’s generally not a HIPAA health plan

Policies that provide only “excepted benefits,” such as workers’ compensation, disability income, liability, and automobile medical coverage, are not HIPAA health plans, and life insurance is not health coverage at all. These programs may receive health information, but they are governed by other rules and do not operate as covered health plans under HIPAA. Two further exclusions matter in practice: a group health plan with fewer than 50 participants that is administered solely by the sponsoring employer is not a HIPAA health plan, and an employer that sponsors a plan is not itself a covered entity. Only the plan is, which is why a plan sponsor that receives PHI from its plan needs amended plan documents and internal firewalls rather than a BAA.

Health Care Clearinghouse Roles

Health care clearinghouses process health information for other entities, converting data from nonstandard formats into HIPAA standard transaction sets (and vice versa). By normalizing claims, eligibility inquiries, authorizations, and remittance data, clearinghouses help keep complex multipayer systems interoperable.

Typical clearinghouse functions

  • Claims “scrubbing,” routing, and aggregation across payers
  • Repricing and standardization for payment integrity
  • Value-added network and switch services that securely transmit transactions

Clearinghouses are covered entities by definition, regardless of how much PHI they handle. When a clearinghouse processes transactions for a provider or health plan, it is also that entity’s business associate for that work, and the Privacy Rule limits how it may use the PHI it receives in that role to what the BAA permits. It must maintain PHI safeguards across both roles.

Definition of Business Associates

A business associate is any person or organization that performs functions or services for, or on behalf of, a covered entity and, in doing so, creates, receives, maintains, or transmits PHI. This includes access to electronic PHI (ePHI) under the HIPAA Security Rule and applies across clinical, operational, and Electronic Health Records Management activities.

What counts as a business associate

  • Vendors enabling claims, billing, eligibility, or utilization review
  • IT, cloud, hosting, and data backup providers that handle ePHI
  • Data analytics, quality reporting, and population health services
  • Legal, actuarial, accounting, and consulting firms working with PHI
  • Patient engagement, communications, and call center services involving PHI

A covered entity’s workforce members (employees, volunteers, and trainees under its direct control) are not business associates. Independent vendors and contractors that touch PHI are business associates and, since the 2013 Omnibus Rule, are directly liable for Security Rule compliance and for the uses and disclosures their BAA permits, whether or not a BAA was actually signed. Two common misreadings: the “conduit” exception covers only entities that merely transport PHI, such as the postal service or an internet service provider, not a cloud service that stores it; and a cloud provider that holds only encrypted ePHI is still a business associate even if it never receives the decryption key, per HHS guidance on cloud computing.

Examples of Business Associates

  • Electronic Health Records vendors; practice management and patient portal providers
  • Cloud storage, data centers, managed service providers, and email encryption services
  • Medical billing companies, revenue cycle firms, and clearinghouse affiliates
  • Telehealth platforms, e-prescribing networks, and secure messaging vendors
  • Transcription, scanning, imaging, shredding, and secure disposal companies
  • Utilization review firms, quality auditors, and external compliance assessors
  • De-identification, data aggregation, and registry-maintenance services performed for a covered entity (a researcher who receives PHI for its own study under a patient authorization or IRB waiver is not a business associate)
  • Law firms, accountants, actuaries, and consultants accessing PHI for services
  • Pharmacy benefit administrators handling eligibility, formulary, or claims data
  • Device and software support vendors that remotely access systems containing ePHI

In each example, the organization handles PHI on behalf of a covered entity or another business associate. That access triggers HIPAA obligations and requires a Business Associate Agreement to define permissible uses and PHI Safeguarding expectations.

Requirements for Business Associate Agreements

A Business Associate Agreement (BAA) is a contract that sets the rules for how a business associate may use and disclose PHI, how it will protect PHI under the HIPAA Security Rule, and how it will support the covered entity’s compliance duties. BAAs translate regulatory requirements into concrete, auditable commitments.

Core BAA elements

  • Permitted uses and disclosures of PHI, including minimum necessary standards
  • Administrative, physical, and technical safeguards for ePHI, aligned to risk assessments
  • Workforce training, access controls, audit logging, and PHI Safeguarding procedures
  • Breach Notification and incident reporting timelines and content (the rule caps a business associate’s notice to the covered entity at 60 days after discovery; BAAs commonly require much shorter windows)
  • Subcontractor Compliance: requiring downstream subcontractors that handle PHI to sign BAAs and follow the same restrictions and safeguards
  • Support for individual rights (access, amendment, and accounting of disclosures when applicable)
  • HHS inspection rights, cooperation with investigations, and mitigation duties
  • Return or secure destruction of PHI at contract end where feasible; where it is not feasible, continued protection of the retained PHI and limits on its use
  • Termination for cause if the business associate violates material terms

Security expectations for ePHI

The HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI, starting with a documented risk analysis and ongoing risk management. Its specifications are either required or “addressable”; encryption is addressable, which means the entity must implement it or document why it is not reasonable and appropriate and what equivalent measure is in place, not that it may simply be skipped. BAAs should reflect the security program’s scope across applications, data flows, and integrations used in EHR management.

Operationalizing compliance

  • Map PHI data flows with vendors and verify role-based access
  • Align incident response and Breach Notification playbooks across parties
  • Validate Subcontractor Compliance before onboarding and at renewal
  • Test backups, disaster recovery, and continuity plans that protect ePHI
  • Review audit logs and attestation evidence to confirm ongoing PHI Safeguarding
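The last two items above are the ones a security engineer can actually automate. The following Python script, added here as an illustration and not code from the article or from Accountable, replays a few constructed ePHI access-log lines against an assumed role-to-resource policy and an assumed vendor inventory. It flags reads outside a role’s minimum-necessary scope, reads by a vendor service account that has no BAA on file, a vendor account operating under a role it was not contracted for, and log lines the parser cannot read (in a real review those are findings too, since a truncated or tampered log is an evidence gap). The log format, role names, account names, and the vendor table are all assumptions.

```python
"""Audit-log review for role-based access to ePHI.

Added illustration, not code from the article. The log format, the role
policy and the vendor/BAA table below are constructed assumptions.
"""
import json
from collections import Counter

# Assumed minimum-necessary policy: resource types each role may read.
ROLE_PERMISSIONS = {
    "clinician": {"chart", "lab_result", "medication"},
    "billing": {"claim", "eligibility"},
    "ehr_vendor_support": {"system_config"},  # vendor support: no clinical data
}

# Assumed vendor inventory: service accounts that belong to business
# associates, the role each was contracted for, and BAA status.
VENDOR_ACCOUNTS = {
    "svc-ehrvendor": {"role": "ehr_vendor_support", "baa_on_file": True},
    "svc-analytics": {"role": "billing", "baa_on_file": False},
}

# Constructed sample: one JSON event per line, plus one truncated line.
SAMPLE_LOG = """\
{"ts":"2024-02-20T14:02:11Z","user":"dr.smith","role":"clinician","action":"read","resource":"chart","patient":"P001"}
{"ts":"2024-02-20T14:05:40Z","user":"jdoe","role":"billing","action":"read","resource":"chart","patient":"P001"}
{"ts":"2024-02-20T02:17:03Z","user":"svc-ehrvendor","role":"ehr_vendor_support","action":"read","resource":"lab_result","patient":"P002"}
{"ts":"2024-02-20T09:30:00Z","user":"svc-analytics","role":"billing","action":"read","resource":"claim","patient":"P003"}
{"ts":"2024-02-20T09:31:00Z","user":"jdoe","role":"billing","action":"read","resource":"claim","patient":"P003"}
{"ts":"2024-02-20T09:32:00Z","user":"jdoe","role":"bil
"""


def parse_log(text):
    """Yield (line_number, event) pairs; event is None when a line is not valid JSON."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield lineno, json.loads(raw)
        except json.JSONDecodeError:
            yield lineno, None


def review_access(log_text, role_permissions=ROLE_PERMISSIONS,
                  vendor_accounts=VENDOR_ACCOUNTS):
    """Return findings as (kind, line_number, user, resource) tuples.

    Kinds: unparseable, unknown_role, outside_role_scope,
    vendor_without_baa, vendor_role_mismatch.
    """
    findings = []
    for lineno, ev in parse_log(log_text):
        if ev is None:
            findings.append(("unparseable", lineno, None, None))
            continue
        user, role, resource = ev.get("user"), ev.get("role"), ev.get("resource")
        allowed = role_permissions.get(role)
        if allowed is None:
            findings.append(("unknown_role", lineno, user, resource))
        elif resource not in allowed:
            # Read of a PHI resource type the role is not permitted to see.
            findings.append(("outside_role_scope", lineno, user, resource))
        vendor = vendor_accounts.get(user)
        if vendor is not None:
            if not vendor["baa_on_file"]:
                findings.append(("vendor_without_baa", lineno, user, resource))
            if role != vendor["role"]:
                findings.append(("vendor_role_mismatch", lineno, user, resource))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick review dashboard."""
    return Counter(kind for kind, _line, _user, _res in findings)


if __name__ == "__main__":
    results = review_access(SAMPLE_LOG)
    for kind, line, user, resource in results:
        print(f"line {line}: {kind} user={user} resource={resource}")
    print(dict(summarize(results)))
```

On the sample, the billing user reading a chart and the EHR vendor’s support account reading a lab result are minimum-necessary violations, the analytics account is a vendor access with no BAA on record, and the truncated last line is reported rather than silently dropped. In production the role map and vendor table would come from the identity provider and the BAA register rather than being hard-coded.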

Conclusion

Covered entities include providers, health plans, and clearinghouses; business associates are the vendors and partners that handle PHI for them. Clear scoping, robust BAAs, and disciplined Security Rule controls ensure Health Information Privacy while keeping care delivery and operations running efficiently.

FAQs

What entities are considered HIPAA covered entities?

HIPAA covered entities are health care providers that conduct standard electronic transactions, health plans that pay for medical care, and health care clearinghouses that convert data between nonstandard and standard formats. These entities must protect PHI and follow privacy, security, and breach notification rules.

Who qualifies as a HIPAA business associate?

A business associate is any vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another business associate). Examples include EHR and cloud providers, billing companies, analytics firms, legal and consulting services, and telehealth platforms that access ePHI.

What is the purpose of a business associate agreement?

A Business Associate Agreement defines how a business associate may use and disclose PHI, mandates safeguards consistent with the HIPAA Security Rule, requires Breach Notification, and compels Subcontractor Compliance. It operationalizes privacy and security obligations so both parties can demonstrate PHI Safeguarding.

Are subcontractors of business associates subject to HIPAA?

Yes. If a subcontractor creates, receives, maintains, or transmits PHI for a business associate, it is itself a business associate under HIPAA and is directly liable for compliance. The primary business associate must obtain a BAA with that subcontractor, and the subcontractor must implement the same privacy, security, and breach notification protections.
