HIPAA Covered Entities Checklist: Included Organizations and Key Exceptions
This HIPAA covered entities checklist helps you quickly confirm who is regulated under the HIPAA Privacy Rule and how Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) must be handled. You will see which organizations are included, key exclusions, and how hybrid structures, business associates, and self-administered plans fit into health information portability and compliance.
Health Plans Covered by HIPAA
Health plans are covered entities because they create, receive, maintain, or transmit PHI to pay for care. The plan—not the employer sponsoring it—is the covered entity.
- Group health plans, whether fully insured or self-funded (including employer-sponsored plans).
- Health insurance issuers and HMOs that pay for healthcare services.
- Government programs that finance care, such as Medicare, Medicaid, and Medicare Advantage/Part D plans.
- Certain long-term care insurers when they pay for healthcare services.
Note: Insurance products that are “excepted benefits” (for example, accident-only, disability income, or other property and casualty coverage) are not health plans for HIPAA purposes and fall outside this checklist’s covered scope.
Healthcare Providers Included
You are a covered entity if you are a healthcare provider who transmits health information electronically in connection with a standard transaction (e.g., claims, eligibility checks, remittance advice). Most modern practices meet this threshold.
- Hospitals, physician practices, clinics, and urgent care centers.
- Dentists, chiropractors, physical/occupational therapists, behavioral health professionals.
- Pharmacies, clinical laboratories, imaging centers, and durable medical equipment suppliers.
- Telehealth providers and mobile practices that bill or check eligibility electronically.
Covered providers must safeguard PHI under the HIPAA Privacy Rule and protect ePHI under the Security Rule, regardless of size or specialty.
Roles of Healthcare Clearinghouses
Healthcare clearinghouses are covered entities that transform nonstandard data into standard HIPAA transaction formats (or the reverse). They perform covered functions that enable claims submission, adjudication, and payment across the ecosystem.
- Claims “switches,” repricers, and data translators that standardize transactions.
- Intermediaries that receive provider data and convert it for health plans, or vice versa.
- Entities that de-identify data as part of their transformation activities.
When acting in the clearinghouse role, these organizations must implement administrative, physical, and technical safeguards for ePHI and apply policies consistent with their covered functions.
Definition of Business Associates
Business associates are not covered entities, but they are directly regulated when they create, receive, maintain, or transmit PHI on behalf of a covered entity (or another business associate). A Business Associate Agreement (BAA) is required before PHI is shared.
- Examples: EHR and cloud hosting vendors, IT managed service providers, billing companies, TPAs, data analytics firms, law firms, consultants, and health information exchanges.
- Obligations: safeguard ePHI under the Security Rule, follow key Privacy Rule provisions, flow down requirements to subcontractors, and provide breach notifications.
If an organization works directly for consumers and not on behalf of a covered entity, it may be outside business associate status—even if it handles health data—unless it performs covered functions for a HIPAA-regulated partner.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exceptions to Covered Entities
Some organizations are explicitly outside HIPAA’s definition of covered entity. Understanding these compliance exceptions helps you avoid over- or under-scoping your program.
- Employers in their role as employers (employment records are not PHI).
- Life insurers, workers’ compensation carriers, and most property/casualty insurers.
- Schools and school districts with education records governed by FERPA.
- Law enforcement agencies and many public safety entities not providing healthcare.
- Consumer apps, wearables, and personal health record vendors that do not act on behalf of a covered entity.
- Financial institutions processing payments without handling PHI for covered functions.
Additionally, de-identified information is not PHI, and thus not regulated by HIPAA. However, non-covered organizations may still receive limited PHI under the HIPAA Privacy Rule’s permitted uses, and other laws (state privacy or consumer protection statutes) may apply.
Self-Administered Employer Health Plan Exemptions
A group health plan that is both self-administered and has fewer than 50 participants is generally exempt from HIPAA as a covered entity. “Self-administered” means the employer handles all plan administration internally without a third-party administrator.
- If the plan uses a TPA or has 50 or more participants, it becomes a covered entity.
- The employer itself is not the covered entity; the group health plan is.
- Covered plans must amend plan documents, establish “firewalls” for plan administration, execute BAAs, and protect ePHI.
Most employer-sponsored health plans do not qualify for this narrow exemption. Confirm participant counts and administration arrangements before relying on it.
Hybrid Entities and Designations
Hybrid entities are single legal entities that perform both covered and non-covered activities (for example, a university with a student clinic or a city government with an employee health center). They may designate specific healthcare components that perform covered functions.
- Designate healthcare components in writing and document boundaries.
- Implement safeguards so PHI does not flow to non-covered components without a valid basis.
- Train workforce members in covered components and execute BAAs where needed.
- Maintain risk analysis and risk management for ePHI within designated components.
Only the designated components must comply with HIPAA, but the entity must keep robust internal “firewalls” to prevent impermissible uses or disclosures. Done well, this structure supports health information portability while limiting the compliance footprint.
In summary, use this HIPAA covered entities checklist to map your role: health plan, provider, or clearinghouse; identify business associates and BAAs; confirm any compliance exceptions; and decide whether hybrid designation or the small self-administered plan exemption applies.
FAQs
What organizations qualify as HIPAA covered entities?
Covered entities are health plans (including most employer-sponsored group health plans), healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses that convert data to or from HIPAA standard formats.
Which organizations are explicitly excluded from HIPAA coverage?
Employers in their employer role, life and property/casualty insurers, workers’ compensation carriers, most schools (for education records under FERPA), law enforcement agencies, and consumer apps not acting for a covered entity are generally outside HIPAA’s covered entity definition.
How do hybrid entities affect HIPAA compliance?
Hybrid entities designate specific healthcare components that perform covered functions. Only those components must comply with HIPAA, and the organization must maintain documented boundaries, training, and safeguards to prevent improper PHI sharing with non-covered components.
When are self-administered employer health plans exempt from HIPAA?
When a group health plan is self-administered and has fewer than 50 participants, it is typically exempt as a covered entity. If it uses a third-party administrator or reaches 50 or more participants, HIPAA coverage applies to the plan.