HIPAA Covered Entities Explained: Definitions, Examples, and Common Exclusions


Kevin Henry

HIPAA

January 11, 2025

Health Plans Defined

Under the HIPAA Privacy Rule, a health plan is any individual or group plan that provides or pays for the cost of medical care. If you administer or sponsor such a plan, you are a covered entity and must protect Protected Health Information (PHI) and honor individual rights.

Common examples

  • Insurers and HMOs issuing medical, dental, or vision coverage.
  • Medicare, Medicaid, CHIP, TRICARE, and certain veterans’ health programs.
  • Employer-sponsored group health plans (the plan is covered; the employer in its HR role is not).
  • Government programs that pay for health care, such as state high-risk pools.

What is not a health plan

  • Life, disability, and workers’ compensation policies.
  • Auto liability insurers paying medical claims arising from accidents.
  • Long-term care policies that do not provide or pay for health care benefits.

Key compliance obligations

  • Maintain and disclose a Notice of Privacy Practices and honor access, amendment, and accounting rights.
  • Limit uses/disclosures to the minimum necessary for payment and operations; obtain authorization for non-routine uses.
  • Execute Business Associate Agreements (BAAs) with vendors that create, receive, maintain, or transmit PHI.
  • Support Transaction Standards for eligibility, claims, remittance, enrollment, and related EDI activities.

Health plans must also ensure strong security controls for ePHI, including access management, audit logging, and transmission protections to meet Data Transmission Compliance requirements.

Health Care Providers Overview

A health care provider becomes a HIPAA covered entity when it transmits health information in electronic form in connection with a standard transaction. If you submit electronic claims, check eligibility, or receive electronic remittance, HIPAA applies to your operations.

Examples of covered providers

  • Hospitals, clinics, ambulatory surgery centers, and laboratories.
  • Physicians, dentists, chiropractors, physical and behavioral health therapists.
  • Pharmacies dispensing medications and submitting electronic claims.

When a provider may not be covered

A provider that never conducts electronic standard transactions is not a covered entity. In practice, that is uncommon, and many providers also interact with business associates who facilitate those transactions.

Core responsibilities

  • Safeguard PHI under the HIPAA Privacy Rule and apply the minimum necessary standard where applicable.
  • Implement administrative, physical, and technical safeguards for ePHI, including encryption-in-transit for Data Transmission Compliance.
  • Manage BAAs with billing services, EHR vendors, cloud providers, and other service partners.

Role of Health Care Clearinghouses

Health care clearinghouses process nonstandard health information they receive from another entity into standard data elements, or vice versa. If you convert claims files, reprice services, or normalize code sets, you likely operate as a clearinghouse.

Typical functions

  • Converting batch claim submissions into standard formats and routing them to payers.
  • Normalizing code sets, performing edits, and translating between proprietary and standard EDI formats.
  • Providing reporting and reconciliation services tied to Transaction Standards.

Compliance posture

  • Clearinghouses are covered entities when they process PHI for standard transactions.
  • They may also act as business associates to providers and plans, requiring BAAs.
  • Strong access controls, audit trails, and secure transmission channels are essential to protect PHI at scale.

Understanding Non-Covered Entities

Many organizations handle health-related data yet are not HIPAA covered entities. If you do not meet the definition of a health plan, health care provider engaging in standard transactions, or health care clearinghouse—and you are not a business associate—you are generally outside HIPAA’s scope.

Common exclusions

  • Employers in their role as employers (HR files and leave requests are not PHI).
  • Life, disability, and property/casualty insurers not providing health benefits.
  • Schools subject to FERPA, most law enforcement agencies, and courts.
  • Consumer health apps offering services directly to individuals without acting on behalf of a covered entity.

Even when HIPAA does not apply, state privacy laws, TCPA, FTC rules, and professional ethics may still govern your data practices. Always determine which framework applies to each dataset.

Business Associates and Their Functions

A business associate is a person or organization that performs functions or activities for a covered entity involving PHI. If you create, receive, maintain, or transmit PHI on behalf of a covered entity, you are a business associate and must comply with applicable HIPAA requirements.

Typical business associate roles

  • Cloud service providers, data centers, and backup vendors storing ePHI.
  • EHR, eRx, telehealth, billing, coding, and revenue cycle platforms.
  • Claims repricing, utilization review, analytics, and quality measurement firms.
  • Legal, accounting, consulting, and transcription services handling PHI.

Business Associate Agreements

BAAs define permitted uses and disclosures, require safeguards aligned to the Security Rule, mandate breach notification, and flow down obligations to subcontractors. If you subcontract PHI-handling work, your subcontractors also need written BAAs.

Core responsibilities

  • Limit PHI to the minimum necessary and use it only for contracted purposes.
  • Implement risk-based security controls, including encryption, key management, and monitoring for Data Transmission Compliance.
  • Report breaches promptly to the covered entity and cooperate with investigations.

What is not a business associate

The narrow “conduit” exception applies to entities that merely transmit PHI but do not access it other than on a random or infrequent basis (for example, the postal service). Most cloud or managed service providers do not qualify as conduits and must sign BAAs.

Hybrid Entities and Their Designation

A hybrid entity is a single legal entity that conducts both HIPAA Covered Functions and non-covered activities. Universities with medical centers, municipalities with employee clinics, and retailers operating pharmacies often choose Hybrid Entity Designation to confine HIPAA obligations to specific health care components.

How to designate

  • Identify all Covered Functions (treatment, payment, and health care operations) performed within the organization.
  • Formally designate the health care components in writing and document shared services that require access to PHI.
  • Implement “firewalls” so workforce members outside the health components do not impermissibly access PHI.
  • Apply Privacy Rule and Security Rule policies to designated components and relevant support units.

Operational tips

  • Segment systems and data to keep PHI within designated components.
  • Map data flows and enforce role-based access; ensure BAAs cover hybrid components’ vendors.
  • Train workforce members differently based on whether they support covered or non-covered operations.

Affiliated Covered Entities Overview

Affiliated Covered Entities (ACEs) are legally separate covered entities under common ownership or control that designate themselves as a single covered entity for HIPAA purposes. If you operate multiple related plans or providers, ACE status can streamline privacy practices while maintaining required safeguards.

Key features

  • Participants may share PHI for treatment, payment, and health care operations as if within one covered entity.
  • A combined Notice of Privacy Practices and uniform policies are permitted if they clearly identify ACE participants.
  • BAAs may be centralized, but each participant remains accountable for its compliance posture.
  • Documentation is essential: maintain the ACE designation and the list of participating entities.

Practical considerations

  • Perform coordinated risk analyses and incident response planning across participants.
  • Standardize access controls and auditing to support shared PHI handling.
  • Clarify workforce roles when employees or systems serve multiple ACE participants.

Conclusion

HIPAA covered entities include health plans, most providers conducting standard electronic transactions, and clearinghouses; businesses that handle PHI on their behalf are business associates. Hybrid Entity Designation and ACE structures help you align HIPAA’s requirements with your organization’s footprint while preserving strong safeguards for PHI.

FAQs

What entities are covered under HIPAA?

HIPAA covers health plans, health care providers that transmit health information electronically in standard transactions, and health care clearinghouses. Vendors that create, receive, maintain, or transmit PHI for those entities are business associates and must comply with applicable HIPAA requirements under BAAs.

Which organizations are excluded from HIPAA coverage?

Employers in their HR role, life and disability insurers, most schools (under FERPA), law enforcement, courts, and many direct-to-consumer health apps are not HIPAA covered entities. However, they may still be subject to other federal or state privacy laws and should assess obligations accordingly.

How do hybrid entities comply with HIPAA?

Hybrid entities formally designate their health care components, apply Privacy Rule and Security Rule policies to those components, and establish access “firewalls” so non-covered operations cannot use PHI improperly. They document the Hybrid Entity Designation, train staff, segment systems, and manage BAAs for vendors supporting covered components.

What are the responsibilities of business associates under HIPAA?

Business associates must use and disclose PHI only as permitted by their BAAs, implement robust safeguards for ePHI, ensure Data Transmission Compliance, limit access to the minimum necessary, report breaches to the covered entity, and flow down HIPAA obligations to subcontractors that handle PHI.
