HIPAA Covered Entities Explained: Who Is Covered and Who Isn’t



Kevin Henry

HIPAA

January 29, 2025

7-minute read

Health Plans as Covered Entities

Under HIPAA’s covered entity definition, a “health plan” is a covered entity because it pays for or provides the cost of medical care and handles protected health information (PHI). If you operate or sponsor a plan, HIPAA’s health plan regulations apply to how you collect, use, disclose, and safeguard members’ PHI.

Examples of health plans include commercial insurers and HMOs, Medicare, Medicaid, Medicare Advantage and Part D sponsors, CHIP, TRICARE, and multiple employer welfare arrangements. Employer-sponsored group health plans—whether fully insured or self-funded—are health plans and therefore covered entities.

Nuances and edge cases

  • Employers themselves are not covered entities; the group health plan is. Employers may only receive limited plan information as permitted by HIPAA.
  • Some benefit programs become health plans if they provide or pay for medical care (for example, many HRAs, FSAs, and certain EAPs).
  • A group health plan with fewer than 50 participants that is administered solely by the employer may be excluded from HIPAA’s definition of a “health plan,” but other federal and state obligations may still apply.
  • Life, disability, workers’ compensation, and auto insurers are not health plans under HIPAA; they fall outside covered entity status unless they perform separate HIPAA-covered functions.

Healthcare Providers under HIPAA

A healthcare provider becomes a HIPAA covered entity if it transmits health information electronically in connection with a standard transaction (for example, claims, eligibility checks, referrals/authorizations, enrollment, premium payments, remittance advice, or coordination of benefits). Most modern practices meet this threshold.

Covered providers include physicians, dentists, chiropractors, therapists, hospitals, urgent care centers, pharmacies, labs, and clinics. If you operate an on‑site employer clinic that bills health plans or verifies insurance electronically, that clinic is a covered provider even though the employer is not.

Important threshold

  • Cash‑only or membership‑only providers that never conduct HIPAA standard transactions electronically may fall outside HIPAA coverage. The moment they use an electronic standard transaction, HIPAA applies.
  • Providers must protect PHI across paper, verbal, and electronic forms; ePHI triggers specific HIPAA Security Rule safeguards.

Role of Healthcare Clearinghouses

Healthcare clearinghouses are covered entities whose core role is converting data between nonstandard and standard formats for HIPAA transactions. If you submit claims or eligibility files, a clearinghouse may validate, edit, and transform that data so health plans and providers can exchange it consistently.

Common healthcare clearinghouse functions

  • Translating nonstandard formats to HIPAA EDI standards and back again.
  • Scrubbing claims for errors and code set mismatches (for example, ICD‑10, CPT/HCPCS).
  • Batching, routing, and tracking transactions between multiple trading partners.
  • Generating acknowledgments and edit reports to improve clean claims rates.

Because they handle PHI for many parties, clearinghouses must meet HIPAA compliance requirements in their own right. When a clearinghouse also provides services on behalf of a plan or provider, it may function as a business associate as well, but its status as a covered entity does not change.


Exclusions from HIPAA Coverage

HIPAA does not cover every organization that touches health‑related data. If an entity is not a health plan, healthcare clearinghouse, or qualifying healthcare provider—and it is not acting as a business associate of one—it typically falls outside HIPAA.

  • Employers (in their role as employers), schools and school districts (student health records are generally governed by FERPA), law enforcement agencies, and most state agencies not providing healthcare services.
  • Life, disability, workers’ compensation, auto, and property/casualty insurers when operating in those capacities.
  • Consumer health apps, fitness trackers, and personal wellness platforms that are not offered by, on behalf of, or integrated as a business associate of a covered entity.
  • General websites, financial institutions, and research organizations not providing healthcare or servicing covered entities with PHI.

Even when HIPAA does not apply, other laws and best practices may govern personal data handling. Always assess your data flows to confirm whether PHI is involved and who controls it.

Compliance Responsibilities of Covered Entities

Covered entities must implement a comprehensive program that satisfies the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification requirements. The goal is to govern how you use and disclose protected health information and how you safeguard it.

Privacy Rule essentials

  • Define allowable uses and disclosures, apply the minimum necessary standard, and issue a Notice of Privacy Practices to individuals.
  • Honor individual rights: access, amendments, restrictions, confidential communications, and an accounting of disclosures where required.
  • Establish and enforce policies, designate a privacy official, and train your workforce.

Security Rule essentials (for ePHI)

  • Conduct a risk analysis and implement risk management for administrative, physical, and technical safeguards.
  • Implement access controls, audit logs, authentication, transmission security, and contingency planning (backup and disaster recovery).
  • Train staff, manage devices and media, and maintain ongoing monitoring and security incident procedures.

Breach Notification and vendor management

  • Assess suspected incidents for compromise of unsecured PHI; when a breach occurs, notify affected individuals and, when required, regulators within prescribed timelines.
  • Execute and manage Business Associate Agreements that restrict vendor uses/disclosures of PHI and flow down obligations to subcontractors.
  • Document policies, procedures, and decisions; retain required documentation for the statutory period.

Distinguishing Covered Entities from Business Associates

Covered entities are health plans, healthcare clearinghouses, and qualifying providers. Business associates are persons or organizations that perform services for a covered entity (or another business associate) that involve PHI—such as claims processing, data hosting, analytics, billing, EHR support, transcription, or secure destruction.

If you are a business associate, you must comply with the HIPAA Security Rule and key Privacy Rule provisions, maintain appropriate safeguards, and report breaches. A single organization can wear both hats: for instance, a hospital (covered entity) that also provides billing services to unrelated clinics acts as a business associate for that service line and needs appropriate agreements and controls for each role.

Conclusion

HIPAA covered entities fall into three buckets: health plans, healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses. Many other organizations interact with PHI only as business associates, while others are entirely outside HIPAA. Map your data flows, identify your role, and implement the appropriate safeguards and agreements to meet HIPAA compliance requirements.

FAQs

Which organizations qualify as HIPAA covered entities?

Covered entities are health plans (including employer‑sponsored group health plans), healthcare providers that transmit health information electronically in connection with HIPAA standard transactions, and healthcare clearinghouses. These entities create, receive, maintain, or transmit protected health information and are directly subject to the HIPAA Privacy and Security Rules.

Are employers considered covered entities under HIPAA?

No. Employers, acting as employers, are not covered entities. The employer’s group health plan is the covered entity. An employer‑operated clinic that conducts standard electronic transactions (for example, billing a health plan) is a covered healthcare provider for that clinic’s operations, but the employer itself remains outside HIPAA in its employment role.

What entities are excluded from HIPAA coverage?

Entities outside HIPAA include employers, schools (for student records), law enforcement, life and disability insurers, workers’ compensation, auto and property/casualty insurers, and consumer health apps not offered by or on behalf of a covered entity. These organizations may handle health‑related data but are not covered entities unless they perform HIPAA‑regulated functions or act as business associates.

How do healthcare clearinghouses fit into HIPAA regulations?

Healthcare clearinghouses are covered entities that convert nonstandard data to standard HIPAA transaction formats and vice versa. Their healthcare clearinghouse functions—such as claim editing, EDI translation, and routing—require them to safeguard PHI and comply with the HIPAA Privacy Rule and Security Rule, even when they also serve as business associates for plans or providers.
