HIPAA Covered Entities List: Health Plans, Providers, and Clearinghouses


HIPAA Covered Entities List: Health Plans, Providers, and Clearinghouses

Kevin Henry

HIPAA

February 26, 2024

6 minutes read

The HIPAA Covered Entities List includes three groups that handle Protected Health Information (PHI): health plans, healthcare providers, and healthcare clearinghouses. If you create, receive, maintain, or transmit PHI—especially Electronic Protected Health Information (ePHI)—you may fall into one of these categories.

This guide explains how each category operates, the core HIPAA rules that apply (Privacy Rule, Security Rule, and the Transactions and Code Sets Rule), and the Covered Entity Responsibilities you must meet, including Business Associate Agreements with vendors.

Health Plans Overview

Health plans finance or pay the cost of medical care. This category includes employer-sponsored group health plans, health insurance issuers, HMOs, and government programs such as Medicare, Medicaid, and military or veterans’ health programs. While an employer is not a covered entity, its group health plan is.

Typical health plan functions involve enrollment, premium billing, eligibility verification, claims adjudication, and remittance. Because these rely on standardized electronic transactions, health plans have extensive HIPAA obligations and must coordinate closely with vendors that touch PHI.

  • Examples: major medical plans, Medicare Advantage, prescription drug plans, dental and vision plans offering medical benefits, and certain employee assistance programs.
  • Key responsibilities: publish a Notice of Privacy Practices, limit uses/disclosures to the minimum necessary, and execute Business Associate Agreements with third-party administrators and other vendors.

Types of Healthcare Providers

Healthcare providers are covered entities when they transmit health information electronically in connection with standard HIPAA transactions. This includes hospitals, physicians, dentists, chiropractors, psychologists, pharmacies, laboratories, durable medical equipment suppliers, home health agencies, and many telehealth organizations.

Not every provider is automatically covered: a cash-only practice that never conducts standard electronic transactions may fall outside HIPAA. Once a provider sends or receives claims, eligibility, or other HIPAA-standard transactions electronically, HIPAA applies to their PHI workflows.

  • Common activities: submitting claims (837), checking eligibility (270/271), receiving remittance advice (835), prior authorization, referrals, and coordination of benefits.
  • Operational focus: identity verification, role-based access to ePHI, secure e-prescribing, patient rights (access, amendments), and workforce training on the Privacy Rule.

Healthcare Clearinghouse Functions

Healthcare clearinghouses process nonstandard health information they receive from another entity into standard HIPAA formats—or the reverse. They enable interoperability across plans and providers by translating, editing, validating, and routing transactions.

Typical clearinghouse services include batch claim intake, format normalization, code set validation, eligibility and claim status translation, and remittance aggregation. Some billing services, repricing companies, and value-added networks act as clearinghouses when they transform transaction formats.

  • Primary role: ensure that transactions comply with the Transactions and Code Sets Rule so claims, eligibility checks, and remittances flow correctly.
  • Security focus: protect ePHI during ingestion, transformation, and transmission, with strict access controls, audit trails, and integrity monitoring.

HIPAA Compliance Requirements

The Privacy Rule governs how covered entities use and disclose PHI, grants patient rights (access, amendments, accounting of disclosures), and requires the “minimum necessary” principle. It applies to PHI in any form—paper, verbal, or electronic.

The Security Rule applies specifically to Electronic Protected Health Information (ePHI) and requires administrative, physical, and technical safeguards. You must conduct a risk analysis, implement risk management, train your workforce, and maintain policies and procedures suited to your environment.

The Transactions and Code Sets Rule standardizes electronic data exchange for claims, eligibility, remittance, claim status, referrals, and more. Covered entities must use the mandated transaction standards and code sets to improve accuracy and efficiency.

Business Associate Agreements are mandatory when vendors create, receive, maintain, or transmit PHI on your behalf. BAAs spell out permitted uses, safeguard requirements, breach reporting duties, and termination rights if obligations are not met.


Identifying Covered Entities

Use the following questions to determine your status: Do you finance or pay for medical care as a plan? Do you provide healthcare and send or receive standard electronic transactions? Do you transform nonstandard health data to standard transactions or vice versa for others? If yes to any, you likely belong on the HIPAA Covered Entities List.

Some organizations are “hybrid entities,” with both covered and non-covered components (for example, a university with a health clinic). In these cases, designate the healthcare component and apply HIPAA to that component’s PHI.

  • Covered Entity Responsibilities include: appointing privacy/security officials, training staff, managing access, honoring individual rights, documenting policies, and maintaining BAAs with applicable vendors.
  • When in doubt, map your data flows and transactions; the presence of standard HIPAA transactions is a strong indicator of covered status.

Enforcement is led by the U.S. Department of Health and Human Services Office for Civil Rights, with potential involvement from the Department of Justice in criminal cases and state attorneys general. Outcomes may include investigations, corrective action plans, and civil monetary penalties.

Penalties escalate with the nature and duration of noncompliance, especially for willful neglect. Failing to implement reasonable safeguards, ignoring risk analysis findings, or failing to maintain required BAAs are common triggers for enforcement.

Breaches that compromise PHI or ePHI require prompt assessment and, when criteria are met, breach notification to affected individuals and regulators. Documenting decisions, remediation steps, and timelines is essential for defensibility.

Data Security Standards

Security starts with a documented, repeatable risk analysis that identifies where ePHI resides, who can access it, and how it is protected. Update your risk analysis as systems, vendors, or threats change, and track mitigation through a risk management plan.

  • Administrative safeguards: policies and procedures, workforce training, sanctions, contingency planning, vendor risk management, and ongoing audits aligned to the Security Rule.
  • Physical safeguards: secure facilities, device/media controls, screen privacy, and procedures for disposal and reuse of hardware containing ePHI.
  • Technical safeguards: unique user IDs, role-based access control, multi-factor authentication, encryption in transit and at rest, audit logs, integrity checks, and secure transmission protocols.

Embed security into daily operations: apply the minimum necessary standard, review access routinely, patch systems promptly, and test incident response. These practices reduce breach risk while supporting compliance across the HIPAA Covered Entities List.

In summary, health plans, providers, and clearinghouses share the same core goal: protect PHI and ePHI while enabling efficient care and payment. By aligning with the Privacy Rule, Security Rule, and the Transactions and Code Sets Rule—and by maintaining strong Business Associate Agreements—you fulfill key Covered Entity Responsibilities and reduce legal and operational risk.

FAQs

What qualifies an organization as a HIPAA covered entity?

An organization qualifies if it is a health plan, a healthcare provider that transmits standard electronic transactions, or a healthcare clearinghouse that converts nonstandard health data to standard formats (or vice versa). If these activities involve PHI or ePHI, the HIPAA Privacy Rule, Security Rule, and administrative requirements apply.

How do healthcare clearinghouses process health information?

Clearinghouses receive health data from plans or providers, validate and transform it to HIPAA-standard transactions and code sets, and route it to the intended recipient. Throughout this translation workflow, they safeguard ePHI with access controls, encryption, and audit logging.

What are the main types of HIPAA covered entities?

The HIPAA Covered Entities List includes three types: health plans (e.g., group health plans and insurers), healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses that standardize and transmit transactions for others.
