HIPAA Covered Entities: The Three Categories, Requirements, and Examples


Kevin Henry

HIPAA

January 13, 2025

If you work in health care or health insurance, you need to know whether you are a HIPAA covered entity. This guide explains the three categories—health plans, health care providers, and health care clearinghouses—the core requirements you must meet, and practical examples to help you apply the covered entity definition to your organization.

Under HIPAA’s Administrative Simplification, covered entities handle Protected Health Information (PHI) and must follow the Privacy Rule, the Security Rule, and standardized electronic transactions that enable industry-wide data standardization. The sections below break down what that means for you in plain terms.

Health Plans Overview

Health plans are covered entities because they pay for medical care and routinely exchange PHI in standard electronic transactions. This includes commercial insurers, HMOs, employer group health plans (including many self-insured plans), and government programs such as Medicare, Medicaid, and CHIP. Medicare Advantage and Medicare Part D prescription drug plans are also health plans.

Several arrangements often count as health plans if they provide medical benefits: stand‑alone dental or vision plans, student health plans, and many employee assistance programs that offer treatment or referrals. When these plans conduct standard HIPAA transactions, they must comply.

Some entities are not health plans and therefore not HIPAA covered entities unless they separately operate a covered component: life insurers, disability carriers, workers’ compensation and auto liability insurers, and employers in their role as employers. Also excluded is a group health plan with fewer than 50 participants that is self-administered solely by the employer.

In short, if you finance health care and transmit claims, eligibility, authorizations, or related standard transactions electronically, you likely meet the covered entity definition as a health plan.

Health Care Providers Description

Health care providers become HIPAA covered entities when they transmit health information electronically in connection with a standard transaction. That includes submitting electronic claims, checking eligibility or benefits, receiving electronic remittance advice, or requesting prior authorization.

Examples include hospitals, physician practices, clinics, pharmacies, laboratories, dentists, chiropractors, physical and occupational therapists, behavioral health providers, home health agencies, DME suppliers, and telehealth practices. If you only provide services and never conduct standard electronic transactions, HIPAA might not cover you—but most modern practices do.

Once a provider is covered, HIPAA applies to all PHI the provider maintains, not just the data tied to specific electronic transactions. That encompasses paper, verbal, and electronic PHI across your workforce and systems.

Health Care Clearinghouses Function

Health care clearinghouses are intermediaries that perform data standardization. They convert nonstandard data from providers or plans into standard formats and code sets, and they can translate standard data back to nonstandard formats for trading partners that need it.

Typical functions include editing and validating claims for completeness, converting paper or proprietary files into ASC X12 837 claims, delivering 835 remittance advice, processing 270/271 eligibility inquiries and responses, handling 276/277 claim status, and managing 278 referrals and authorizations. Pharmacy transactions commonly use NCPDP standards.

Because clearinghouses create, receive, and transmit PHI at scale, they are covered entities in their own right. They also act as business associates when providing services to plans and providers, so robust safeguards and agreements are essential.

HIPAA Compliance Requirements

Compliance rests on four pillars: the Privacy Rule, the Security Rule, the Breach Notification Rule, and Administrative Simplification for transactions and code sets. Together, these govern how you use, disclose, secure, and exchange PHI.

  • Governance and accountability: designate privacy and security officials, conduct regular risk analyses, implement risk management, train your workforce, apply sanctions for violations, and document policies and procedures.
  • Privacy Rule fundamentals: use and disclose PHI only as permitted, apply the minimum necessary standard, provide a Notice of Privacy Practices, and honor individual rights (access, amendment, accounting of disclosures, restrictions, and confidential communications).
  • Security Rule safeguards for ePHI: implement administrative, physical, and technical controls such as access management, authentication, encryption, audit logging, integrity controls, device/media handling, and contingency planning.
  • Transactions and code sets: use standard electronic transactions (e.g., 837, 835, 270/271, 276/277, 278) and recognized Transaction Code Sets (e.g., ICD‑10‑CM/PCS, CPT, HCPCS, CDT, NDC). This is the core of Administrative Simplification and promotes interoperable data exchanges.
  • Business associates: sign Business Associate Agreements before sharing PHI with vendors that create, receive, maintain, or transmit PHI on your behalf.
  • Breach response: assess incidents, mitigate harm, and provide breach notifications without unreasonable delay (and within the regulatory deadline) to individuals, HHS, and, when required, the media.
  • Documentation and retention: maintain required documentation for at least six years from the date of creation or last effective date.

Examples of Covered Entities

  • Health plans: employer group health plans (fully insured or self‑insured), commercial medical, dental, or vision plans, HMOs, Medicare Advantage, Medicare Part D plans, Medicaid managed care organizations, and student health plans.
  • Health care providers: hospitals, physician groups, ambulatory surgery centers, dental offices, pharmacies, independent labs, imaging centers, behavioral health clinics, home health agencies, DME suppliers, and telemedicine practices that bill electronically.
  • Health care clearinghouses: organizations that convert, validate, and route claims and other transactions between providers and health plans, including entities specializing in claims editing, eligibility routing, and remittance delivery.

Privacy and Security Obligations

As a covered entity, you must safeguard Protected Health Information throughout its lifecycle. Limit PHI uses and disclosures, obtain patient authorizations when required, and apply the minimum necessary principle to routine operations, payments, and health care activities.

Provide individuals with rights to access and obtain copies of their records, request amendments, receive an accounting of certain disclosures, and ask for restrictions or confidential communications. These rights arise from the Privacy Rule and must be operationalized in your processes.

For ePHI, the Security Rule requires appropriate administrative, physical, and technical safeguards. Practical measures include role‑based access, strong authentication, encryption in transit and at rest, endpoint protection, timely patching, audit logs and monitoring, secure disposal, and tested backups and disaster recovery plans.

When sharing PHI with vendors, execute Business Associate Agreements and verify their safeguards. Use de‑identification or a limited data set with a data use agreement when full identifiers are not necessary.

Enforcement and Penalties

The HHS Office for Civil Rights enforces the Privacy, Security, and Breach Notification Rules through investigations, corrective action plans, and civil monetary penalties. CMS oversees Administrative Simplification for standard transactions and code sets. The Department of Justice may bring criminal cases for intentional misuse of PHI, and state attorneys general can also enforce HIPAA.

Penalties scale across four tiers based on the level of culpability, with per‑violation amounts and annual caps adjusted for inflation. Settlements can reach millions of dollars and often include multi‑year corrective action and monitoring. Consistent risk analysis, training, and prompt incident response significantly reduce enforcement exposure.

In summary, HIPAA covered entities fall into three groups—health plans, health care providers, and health care clearinghouses—and each must safeguard PHI, standardize electronic transactions and code sets, and maintain a documented compliance program aligned to the Privacy Rule, Security Rule, and Administrative Simplification.

FAQs

What are the three categories of HIPAA covered entities?

The three categories are health plans, health care providers that conduct standard electronic transactions, and health care clearinghouses that convert or route health data between parties. Each category handles PHI and is subject to the Privacy Rule, Security Rule, and Administrative Simplification requirements.

Which health plans must comply with HIPAA?

Commercial insurers, HMOs, employer group health plans (including many self‑insured plans), and government programs like Medicare, Medicaid, and CHIP must comply when they conduct standard electronic transactions. A small, self‑administered group health plan with fewer than 50 participants is excluded, and entities like life or disability insurers are not health plans under HIPAA unless they operate a covered health plan component.

How do health care clearinghouses contribute to HIPAA compliance?

Clearinghouses enable data standardization by converting nonstandard data to standard HIPAA formats and Transaction Code Sets and vice versa. They validate, edit, and route transactions (claims, eligibility, remittance, status, authorizations), helping plans and providers meet Administrative Simplification while safeguarding PHI as covered entities themselves.
