HIPAA Covered Entity Definition (45 CFR 160.103): Plain-English Guide with Exclusions and Edge Cases
Definition of HIPAA Covered Entities
Under 45 CFR 160.103, a HIPAA “covered entity” is any health plan, health care clearinghouse, or health care provider that transmits health information electronically in connection with standard transactions. If you meet one of these categories, HIPAA’s Privacy, Security, and Breach Notification Rules apply.
HIPAA focuses on Protected Health Information (PHI)—identifiable data about an individual’s health status, care, or payment. For providers, the trigger is participation in Health Information Transaction Standards (for example, electronic claims or eligibility checks). Paper-only or cash-only practices that never conduct a standard electronic transaction are not covered entities.
The three categories
- Health plans that pay for medical care.
- Health care clearinghouses that transform data to or from standard formats.
- Health care providers who conduct standard electronic transactions.
Components of Health Plans
Health plans include group health plans, health insurance issuers, HMOs, and public payer programs that finance care, such as Medicare and Medicaid. The plan—not the employer sponsor—holds covered entity status and is responsible for HIPAA compliance.
Typical plan functions include enrollment, eligibility, premium billing, claims adjudication, coordination of benefits, and remittance. These activities use the transaction and code set standards, which is why health plans are always covered entities under 45 CFR 160.103.
Governmental health plan nuances
Governmental Health Plan Exclusions apply where a government program’s principal purpose is not to provide or pay for health care, or where the program primarily delivers care directly rather than acting as a payer. Such programs are not “health plans,” though their provider components can still be covered providers.
Role of Health Care Clearinghouses
A health care clearinghouse receives nonstandard health information and processes it into standard data elements (or vice versa). Examples include medical billing services that translate claims, repricing firms, community health information systems, and value-added networks/switches that perform data format conversion.
Clearinghouses are covered entities because their core function touches PHI within the transaction flow. When a clearinghouse also provides services on behalf of a plan or provider, it may act as a business associate too—but it retains covered entity obligations for its clearinghouse functions.
Edge cases to watch
- Vendors that only transport data without transforming content are not clearinghouses.
- Entities that standardize claims for providers who submit on paper still count as clearinghouses.
Health Care Providers Explained
“Health care provider” includes any person or organization that furnishes, bills, or is paid for health care. A provider becomes a covered entity only if it transmits health information electronically in connection with a standard transaction (claims, eligibility, claim status, referrals/authorizations, enrollment, premium payments, remittance advice, or coordination of benefits).
Using a vendor or clearinghouse to submit transactions still counts as the provider transmitting electronically. By contrast, emailing patients, running a portal, or accepting credit cards does not by itself trigger covered entity status unless you also conduct a standard transaction.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Common provider scenarios
- Traditional or telehealth practices billing insurers electronically are covered entities.
- Cash-only practices that never engage in standard transactions may not be covered entities.
Exclusions from Covered Entity Status
HIPAA does not make an organization a covered entity merely because it handles health information. Employers, life insurers, schools, law enforcement, and municipal agencies are not covered entities when performing their non–health plan, non-provider functions. Personal health apps serving consumers directly are not covered entities unless they act on behalf of a covered entity.
Within the health plan definition, certain benefits are excluded—often referred to as “excepted benefits”—such as workers’ compensation or property-and-casualty coverage. Governmental Health Plan Exclusions also remove programs whose primary purpose is not paying for health care or that primarily deliver care directly; however, those provider components may still be covered providers.
Practical implications
- Vendors that create, receive, maintain, or transmit PHI for a covered entity are typically business associates, not covered entities.
- On-site employer clinics are generally not health plans; if they bill electronically, they may be covered providers.
Understanding Hybrid Entities
A hybrid entity is a single legal entity that performs both covered and non-covered functions. It formally adopts a Hybrid Entity Designation and identifies its health care components—the parts that meet Covered Function Criteria (i.e., would make the entity a health plan, provider, or clearinghouse if those functions stood alone).
Only the designated health care components must comply with the HIPAA rules, but the entity must implement safeguards to prevent improper PHI sharing between covered and non-covered components. Documentation, workforce training, and access controls are essential to keep PHI within the designated components.
Typical examples
- A university that designates its medical center and health plan as covered components while excluding academic and residential units.
- A city government that designates its employee health plan and public clinic, but not its public works department.
Compliance Implications for Covered Entities
Covered entities must comply with the HIPAA Privacy Rule (lawful uses/disclosures, minimum necessary, individual rights), the Security Rule (administrative, physical, and technical safeguards for ePHI), the Breach Notification Rule (risk assessment and notices), and Administrative Simplification (transaction, code set, and identifier standards). Business Associate Agreements are required before vendors handle PHI on your behalf.
Operationally, you should conduct regular risk analyses, maintain policies and procedures, manage access based on job duties, monitor system activity, train your workforce, and keep documentation current. For hybrid entities, ensure your Hybrid Entity Designation is documented and that the separation (the organizational and technical "firewall") between covered and non-covered components is explicit and enforced.
Conclusion
If you are a health plan, a clearinghouse, or a provider that conducts standard electronic transactions, you are a covered entity under 45 CFR 160.103. Apply the Governmental Health Plan Exclusions and Covered Function Criteria carefully, and use a hybrid structure when only some parts of your organization perform covered functions. Align your operations with the HIPAA Privacy Rule, Security Rule, and transaction standards to manage PHI responsibly.
FAQs
What is a HIPAA covered entity?
A HIPAA covered entity is a health plan, health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. These entities must follow the HIPAA Privacy, Security, and Breach Notification Rules when handling Protected Health Information.
How are health care clearinghouses classified under HIPAA?
Clearinghouses are covered entities because they convert nonstandard health data to standard formats (and back) for claims and other transactions. Even when they also act as a vendor to a plan or provider, they remain covered entities for their clearinghouse functions.
What exclusions apply to covered entity definitions?
Exclusions include programs that provide excepted benefits (for example, workers’ compensation or property-and-casualty coverage) and Governmental Health Plan Exclusions where a program’s main purpose is not paying for health care or where it primarily provides care directly. Employers, schools, and similar entities are not covered entities unless they operate a covered plan or provider component.
How does a hybrid entity affect HIPAA compliance?
A hybrid entity designates its health care components—parts that meet Covered Function Criteria—so only those components must comply with HIPAA. The organization must document the designation and implement safeguards to prevent PHI from flowing to non-covered components except as HIPAA allows.