HIPAA Covered Entity Examples: Who Qualifies and What They Include
If you handle Protected Health Information (PHI) in the United States, understanding who qualifies as a HIPAA covered entity is essential for HIPAA Compliance. Covered entities fall into three core categories—health plans, health care providers, and health care clearinghouses—with related structures like business associates, hybrid entities, and affiliated covered entities influencing how PHI is managed and shared under the Privacy Rule and Security Rule.
This guide clarifies each category, shows practical HIPAA covered entity examples, and explains what each includes in terms of responsibilities, PHI disclosure allowances, and operational boundaries. You’ll see where Data Standardization fits, how Covered Functions are defined, and what to expect when forming hybrid or affiliated arrangements.
Health Plans
Health plans are organizations that provide or pay for the cost of medical care. They qualify as covered entities because they create, receive, maintain, or transmit PHI to enroll members, adjudicate claims, manage benefits, and coordinate care.
Not all insurance products qualify; for example, certain accident-only or disability income policies are generally outside HIPAA’s scope. Employer plan sponsors are not covered entities, but their group health plans are—and access to PHI must be strictly separated from employment records.
Common examples
- Health insurers and HMOs.
- Employer-sponsored group health plans and self-funded plans.
- Government programs such as Medicare, Medicaid, and TRICARE.
- Medicare Advantage and Part D prescription drug plans.
- Student health plans administered by universities.
Key HIPAA obligations for plans
- Apply the Privacy Rule to limit PHI disclosure to treatment, payment, and health care operations (and other permitted purposes) using the minimum necessary standard.
- Implement Security Rule safeguards for ePHI, including risk analysis, access controls, and incident response.
- Provide members a Notice of Privacy Practices and support individual rights (access, amendments, accounting of disclosures).
- Execute Business Associate Agreements (BAAs) with vendors that handle PHI.
Health Care Providers
Health care providers qualify as covered entities if they transmit health information electronically in connection with standard transactions (for example, claims, eligibility checks, prior authorizations). If you submit electronic claims—even through a billing service—you’re likely a covered entity under HIPAA.
Providers use PHI daily for diagnosis, treatment, and billing, so compliance hinges on practical controls: role-based access, secure patient communications, and appropriate PHI disclosure for treatment, payment, and operations.
Provider examples
- Hospitals, clinics, and ambulatory surgery centers.
- Physicians, dentists, chiropractors, psychologists, and counselors.
- Pharmacies, labs, imaging centers, and durable medical equipment suppliers.
- Home health, hospice, telehealth practices, and urgent care centers.
What qualifies a provider as a covered entity
- Electronic submission of standard transactions (claims, eligibility, claim status, referrals).
- Use of EHRs or billing systems connected to payers or clearinghouses for Data Standardization.
- Contracting with billing services or RCM vendors that transmit PHI on your behalf.
Privacy and Security in practice
- Disclose PHI as permitted by the Privacy Rule (e.g., for treatment or payment) and otherwise obtain valid authorization.
- Apply Security Rule safeguards to ePHI, including encryption in transit where feasible and audit logging.
- Maintain BAAs with vendors and ensure minimum necessary PHI disclosure.
Health Care Clearinghouses
Health care clearinghouses are entities that transform nonstandard health information into standard formats, or the reverse, to enable Data Standardization across the industry. They sit between providers and health plans, translating and routing transactions like claims, eligibility, and remittance advice.
Because clearinghouses handle PHI at scale, they are covered entities in their own right when performing these processing functions, even if they never interact directly with patients.
Clearinghouse examples
- Medical billing “switches” and EDI networks that convert claim files to standard transactions.
- Repricing organizations and value-added networks that normalize payer data.
- Vendors that standardize claim attachments and eligibility requests for multiple systems.
Core HIPAA duties
- Maintain strict Security Rule controls for ePHI integrity, availability, and confidentiality.
- Limit PHI disclosure under the Privacy Rule to permitted purposes and de-identify data where appropriate.
- Ensure subcontractors who process PHI also meet HIPAA Compliance requirements.
Business Associates
Business associates are organizations or individuals that perform services for a covered entity (or for another business associate) involving PHI access—such as claims processing, data analysis, IT support, cloud storage, or legal services. While not covered entities, they are directly liable for complying with key provisions of the Privacy Rule and the full Security Rule.
A Business Associate Agreement defines allowable PHI uses, PHI disclosure limits, and security expectations. If you share PHI with a vendor, you must ensure a BAA is in place and the vendor can meet breach notification and safeguard obligations.
Typical business associates
- EHR platforms, cloud hosting and backup providers, email and messaging platforms handling PHI.
- Revenue cycle management, billing services, and coding vendors.
- Analytics, quality improvement, and population health companies.
- Law firms, auditors, consultants, and transcription services with PHI access.
- HIEs and data registries receiving identifiable data.
Obligations under HIPAA
- Comply with the Security Rule (risk analysis, access control, encryption, monitoring).
- Use and disclose PHI only as permitted by the Privacy Rule and the BAA; apply the minimum necessary standard.
- Flow down HIPAA requirements to subcontractors and report breaches to covered entities.
- Support individual rights (e.g., access to PHI) when the BAA requires your assistance.
Hybrid Entities
A hybrid entity is a single legal entity that performs Covered Functions (like providing health care or operating a health plan) and non-covered functions (such as education or retail), and formally designates its health care components. Only those designated components are subject to HIPAA, but internal walls must prevent inappropriate PHI sharing across components.
Designations must be documented, and workforce members who straddle components need clear role-based controls. This structure lets complex organizations comply with the Privacy Rule and Security Rule without imposing HIPAA on unrelated business units.
Common hybrid scenarios
- A university that runs student health and counseling clinics alongside academic programs.
- A municipal government with a public health department and unrelated city services.
- A large retailer that operates in-store pharmacies within its broader retail operations.
How compliance works
- Identify and document Covered Functions and designate health care components.
- Implement access controls so PHI remains within designated components; apply minimum necessary to PHI disclosure.
- Maintain BAAs for vendors serving the health care components; conduct component-specific risk analyses for HIPAA Compliance.
Affiliated Covered Entities
Affiliated Covered Entities (ACEs) are legally separate covered entities under common ownership or control that designate themselves as a single covered entity for HIPAA purposes. An ACE can streamline compliance by using a joint Notice of Privacy Practices and treating PHI use and disclosure among affiliates as internal operations.
Only entities that are already covered entities may join an ACE, and the affiliation must be documented. Even within an ACE, each affiliate must uphold Security Rule safeguards and follow shared policies, including minimum necessary and breach response standards.
When to form an ACE
- Health systems with multiple hospitals, clinics, and employed physician groups.
- Integrated delivery networks sharing centralized IT, billing, and compliance functions.
- Multi-state plan subsidiaries operating under a parent organization.
Compliance implications
- Unified policies, single Notice of Privacy Practices, and consolidated patient rights processes.
- Permissible PHI sharing among affiliates for treatment, payment, and operations as if one covered entity.
- Shared BAAs and coordinated risk management, incident response, and training programs.
Conclusion
In practice, HIPAA covered entity examples span health plans, providers, and clearinghouses, with business associates, hybrid entities, and ACEs shaping how PHI moves and is protected. If you define Covered Functions clearly, manage PHI disclosure under the Privacy Rule, and harden systems per the Security Rule, you create a durable foundation for HIPAA Compliance and responsible Data Standardization across your organization.
FAQs
What organizations qualify as HIPAA covered entities?
Covered entities include health plans, health care providers that conduct standard electronic transactions, and health care clearinghouses. Related structures affect how PHI is handled: business associates must comply with key HIPAA requirements when they access PHI; hybrid entities apply HIPAA to designated health care components; and affiliated covered entities may operate as a single covered entity for Privacy Rule purposes.
How do hybrid entities comply with HIPAA?
They identify and document Covered Functions, designate health care components, and confine PHI to those components using role-based access, training, and technical safeguards. Vendors serving the components need BAAs, and the designated components must meet Privacy Rule and Security Rule requirements while preventing unnecessary PHI disclosure to non-covered parts of the organization.
What is the role of business associates under HIPAA?
Business associates perform services for covered entities that involve PHI access. They must sign BAAs, limit PHI use and disclosure to permitted purposes, comply with the Security Rule, support Privacy Rule obligations (such as access requests), and notify covered entities of breaches. Their HIPAA Compliance obligations extend to subcontractors that handle PHI on their behalf.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.