HIPAA Covered Entity Explained: Health Plans, Providers, and Clearinghouses with Examples



Kevin Henry

HIPAA

January 24, 2025


Understanding who HIPAA applies to is the first step toward effective HIPAA Compliance. A HIPAA covered entity is generally a health plan, a healthcare provider, or a healthcare clearinghouse that handles Protected Health Information (PHI), often through Electronic Data Interchange and standard insurance transactions. This guide explains each category, how Transaction Standards and the Privacy Rule and Security Rule apply, and what health information portability means in practice.

Overview of HIPAA Covered Entities

Under HIPAA, covered entities are organizations that create, receive, maintain, or transmit PHI as part of providing or paying for healthcare. They fall into three groups: health plans, healthcare providers, and healthcare clearinghouses. Each must meet administrative, technical, and physical safeguards for PHI and follow standardized electronic transactions.

Covered entities are distinct from business associates, which are vendors that handle PHI on a covered entity’s behalf. Employers are not covered entities solely by being employers; their employer-sponsored group health plans are. The focal point across all categories is PHI and the standardized electronic exchange of data.

Health Plans as Covered Entities

Health plans pay for medical care and include commercial insurers, HMOs, employer-sponsored group health plans, Medicare Advantage and Part D plans, and Medicaid managed care organizations. Health flexible spending accounts (FSAs) and health reimbursement arrangements (HRAs) are also health plans when they pay for medical care.

Plans must comply with Transaction Standards for claims, eligibility, remittance, and prior authorization, supporting Electronic Data Interchange for efficient processing. They must protect PHI under the Privacy Rule and secure electronic PHI under the Security Rule, limit uses to the minimum necessary, provide a Notice of Privacy Practices, and execute business associate agreements with vendors.

Some payers are not health plans under HIPAA, such as life insurers and workers’ compensation carriers, though they may still be business associates when performing functions for covered entities.

Healthcare Providers as Covered Entities

A healthcare provider becomes a covered entity when it transmits health information electronically in connection with standard transactions (for example, sending an electronic claim or eligibility inquiry). This includes hospitals, physician practices, clinics, dentists, chiropractors, therapists, pharmacies, labs, and urgent care centers.

Providers must implement HIPAA Compliance programs that safeguard PHI, support patient rights (access, amendment, and accounting of disclosures), and follow Transaction Standards when billing or checking eligibility. Providers that never conduct standard electronic transactions may not be covered entities, but in modern practice most do.

Role of Healthcare Clearinghouses

Healthcare clearinghouses translate nonstandard health information they receive from another entity into standard formats, and vice versa. In effect, they enable Electronic Data Interchange by converting files, validating data, and routing transactions between providers and plans.

Examples include claims “switches,” gateways that convert claims to the standard 837 format, and repricing organizations when they standardize transactions. Some billing services act as business associates rather than clearinghouses unless they perform the standardization function. Clearinghouses are covered entities in their own right and must comply with the Privacy Rule and Security Rule.


Compliance Requirements for Covered Entities

Covered entities must build a comprehensive HIPAA Compliance program that aligns legal requirements with daily operations. Core obligations include:

  • Privacy Rule: Limit uses and disclosures to permitted purposes, apply the minimum necessary standard, provide a Notice of Privacy Practices, and honor individuals’ rights to access and receive copies of PHI.
  • Security Rule: Protect electronic PHI with risk analysis and risk management; implement administrative, physical, and technical safeguards such as access controls, audit logs, encryption where reasonable and appropriate, and workforce security.
  • Breach Notification: Investigate potential incidents, assess risk, and notify affected individuals and regulators without unreasonable delay (and within set timelines) when a breach of unsecured PHI occurs.
  • Transaction Standards and Code Sets: Use adopted standards for claims, eligibility (270/271), claim status (276/277), remittance (835), and prior authorization (278) to support efficient Electronic Data Interchange.
  • Business Associate Management: Execute and maintain business associate agreements, monitor services, and ensure vendors meet applicable safeguards.
  • Policies, Training, and Documentation: Maintain written policies, train the workforce, apply sanctions for noncompliance, and retain documentation for required periods.

Together, these requirements enhance data protection and operational consistency while supporting health information portability—helping individuals access and use their health information across settings.

Examples of Covered Entities

  • Health Plans: Employer-sponsored group health plans; commercial health insurance issuers and HMOs; Medicare Advantage and Part D plan sponsors; Medicaid managed care plans; FSAs and HRAs that pay for medical care.
  • Healthcare Providers: Hospitals and health systems; physician and dental practices; community clinics and urgent care centers; pharmacies; imaging centers and laboratories; physical, occupational, and behavioral health therapists.
  • Healthcare Clearinghouses: Claims clearinghouses and “switches” that convert data to standard EDI formats; gateways that validate and route 837 claims; repricing entities when performing standardization functions.

Edge cases to note: Employers themselves are not covered entities, but their group health plans are. Universities or municipalities that operate hospitals often designate only their healthcare components as covered (hybrid entities).

Impact of HIPAA on Covered Entities

HIPAA reshapes operations by embedding privacy and security into daily workflows. Covered entities invest in access controls, audit capabilities, and vendor oversight while training staff to reduce risk and support trustworthy care.

Standardized Transaction Standards streamline Electronic Data Interchange, lowering manual rework and claim errors. Patients gain stronger rights to access and receive their PHI, advancing health information portability and coordination across providers and plans.

For small practices, the lift centers on practical safeguards and reliable vendors; for large systems and health plans, the focus expands to enterprise risk management, incident response, and continuous monitoring. In all cases, HIPAA sets a common baseline that protects PHI and improves administrative efficiency.

In summary, identifying whether you are a health plan, provider, or clearinghouse—and building the right controls around PHI and EDI—positions your organization to meet HIPAA Compliance, reduce risk, and deliver consistent, secure care and payment operations.

FAQs

What qualifies as a HIPAA covered entity?

A HIPAA covered entity is a health plan, a healthcare provider that transmits health information electronically in standard transactions, or a healthcare clearinghouse that standardizes health data. These organizations handle Protected Health Information and must follow the Privacy Rule, Security Rule, and Transaction Standards.

How do healthcare clearinghouses differ from providers?

Clearinghouses do not deliver medical care. They convert nonstandard health information into standard Electronic Data Interchange formats (and back) so providers and health plans can exchange data reliably. Providers diagnose and treat patients; clearinghouses enable standardized data exchange and are covered entities because of that translation function.

Are employers considered covered entities under HIPAA?

No. Employers are not covered entities simply by being employers. However, an employer’s group health plan is a covered entity, and the employer acting as plan sponsor must follow HIPAA requirements for plan administration, including safeguarding PHI and limiting access to authorized personnel.

What are the main responsibilities of a covered entity?

Key responsibilities include protecting PHI under the Privacy Rule, securing electronic PHI under the Security Rule, following Breach Notification requirements, using HIPAA Transaction Standards for electronic claims and related exchanges, training the workforce, managing business associates, and maintaining policies, risk analyses, and documentation as part of ongoing HIPAA Compliance.
