How to Determine If Your Organization Is a Covered Entity
Determining whether you are a HIPAA Covered Entity starts with understanding how you handle Protected Health Information (PHI) and whether you participate in HIPAA Administrative Simplification transactions. This guide walks you through each covered category and the practical steps to reach a confident decision.
Identify Health Plans
Key criteria
A health plan is any individual or group plan that provides or pays the cost of medical care. This includes commercial insurers, HMOs, government programs (such as Medicare and Medicaid), and employer-sponsored group health plans, including self-insured plans. If you operate or sponsor one of these, the plan itself is typically a covered entity.
Examples and edge cases
- Covered: major medical policies, Medicare Advantage plans, Medicaid managed care, flexible spending accounts (FSAs) and HRAs when they reimburse medical care.
- Not covered: plans limited to “excepted benefits” (e.g., workers’ compensation, property and casualty insurance, accident-only), which do not meet the HIPAA health plan definition.
- Small self-administered exception: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is excluded from the health plan definition.
Remember that the employer is generally the plan sponsor, not the covered entity; the group health plan is the covered entity. If the employer handles PHI for plan operations, it must meet plan sponsor requirements and may also act as a business associate in certain functions.
Recognize Health Care Providers
Key criteria
A health care provider becomes a covered entity if it transmits any health information electronically in connection with a standard transaction. If you never send standard transactions electronically, you may not be a covered entity—but the moment you do, you are subject to HIPAA rules.
Transactions that trigger coverage
- Claims (837) and claim payments/remittance (835)
- Eligibility inquiries and responses (270/271)
- Claim status (276/277) and prior authorization/referral (278)
- Pharmacy e-prescribing and related NCPDP transactions
Common scenarios
- Covered: physicians, dentists, hospitals, labs, pharmacies, DME suppliers, behavioral health clinics, telehealth practices that e-prescribe or bill electronically.
- May not be covered: a cash-only practice that uses paper only and never conducts a standard transaction electronically. Using a clearinghouse or billing service to submit claims on your behalf, e-prescribing, or checking eligibility online changes this status.
Understand Health Care Clearinghouses
Health Care Clearinghouse Definition
A health care clearinghouse is an entity that translates nonstandard health information into standard formats (or the reverse) for another entity. If you convert, validate, route, or reformat transactions between providers and plans, you likely meet this definition.
Examples and clarifications
- Common clearinghouses: medical billing services that standardize claims, value-added networks/switches, repricing organizations that transform transaction data.
- Not automatically clearinghouses: software vendors that merely sell or host software without transforming data. If you also perform transaction conversion or routing, you may be a clearinghouse.
Evaluate Business Associates
Are you a business associate?
A business associate (BA) creates, receives, maintains, or transmits PHI on behalf of a covered entity. Being a BA does not make you a covered entity, but it gives you direct HIPAA obligations and requires a Business Associate Agreement (BAA) with each covered entity customer.
Typical BA roles
- Cloud service providers storing ePHI, revenue cycle vendors, TPAs, transcription and coding services, e-signature platforms handling PHI, IT support with system access, shredding and disposal firms.
- Subcontractors that handle PHI on a BA’s behalf are “downstream BAs” and must also sign BAAs.
Business Associate Agreement essentials
A strong BAA defines permitted uses/disclosures, requires Security Rule safeguards, mandates breach reporting, flows obligations to subcontractors, and sets PHI return or destruction at contract end. If you are both a provider and a BA, you must meet obligations for each role.
Use the Covered Entity Decision Tool
How to apply CMS Covered Entity Guidance
The CMS Covered Entity Decision Tool helps you classify your organization under Administrative Simplification. Work through it methodically and document your answers for audit readiness.
Practical steps
- Classify your role: determine if you are a health plan, health care provider, or clearinghouse based on the definitions above.
- List transactions: identify whether you conduct standard transactions electronically (claims, eligibility, claim status, prior authorization, remittance, e-prescribing).
- Map PHI flows: note where Protected Health Information is created, received, maintained, or transmitted, including vendors.
- Check exceptions: confirm whether you fall into any limited exclusions (e.g., small self-administered group health plan).
- Record the outcome: retain the decision path and rationale as part of your HIPAA Compliance Criteria documentation.
Comply with HIPAA Requirements
Core rules you must address
- Privacy Rule: define permitted uses/disclosures, minimum necessary, patient rights (access, amendments, accounting), and issue a Notice of Privacy Practices where applicable.
- Security Rule: perform a risk analysis and implement risk management across administrative, physical, and technical safeguards for ePHI.
- Breach Notification Rule: establish incident response, risk assessment, and timely notification procedures for unsecured PHI incidents.
- Administrative Simplification: follow standards for transactions, code sets, identifiers (NPI), and operating rules if you conduct standard transactions.
Actionable compliance checklist
- Designate a privacy and security official; define governance and oversight.
- Conduct risk analysis; implement encryption, access controls, audit logging, and contingency plans proportional to risk.
- Develop and enforce written policies, workforce training, sanctions, and periodic evaluations.
- Execute and manage Business Associate Agreements; vet vendors and document due diligence.
- Maintain records: decisions, risk analyses, policies, BAAs, and training logs to meet HIPAA Compliance Criteria.
Conclusion
If you pay for care as a plan, provide care and send standard transactions, or transform transactions, you are likely a HIPAA Covered Entity. If you handle PHI for others, you are a business associate and must sign a BAA and safeguard PHI. Use CMS Covered Entity Guidance to confirm status, then align your privacy, security, and transaction practices with HIPAA’s Administrative Simplification requirements.
FAQs
What is a HIPAA covered entity?
A HIPAA covered entity is a health plan, health care clearinghouse, or health care provider that electronically transmits health information in connection with a standard transaction. Covered entities must follow HIPAA’s Privacy, Security, Breach Notification, and Administrative Simplification requirements for PHI and ePHI.
How do I know if my organization is a health care provider under HIPAA?
You are a covered health care provider if you furnish health care and transmit any standard transaction electronically (e.g., claims, eligibility checks, e-prescribing). If you never conduct such transactions electronically, you may not be a covered entity—but starting any one of them brings you under HIPAA.
What role do business associates play in HIPAA compliance?
Business associates handle PHI on behalf of covered entities and must sign a Business Associate Agreement. They are directly liable for Security Rule compliance and certain Privacy Rule provisions, must safeguard PHI, and must report breaches. Being a BA does not, by itself, make you a covered entity.
How can the CMS Covered Entity Decision Tool help determine covered entity status?
The CMS Covered Entity Decision Tool guides you through role classification and standard transaction use, clarifies whether exceptions apply, and helps you document your determination. It provides practical CMS Covered Entity Guidance to support consistent, defensible decisions about HIPAA status.