How to Identify a Covered Entity Under the HIPAA Privacy Rule
Knowing whether you are a covered entity is the first step to Privacy Rule Compliance. It determines how you must handle Protected Health Information (PHI), which rights individuals have, and which safeguards and notices you must implement.
Under HIPAA, you are a covered entity if you fall into one of three categories. Health plans and health care clearinghouses are covered by definition. Health care providers are covered only when they (or a billing service or clearinghouse acting on their behalf) transmit health information electronically in connection with a HIPAA-covered transaction using Electronic Data Interchange (EDI). The sections below show you how to make that determination with confidence.
Define Covered Entities
A “covered entity” under the HIPAA Privacy Rule is one of three types of organizations that handle PHI in the health care system. The designation is activity-based and does not depend on size or tax status. If you meet the criteria below, you are a covered entity and must comply with HIPAA.
- Health plans
- Health care clearinghouses
- Health care providers that transmit health information electronically in connection with HIPAA-covered transactions
HIPAA-covered transactions are standard administrative and financial activities conducted via EDI. Common examples include electronic claims (submission and remittance), eligibility inquiries and responses, claim status checks, referrals and prior authorizations, enrollment and disenrollment, and premium payments.
If you are a provider and neither you nor anyone acting on your behalf performs these transactions electronically, you are not a covered entity, even if you create or store health information. Health plans and clearinghouses, by contrast, are covered regardless of whether they use EDI. In practice, most modern billing and eligibility workflows rely on EDI, so most providers that bill insurers are covered.
Describe Health Plans
Health plans are covered entities because they arrange for or pay the cost of medical care. If you administer or insure health benefits, you likely fall into this category and must meet Privacy Rule Compliance obligations.
- Included: health insurers, HMOs, employer-sponsored group health plans, government programs such as Medicare and Medicaid, and certain long-term care insurers that pay for health care.
- Not included: life, disability, and workers’ compensation insurers when they do not provide or pay for health care; employers in their role as employers (the plan is covered, not the employer itself); and group health plans with fewer than 50 participants that are administered solely by the sponsoring employer.
Group health plans must safeguard PHI, limit uses and disclosures, and execute Business Associate Agreements with vendors that access PHI on the plan’s behalf.
Explain Health Care Clearinghouses
Health care clearinghouses are entities that standardize data—turning nonstandard health information into standard EDI formats and vice versa. Because they transform data for HIPAA-covered transactions, they are covered entities.
- Examples: medical billing “switches,” repricers, and data translation services that convert claims, remittances, eligibility, or referral data between systems.
- Core role: enable interoperable Electronic Data Interchange (EDI), reduce errors, and support health information portability across health plans and providers.
Clearinghouses must safeguard the PHI they process and, when acting on behalf of other covered entities, meet both Privacy Rule and Security Rule requirements; in that role they are also business associates of the plans and providers they serve.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Outline Health Care Providers
You are a covered health care provider if you furnish medical or health services and transmit any health information electronically in connection with HIPAA-covered transactions. The trigger is the transaction, not merely owning an EHR system.
- Common qualifying activities: submitting electronic claims, sending or receiving electronic eligibility or claim status inquiries, processing electronic remittance advice, or transmitting referrals and prior authorizations.
- Examples of providers: physicians, hospitals, clinics, dentists, chiropractors, physical therapists, pharmacies, labs, and long-term care facilities.
If you never conduct these transactions electronically, you are not a covered entity. Two caveats apply: using a billing service or clearinghouse to submit claims electronically on your behalf counts as transmitting them yourself, and once you begin using EDI for billing or eligibility you become subject to HIPAA and must handle PHI accordingly.
Clarify Hybrid Entities
A hybrid entity is a single legal organization that performs both covered and non-covered functions. To comply, you must identify and designate your “health care components” that perform Covered Functions and apply HIPAA to those components.
- Who becomes hybrid: universities with clinics, retail chains with pharmacies, municipalities with employee health clinics, or corporations running on-site medical services.
- Required steps: formally designate health care components in writing; implement administrative, physical, and technical safeguards; train the workforce; and maintain “firewalls” to prevent impermissible PHI sharing with non-covered components.
- Support functions: internal units (e.g., IT, HR, legal) that assist a health care component and access PHI must be included within the designated health care components. A hybrid entity cannot contract with itself, so Business Associate Agreements are reserved for external vendors; any internal component that would be a business associate if it were a separate legal entity must be designated as part of the health care component.
Only the designated health care components are subject to the Privacy Rule, but the legal entity as a whole remains the covered entity, is responsible for documenting the designation, and must prevent unauthorized PHI flow across its covered and non-covered operations.
Detail Business Associates Compliance
Business associates are not covered entities by type, but they are directly obligated to protect PHI when performing services for a covered entity or another business associate. Typical business associates include cloud and data hosting providers, analytics vendors, billing firms, transcription services, and e-prescribing or EDI intermediaries that are not acting as clearinghouses.
- Business Associate Agreements (BAAs): define permitted uses and disclosures of PHI, require safeguards, mandate breach reporting, and impose “flow-down” obligations on subcontractors.
- Privacy Rule Compliance: business associates may use or disclose PHI only as allowed by the BAA or as required by law, must apply the minimum necessary standard where applicable, and must support individual rights when acting for the covered entity.
- Security and breach duties: implement risk-based administrative, physical, and technical safeguards; maintain audit controls; and notify the covered entity of any breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery (or sooner if the BAA requires).
In practice, you identify your status by mapping your activities. If you are a health plan, clearinghouse, or provider using EDI for HIPAA-covered transactions, you are a covered entity. If you support those activities for another organization and handle PHI, you are likely a business associate and must sign a BAA and follow HIPAA safeguards.
FAQs
What criteria determine a covered entity under HIPAA?
You are a covered entity if you are a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with HIPAA-covered transactions. The key trigger is participating in standard EDI transactions—such as claims, eligibility, or referral authorizations—while creating, receiving, maintaining, or transmitting PHI.
How do hybrid entities comply with the Privacy Rule?
They designate their health care components that perform Covered Functions, apply HIPAA to those components, and implement safeguards to prevent PHI from flowing to non-covered parts of the organization. They also train staff, document their policies and the designation itself, include any internal support unit that accesses PHI within the designated components, and execute Business Associate Agreements with external vendors that access PHI to support those components.
What is the role of business associates in HIPAA?
Business associates perform services for covered entities that involve PHI, and they must sign Business Associate Agreements. They are obligated to safeguard PHI, limit uses and disclosures to what the BAA allows, comply with security requirements, manage subcontractors with the same protections, and report breaches promptly.
When does a health care provider qualify as a covered entity?
A provider qualifies when they conduct HIPAA-covered transactions electronically, such as submitting claims, verifying eligibility, checking claim status, or sending referrals via EDI. Merely having an EHR or emailing patients is not the trigger; performing standard EDI transactions is what brings the provider under HIPAA.