Real-World Examples of Covered Entities in Healthcare
If you handle Protected Health Information (PHI) in the United States, you may be regulated as a HIPAA Covered Entity. This guide walks you through real-world examples across the three core categories—health plans, healthcare providers, and healthcare clearinghouses—plus common government, social service, and private practice settings.
By seeing how the definitions of healthcare provider, health plan, and clearinghouse apply in practice, you can quickly determine where you fit and what responsibilities you have for safeguarding PHI.
Health Plans
What qualifies as a Health Plan Entity
Health plans are organizations that pay for or arrange medical care. This includes commercial insurers, HMOs, employer-sponsored group health plans, and government programs like Medicare, Medicaid, and CHIP. If a plan enrolls members, processes claims, or manages benefits, it is a covered entity under HIPAA.
Real-world examples you know
- Commercial plans: UnitedHealthcare, Aetna, Cigna Healthcare, Elevance Health (Anthem Blue Cross Blue Shield), Humana, Kaiser Foundation Health Plan.
- Government programs: Medicare (Original, Medicare Advantage, Part D), state Medicaid and CHIP programs, TRICARE, and the Federal Employees Health Benefits Program.
- Employer-sponsored group health plans: self-funded or fully insured plans administered by third-party administrators.
Where PHI shows up day to day
Health plans touch PHI during eligibility checks, prior authorization, claims adjudication, care management, and appeals. You see PHI in enrollment files, EOBs, utilization management notes, and disease management outreach.
Healthcare Providers
Understanding Healthcare Provider Definitions
Under HIPAA, a healthcare provider is any person or organization that furnishes, bills, or is paid for healthcare in the normal course of business. Providers are covered entities when they transmit standard electronic transactions (for example, claims, eligibility, referrals) using HIPAA-adopted formats.
Real-world examples across settings
- Hospitals and systems: academic medical centers, community hospitals, specialty hospitals, and county or city-run facilities.
- Clinics and urgent care: primary care, pediatrics, OB/GYN, cardiology, dermatology, orthopedics, and urgent care chains.
- Pharmacies and labs: retail and independent pharmacies; national clinical pathology and reference laboratories.
- Behavioral health and rehab: psychologists, licensed clinical social workers, psychiatry groups, substance use treatment programs, physical/occupational/speech therapy clinics.
- Dental, vision, and allied: dental offices, orthodontists, optometrists, chiropractors, ambulatory surgery centers, home health, and ambulance services.
- Telehealth-only practices: virtual primary care or specialty clinics that bill payers or check eligibility electronically.
Medicaid Providers in particular
Many community clinics, hospitals, and specialty groups serve as Medicaid Providers. If they submit electronic claims or conduct eligibility checks for Medicaid members, HIPAA applies to their PHI handling just as it does for commercial plans.
Where PHI shows up day to day
Providers access PHI in EHR documentation, test results, e-prescribing, referral notes, scheduling, claim submissions, and remittance processing. Even small practices become covered entities once they use standard electronic transactions.
Healthcare Clearinghouses
What Clearinghouse Operations look like
Healthcare clearinghouses translate, validate, and route nonstandard data from providers into standard HIPAA EDI formats (for example, X12 837 claims, 835 remittance, 270/271 eligibility, 276/277 claim status, 278 referrals/authorizations). They scrub claims, apply payer rules, and return standardized responses.
Real-world examples you know
- Large multi-payer networks and EDI hubs that connect provider practice systems to hundreds of payers.
- Vendor platforms that bundle claims submission, eligibility, prior authorization, and remittance services for medical and dental practices.
- Pharmacy and medical claim gateways that translate between practice management systems and plan-specific formats.
Where PHI shows up day to day
Clearinghouses process PHI embedded in claims, eligibility, and remittance files. As covered entities, they must secure PHI while translating and routing transactions between providers and payers.
State and Local Government Agencies
When a public agency is a covered entity
State Health Agencies and local governments qualify as covered entities when they operate a health plan or provide healthcare. Common examples include state Medicaid agencies (health plans), state employee health benefit programs (group health plans), and county or city public health clinics (providers).
Real-world examples you might encounter
- State Medicaid agencies administering benefits, authorizations, and claims for beneficiaries.
- County health departments running immunization, STI, and TB clinics that bill payers electronically.
- Public hospital systems and university medical centers delivering care and submitting standard transactions.
- Correctional health programs within jails or prisons that furnish and bill for medical services.
Hybrid entities are common
Many government bodies are “hybrid entities,” designating covered healthcare components (for example, a public health clinic) within a larger agency that performs non-health functions. Only the healthcare components must follow HIPAA, but PHI must be protected across all components that interact with it.
Social Service Agencies
When social services become covered entities
Social service agencies are covered entities only if they meet the health plan or healthcare provider definitions and conduct standard electronic transactions. That often happens when an agency directly furnishes and bills for clinical services or operates a health plan component.
Real-world examples you might encounter
- County behavioral health departments that provide counseling and bill Medicaid electronically.
- Community-based organizations running primary care or substance use treatment programs and submitting claims.
- Area agencies on aging that deliver home health or therapy services and verify eligibility with payers.
Where PHI shows up day to day
PHI flows through intake forms, care coordination notes, authorizations, claims, and remittances. Even if a broader agency is not covered, any clinic or program that bills electronically for healthcare services must handle PHI under HIPAA.
Private Practices
Who is included
Private practices—solo or group—across medicine, dentistry, behavioral health, chiropractic, vision, and therapy are covered entities once they transmit HIPAA-standard electronic transactions. Size does not matter; a one-physician office is covered if it submits an 837 claim or checks 270/271 eligibility.
Real-world examples you know
- Primary care, pediatrics, internal medicine, and family medicine practices.
- Specialty groups such as cardiology, dermatology, orthopedics, gastroenterology, and allergy/immunology.
- Dental, orthodontic, endodontic, and oral surgery practices that e-bill plans.
- Behavioral health practices—psychologists, psychiatrists, and therapy groups—that submit electronic claims.
- Chiropractic, optometry, and physical/occupational/speech therapy clinics.
- Telehealth-only private practices that verify eligibility or submit claims electronically.
Where PHI shows up day to day
You handle PHI in scheduling, registration, clinical documentation, e-prescribing, lab ordering, claim submission, and payment posting. Business associate management, minimum necessary access, and breach response are routine privacy and security responsibilities.
Conclusion
If you operate as a health plan, a healthcare provider that uses standard electronic transactions, or a clearinghouse, you are a HIPAA Covered Entity and must protect PHI accordingly. Government and social service organizations qualify when they deliver or finance care, and most private practices are covered once they e-transact with payers.
FAQs
What defines a covered entity in healthcare?
Under HIPAA, covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit PHI electronically in connection with standard transactions (such as claims, eligibility, referrals, authorizations, and remittances). If you perform these functions, you must comply with HIPAA’s privacy and security requirements.
How do healthcare clearinghouses function?
Clearinghouses receive data from providers, convert it into HIPAA-standard EDI formats, apply payer edits, and route transactions to and from health plans. Their Clearinghouse Operations include claims scrubbing, eligibility verification, claim status inquiries, and remittance delivery—while safeguarding the PHI contained in those files.
Which government agencies qualify as covered entities?
Government bodies are covered entities when they operate a health plan or provide healthcare services. Examples include state Medicaid agencies (health plans), public employee health benefit programs (group health plans), city or county public health clinics (providers), correctional health programs, and public hospital systems that bill and transmit transactions electronically.