The 3 Types of HIPAA Covered Entities Explained: Examples and Requirements


Kevin Henry

HIPAA

January 20, 2025


If you handle health data in the United States, you must know the covered entity definition under HIPAA. This guide explains the three types of HIPAA covered entities—health plans, health care providers, and health care clearinghouses—along with practical examples and core requirements from the HIPAA Privacy Rule and HIPAA Security Rule.

You’ll also see how Electronic Health Transactions, Health Information Technology, and data standardization shape day-to-day compliance and protect Protected Health Information (PHI).

Health Plans

Health plans finance or pay for medical care and are covered entities by definition. They routinely create, receive, maintain, and transmit PHI and must follow standardized Electronic Health Transactions for enrollment, eligibility, claims, and payments.

Who is included

  • Employer-sponsored group health plans (fully insured or self-funded)
  • Health insurers and HMOs
  • Government programs that pay for health care (e.g., Medicare, Medicaid, TRICARE)
  • Medicare Advantage and Part D plan sponsors
  • High-risk pools and multiemployer plans

What health plans do in practice

  • Process standardized transactions (e.g., claims, remittance, eligibility, enrollment) to support data standardization and interoperability
  • Issue member Notices of Privacy Practices and honor individual rights to access and amend PHI
  • Manage business associate agreements for vendors handling plan PHI

What is not a covered health plan

  • Life, disability, or workers’ compensation insurers (unless they also operate a health plan)
  • Employers themselves (separate from the group health plan they sponsor)
  • Auto liability and property insurers

Health Care Providers

Any provider—individual or organization—is a covered entity if it transmits health information electronically in connection with standard HIPAA transactions. This includes in-person, telehealth, and virtual care models integrated with Health Information Technology systems such as EHRs.

Who is included

  • Physicians, clinics, hospitals, urgent care centers, and surgical centers
  • Dentists, chiropractors, podiatrists, optometrists, physical and occupational therapists
  • Pharmacies, laboratories, imaging centers, and DME suppliers
  • Mental and behavioral health professionals, substance use treatment providers
  • Telehealth platforms that submit or receive standard transactions

When a provider is not covered

If you never conduct standard Electronic Health Transactions (for example, you only accept cash and never submit electronic claims or eligibility checks), you may fall outside of HIPAA’s covered provider category. However, most modern practices transmit at least one standard transaction and are therefore covered.

Health Care Clearinghouses

Health care clearinghouses transform health information from nonstandard formats into standard HIPAA formats—or the reverse. They operate behind the scenes to ensure data standardization so plans and providers can exchange information accurately and efficiently.

Typical clearinghouse services

  • Claims “scrubbing,” validation, and conversion to standard transaction formats
  • Switching and routing transactions between providers and health plans
  • Repricing and aggregation services for billing networks
  • Normalizing code sets for Electronic Health Transactions

Clearinghouses are covered entities in their own right. When they perform services for others, they can also act as business associates and must safeguard PHI accordingly.


HIPAA Compliance Requirements

Core rules you must implement

  • HIPAA Privacy Rule: Governs permitted uses and disclosures of PHI, individual rights, and the Notice of Privacy Practices.
  • HIPAA Security Rule: Requires administrative, physical, and technical safeguards for ePHI, risk analysis, and ongoing risk management.
  • Breach Notification Rule: Mandates timely notification to affected individuals and, when applicable, regulators and the media after a breach of unsecured PHI.

Administrative Simplification and data standardization

  • Use standard transactions and code sets for claims, eligibility, enrollment, premium payments, remittance, referrals, and authorizations.
  • Adopt unique identifiers (e.g., National Provider Identifier) to streamline Electronic Health Transactions.
  • Maintain consistent data quality practices that support interoperability across Health Information Technology systems.

Operational expectations

  • Conduct a documented risk analysis and implement risk-based safeguards; review regularly.
  • Designate privacy and security officials; train your workforce and apply sanctions for violations.
  • Limit PHI under the minimum necessary standard; manage role-based access and audit logs.
  • Execute business associate agreements before sharing PHI with vendors.
  • Maintain written policies, incident response procedures, and required documentation.

Examples of Covered Entities

Health plans

  • National and regional health insurers and HMOs
  • Self-funded employer group health plans and third-party administrators
  • Medicare Advantage and Part D plan sponsors
  • State Medicaid managed care organizations

Health care providers

  • Primary care and specialty practices, hospital systems, and ambulatory surgery centers
  • Pharmacies, clinical laboratories, imaging centers, and home health agencies
  • Behavioral health clinics and telehealth-only practices

Health care clearinghouses

  • Claims clearinghouses and switching networks
  • Medical billing and coding normalization services
  • Repricing organizations and EDI gateways

Role of Covered Entities

Covered entities are stewards of PHI. Your role is to enable treatment, payment, and health care operations while protecting privacy, ensuring security, and supporting nationwide data standardization.

  • Use and disclose PHI only as permitted by the HIPAA Privacy Rule, with authorizations when required.
  • Honor individual rights to access, amendments, restrictions, confidential communications, and an accounting of disclosures.
  • Oversee business associates and hybrid entity components to keep safeguards consistent.
  • Leverage Health Information Technology responsibly to improve care quality and interoperability.

Privacy and Security Obligations

Privacy essentials

  • Apply the minimum necessary standard and role-based access to PHI.
  • Issue and maintain a Notice of Privacy Practices and document disclosures.
  • De-identify data when feasible or use limited data sets with appropriate agreements.

Security safeguards

  • Administrative: risk analysis, risk management, workforce training, and vendor oversight.
  • Physical: facility access controls, device/media protection, and secure disposal.
  • Technical: unique user IDs, multi-factor access where appropriate, encryption, audit controls, integrity monitoring, and transmission security.

Breach response

  • Detect, investigate, and document incidents promptly.
  • Perform a risk assessment to determine if PHI was compromised.
  • Provide breach notifications without unreasonable delay as required by the Breach Notification Rule.

In summary, HIPAA covered entities—health plans, health care providers, and health care clearinghouses—must protect PHI under the HIPAA Privacy Rule and HIPAA Security Rule while using standardized Electronic Health Transactions. Embedding data standardization and strong safeguards into your operations is the most reliable way to stay compliant and build patient trust.

FAQs

What defines a HIPAA covered entity?

A HIPAA covered entity is either a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a standard HIPAA transaction. Business associates are not covered entities, but they are directly liable for certain HIPAA provisions and must sign business associate agreements before handling PHI.

How do health care clearinghouses differ from providers?

Providers deliver care and generate PHI, while clearinghouses act as intermediaries that convert nonstandard data to standard HIPAA formats (and vice versa) to support Electronic Health Transactions. Clearinghouses rarely originate the clinical content; they ensure data standardization so providers and plans can exchange information reliably.

What are the compliance requirements for health plans?

Health plans must comply with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule; standardize Electronic Health Transactions and code sets; use unique identifiers; issue a Notice of Privacy Practices; honor member rights to access and amend PHI; conduct risk analysis and ongoing risk management; implement administrative, physical, and technical safeguards; train the workforce; and execute business associate agreements with vendors.
