Under HIPAA, Covered Entities Include These—Not the Following: Compliance Guide


Kevin Henry

HIPAA

January 11, 2025

7 minute read

Health Plans as Covered Entities

Under HIPAA, health plans are covered entities. A health plan is any individual or group plan that pays for, or provides, the cost of medical care. If you sponsor or administer such coverage, HIPAA’s Privacy Rule and Security Rule apply to your handling of Protected Health Information (PHI).

Who counts as a health plan

  • Employer-sponsored group health plans, including self-funded plans and multiemployer health and welfare funds.
  • Health insurance issuers and HMOs, including Medicare Advantage and Part D plan sponsors.
  • Government programs that pay for health care such as Medicare, Medicaid, and certain military or veterans’ programs.
  • Dental, vision, and pharmacy benefit plans and employee assistance programs that provide medical care.

Key obligations

  • Publish a Notice of Privacy Practices and enforce “minimum necessary” access to PHI for plan administration.
  • Implement Security Rule safeguards for ePHI: risk analysis, access controls, audit logs, and contingency plans.
  • Execute and manage each Business Associate Agreement (BAA) with TPAs, brokers, pharmacy benefit managers, cloud providers, and other vendors.
  • Maintain breach response procedures and timely notifications.

Important nuances

  • “Excepted benefits” (for example, workers’ compensation, liability, or disability-only coverage) are generally not health plans under HIPAA.
  • Small or self-administered plans are still covered if they provide medical care; they must meet the same core requirements.

Health Care Providers' Responsibilities

Health care providers are covered entities when they transmit health information electronically in connection with standard transactions (such as claims, eligibility checks, or referrals). In practice, most modern providers meet this threshold.

Privacy Rule responsibilities

  • Use and disclose PHI only as permitted (treatment, payment, operations) or as authorized by the patient; apply the minimum necessary standard where required.
  • Offer a Notice of Privacy Practices and honor patient rights: access, restrictions, amendments, and an accounting of certain disclosures.
  • Train your workforce and apply role-based access to PHI.

Security Rule responsibilities

  • Protect ePHI with administrative, physical, and technical safeguards, including encryption, authentication, and device/media controls.
  • Conduct periodic risk analyses and document risk management actions.

Done well, compliance enables health information portability—securely moving data to where care and coverage need it—without sacrificing privacy.

Roles of Health Care Clearinghouses

Health care clearinghouses process nonstandard health information they receive from another entity into standard formats (or the reverse). Because they sit at the data interchange layer, they are covered entities under HIPAA.

Typical clearinghouse functions

  • Translating claim, eligibility, and remittance files between nonstandard and HIPAA-standard transactions.
  • Data aggregation, normalization, and repricing for plans and providers.
  • Serving as EDI gateways and value-added networks for health information exchange.

Compliance focus

  • Apply Privacy Rule controls to all PHI processed, whether received directly from individuals or through other entities.
  • Implement robust Security Rule safeguards due to high-volume, high-risk data flows.
  • Use BAAs when services are provided on behalf of another covered entity, while maintaining clearinghouse-level controls.

Non-Covered Entities under HIPAA

Many organizations interact with health data but are not covered entities. HIPAA generally does not apply to them unless they perform covered functions or become business associates of covered entities.

  • Employers in their role as employers (HR files, leave records) and labor unions.
  • Life insurers, disability insurers, workers’ compensation carriers, and most property/casualty or auto insurers.
  • Schools and school districts (student records are typically governed by other laws), camps, and daycares.
  • Law enforcement agencies, courts, and many state or local government offices that do not provide health care.
  • Consumer apps, fitness trackers, and personal health record services that are not acting on behalf of a covered entity.

These organizations may still be subject to other federal or state privacy and security laws. If they handle PHI for a covered entity, a Business Associate Agreement can extend HIPAA obligations to their services.

Understanding Hybrid Entities

A hybrid entity is a single legal entity that performs both covered and non-covered activities. Through a formal Hybrid Entity Designation, it identifies its health care components and applies HIPAA only to those parts that perform Covered Functions.

Covered Functions and segmentation

  • Designate health care components (for example, a university health center or a city-run clinic) and document boundaries.
  • Implement safeguards (“firewalls”) so workforce members outside the designated components do not access PHI inappropriately.
  • Ensure BAAs cover vendors of the health care components, not the entire enterprise, when appropriate.

Examples include universities with medical centers, municipal governments that operate clinics, and retailers that run in-store clinics or pharmacies. The designation lets you target controls where HIPAA applies while preserving operational flexibility elsewhere.

Business Associates and HIPAA Compliance

Business associates are persons or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity (or another business associate). Common examples include EHR vendors, billing and coding services, cloud and data hosting providers, legal and consulting firms, and shredding or mailing services.

Obligations and accountability

  • Comply with the Security Rule for ePHI and relevant provisions of the Privacy Rule (permitted uses/disclosures and the minimum necessary standard).
  • Sign and honor a Business Associate Agreement outlining permissible uses, safeguards, reporting duties, and termination terms.
  • Flow down BAA obligations to subcontractors that handle PHI.
  • Provide breach notification to the covered entity without unreasonable delay and maintain required documentation.

What a strong Business Associate Agreement includes

  • Defined services and permitted PHI uses/disclosures aligned to the covered entity’s purposes.
  • Administrative, physical, and technical safeguards; incident reporting and investigation timelines.
  • Subcontractor requirements, right to audit/assess, and data return or destruction at termination.
  • Clear remedies for noncompliance and cooperation terms for individual rights requests.

Conclusion

Under HIPAA, covered entities are health plans, health care providers that conduct standard electronic transactions, and health care clearinghouses. Many others—employers, schools, and most insurers outside medical coverage—are not covered, unless they perform Covered Functions or act as business associates. Using precise Hybrid Entity Designations, strong BAAs, and disciplined Privacy and Security Rule practices, you can protect Protected Health Information while enabling responsible health information portability.

FAQs

What entities are excluded from HIPAA coverage?

Entities generally outside HIPAA include employers (acting as employers), life and disability insurers, workers’ compensation and most property/casualty or auto insurers, schools and school districts, law enforcement and courts, and many consumer health apps and devices that are not acting for a covered entity. They can, however, become subject to HIPAA if they perform covered functions or sign a Business Associate Agreement to handle PHI on behalf of a covered entity.

How are hybrid entities defined under HIPAA?

A hybrid entity is a single legal entity that conducts both covered and non-covered activities. It makes a formal Hybrid Entity Designation to identify the specific components that perform Covered Functions and applies HIPAA requirements only to those components, with safeguards to prevent inappropriate PHI sharing with the rest of the organization.

What obligations do business associates have under HIPAA?

Business associates must implement Security Rule safeguards for ePHI, comply with permitted-use and minimum-necessary standards under the Privacy Rule, sign and follow a Business Associate Agreement, ensure subcontractor compliance, and provide prompt breach notifications to the covered entity. They have direct liability for failing to meet these obligations.
