Under the HIPAA Privacy Rule, Covered Entities Explained: Definition and Examples
Definition of Covered Entities
Under the HIPAA Privacy Rule, a covered entity is an organization or person that handles Protected Health Information (PHI) in specific roles. You are a covered entity if you are a health plan, a health care clearinghouse, or a health care provider who transmits health information electronically in connection with certain Electronic Health Transactions.
PHI includes individually identifiable information about a person’s health status, care, or payment for care, in any form or medium. While the Privacy Rule governs how PHI may be used and disclosed, the HIPAA Security Rule sets standards for protecting electronic PHI (ePHI). Together they require policies, procedures, and Privacy Safeguards proportionate to your risks.
Health Care Providers
A health care provider becomes a covered entity when it transmits health information electronically for standard administrative and financial transactions (for example, submitting claims or eligibility checks). Merely delivering clinical services is not enough; the trigger is participation in those electronic transactions.
- Examples: physicians, hospitals, clinics, urgent care centers, dentists, chiropractors, optometrists, pharmacies, laboratories, imaging centers, durable medical equipment suppliers.
- Modern telehealth practices and virtual care platforms almost always qualify because they routinely conduct Electronic Health Transactions.
Providers that never conduct such transactions electronically (a rarity today) may fall outside HIPAA’s covered entity definition, though other federal or state laws can still apply.
Health Plans
Health plans are covered entities because they pay for or provide the cost of medical care. This category spans public and private payers and most employer-sponsored arrangements that handle enrollment, premium payments, claims, or utilization review involving PHI.
- Examples: commercial health insurers and HMOs; self-funded and fully insured group health plans; Medicare, Medicaid, CHIP, and TRICARE; Medicare Advantage and Part D plan sponsors; certain long-term care insurers that pay for medical care; HRAs and many health FSAs.
- Some programs that only provide “excepted benefits” (such as certain disability, workers’ compensation, or property and casualty lines) are typically not HIPAA health plans, though they may receive PHI for limited purposes under separate rules.
Health Care Clearinghouses
Health care clearinghouses are covered entities that perform Nonstandard Data Processing for health information. They convert nonstandard data they receive from another entity into standard formats (and vice versa) to enable compliant transactions.
- Examples: medical billing services that normalize claim files; repricing organizations; value‑added networks; switch vendors that translate or route EDI transactions between providers and plans.
Clearinghouses often sit between a provider’s software and a payer, ensuring transactions conform to required standards while preserving PHI integrity.
Hybrid Entities
A hybrid entity is a single legal entity that performs both HIPAA‑covered and non‑covered activities. To comply, it must designate one or more covered health care components that perform Covered Functions (like operating a clinic or administering a health plan) and apply HIPAA only to those components—while protecting PHI from improper sharing with non‑covered parts.
- Common examples: a university with a medical center; a city government that runs an employee health plan and a public health clinic; a retailer that operates an on‑site pharmacy; a corporation with an occupational health clinic.
Hybrid designation reduces compliance burden outside the covered components but requires clear boundaries, workforce training, and safeguards to prevent unauthorized PHI flow across the entity.
Business Associates
Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity or provide certain services involving PHI. They are not covered entities by virtue of their role, but HIPAA applies to them through Business Associate Agreements (BAAs) and through direct liability provisions.
- Examples: claims processors and TPAs, EHR and practice management vendors, cloud and data hosting providers, e‑prescribing gateways and HIEs, billing and coding services, law firms and accountants handling PHI, data destruction and scanning vendors, analytics and consulting firms.
Business associates must implement Security Rule safeguards for ePHI, follow applicable Privacy Rule provisions, flow down BAAs to subcontractors that handle PHI, and report breaches to the covered entity.
Compliance Requirements
Privacy Safeguards and Policies
- Adopt written policies and procedures that address permitted uses and disclosures, the minimum necessary standard, workforce access, and Privacy Safeguards tailored to your operations.
- Designate a privacy official, train your workforce, apply sanctions for violations, and mitigate known harmful effects of improper uses or disclosures.
Individual Rights
- Provide timely access to PHI, allow amendments to records, offer confidential communications, honor reasonable restrictions when feasible, and maintain an accounting of certain disclosures.
- Issue a clear Notice of Privacy Practices to explain how you use PHI and the rights individuals have.
HIPAA Security Rule and ePHI
- Conduct a risk analysis, implement administrative, physical, and technical safeguards, and manage vendors to protect ePHI. Security measures must be reasonable and scalable to your risks and resources.
Business Associate Management
- Identify all vendors that handle PHI, execute BAAs before any PHI flows, monitor performance, and ensure subcontractors are bound to equivalent protections.
Breach Notification
- Detect, investigate, and document incidents; assess whether PHI was compromised; and provide required notifications to affected individuals, regulators, and, when applicable, the media within prescribed timeframes.
Documentation and Governance
- Maintain required documentation for the retention period, regularly review policies, and align internal audits, training, and incident response with evolving risks.
Electronic Health Transactions
- When conducting standard transactions (claims, eligibility, claim status, remittance, referrals/authorizations, enrollment/disenrollment, coordination of benefits, and premium payments), use required standards and code sets or work through a clearinghouse that converts nonstandard data to standard formats.
Conclusion
In short, covered entities include health plans, health care clearinghouses, and most providers that engage in Electronic Health Transactions. Hybrid entities must ring‑fence their Covered Functions, and business associates must protect PHI under BAAs and the HIPAA Security Rule. Strong, risk‑based safeguards and clear governance keep PHI protected and your organization compliant.
FAQs
What entities are classified as covered entities under HIPAA?
Three groups qualify: health plans, health care clearinghouses, and health care providers that transmit health information electronically for standard transactions such as claims or eligibility checks. If you are a provider that never conducts these transactions electronically, you may not be a covered entity, though this is uncommon today.
How do hybrid entities comply with HIPAA requirements?
They formally designate their covered health care components, apply HIPAA only to those components, and implement safeguards to prevent PHI from flowing to non‑covered parts. That includes role‑based access, workforce training, documented policies, and processes to route PHI sharing through permitted channels or Business Associate Agreements when needed.
What are the responsibilities of business associates under HIPAA?
Business associates must sign Business Associate Agreements, protect ePHI under the HIPAA Security Rule, follow relevant Privacy Rule provisions, limit uses and disclosures to what the BAA permits, oversee subcontractors that handle PHI, and notify the covered entity of breaches without undue delay.
What penalties exist for violations of the HIPAA Privacy Rule?
OCR can impose civil monetary penalties under a tiered structure that scales with the level of culpability and can require corrective action plans or monitoring. The Department of Justice may bring criminal cases for knowingly obtaining or disclosing PHI in violation of HIPAA, with fines and potential imprisonment that increase when offenses involve false pretenses or intent for commercial advantage, personal gain, or malicious harm.