Understanding what makes an organization a "covered entity" is critical for anyone working with healthcare data. The HIPAA covered entity definition determines who must follow strict rules to safeguard protected health information (PHI). If your business handles patient data, knowing these boundaries protects both your organization and the people you serve.
HIPAA sets clear standards for privacy and security, and not every healthcare-related organization is treated the same. There are specific types of covered entities—each with their own responsibilities and criteria. Whether you’re a medical provider, a health plan, or a clearinghouse, understanding your role is the first step toward compliance.
In this article, we’ll break down the core types of covered entities, explain the criteria for each, and highlight their main responsibilities under HIPAA. We’ll also clarify the difference between covered entities and business associates, so you know exactly where your organization stands.
If you’re unsure whether HIPAA applies to you, or what being a covered entity means for your daily operations, you’re in the right place. Let’s clear up the confusion and give you the practical knowledge you need to stay compliant and protect patient information.
Definition of HIPAA Covered Entity
The HIPAA covered entity definition is central to understanding who must comply with the law’s privacy and security requirements. Under HIPAA, a covered entity is any organization or individual that directly handles protected health information (PHI) through treatment, payment, or healthcare operations. This clear distinction helps define the scope of HIPAA compliance and outlines who is responsible for safeguarding sensitive patient data.
There are three primary types of covered entities:
- Healthcare providers: This includes doctors, clinics, dentists, psychologists, hospitals, pharmacies, and other medical practitioners who electronically transmit health information in connection with certain standard transactions. If you deliver care and bill for it electronically, you fall into this category.
- Health plans: Health insurance companies, HMOs, employer-sponsored health plans, government programs like Medicare and Medicaid, and similar organizations are considered health plans. They pay for medical care and therefore must comply with HIPAA rules.
- Healthcare Clearinghouses: These are organizations that process nonstandard health information received from another entity into a standard format, or vice versa. They act as intermediaries, helping translate and organize data between providers and payers.
Covered entity responsibilities are significant. If your business fits one of these categories, you’re required to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI. This means training staff, setting up secure systems, and having policies in place for how information is accessed, shared, and stored.
Understanding these definitions is the first step to HIPAA compliance. By knowing whether you’re a covered entity, you can take the right steps to protect your patients’ privacy and avoid costly penalties. If you’re unsure, it’s wise to review the HIPAA guidelines or consult with a compliance expert, as responsibilities under HIPAA are not optional—they’re the law.
Health Plans
Health plans are a core category in the HIPAA covered entity definition, playing a critical role in managing and protecting individuals’ health information. If you’re responsible for administering or providing access to health benefits, you’re likely operating as a health plan under HIPAA—and with that, you take on specific covered entity responsibilities.
So, what exactly qualifies as a health plan under HIPAA? These organizations pay for or arrange the payment of medical care, making them one of the main types of covered entities. Health plans handle large volumes of protected health information (PHI) as part of their operations, which is why HIPAA sets strict requirements for them.
- Insurance companies: This includes private health insurers, HMOs, and company health plans that fund or reimburse medical care.
- Government programs: Medicare, Medicaid, TRICARE, and other federal or state health plans are directly covered by HIPAA.
- Employer-sponsored group health plans: When employers manage healthcare benefits for employees, those plans are considered covered entities.
- Schools and universities: If a school or university offers a health plan for students or staff and handles PHI, it may fall under the health plan category.
Being classified as a health plan comes with important responsibilities. Health plans must implement administrative, physical, and technical safeguards to keep PHI private and secure. They’re also required to provide individuals with a Notice of Privacy Practices, respond to requests for access to health data, and report breaches quickly and transparently.
If you’re part of a health plan, it’s essential to stay current on HIPAA rules. Understanding your obligations as a covered entity helps prevent costly violations and builds trust with the people whose information you protect. Regular training, up-to-date policies, and clear communication are the foundation of HIPAA compliance for health plans.
Healthcare Providers (Criteria)
Healthcare providers are a primary type of HIPAA covered entity, but not every provider automatically falls under HIPAA regulations. To be considered a covered entity, a healthcare provider must transmit any health information in electronic form in connection with a HIPAA transaction. This means that if you or your organization submit claims, eligibility requests, or referrals electronically, HIPAA applies to you.
The criteria for healthcare providers under HIPAA include:
- Providing medical or health services, including care from doctors, dentists, psychologists, clinics, hospitals, pharmacies, nursing homes, and other licensed professionals.
- Transmitting health information electronically in connection with standard transactions regulated by HIPAA—such as billing, claims, and eligibility inquiries.
- Engaging in activities like diagnosis, treatment, and management of patient care.
It’s important to note that the key factor is electronic transmission of health information for specific transactions. For example, if a small medical practice only submits paper claims and never uses electronic systems for standard transactions, it might not meet the HIPAA covered entity definition. However, as most providers today use electronic systems, nearly all are covered entities.
Covered entity responsibilities for healthcare providers under HIPAA include:
- Safeguarding patient health information from unauthorized use or disclosure.
- Providing patients with information about their privacy rights and your privacy practices.
- Ensuring staff are trained on HIPAA rules and the handling of protected health information (PHI).
- Implementing security measures to protect electronic health records (EHRs) and other digital data.
We know navigating HIPAA can seem complex, but understanding how the law defines healthcare providers as covered entities is the first step. If your organization meets these criteria, it’s essential to take your HIPAA responsibilities seriously to protect your patients and your practice.
Healthcare Clearinghouses
Healthcare clearinghouses play a unique and essential role among the types of covered entities defined by HIPAA. While most people are familiar with healthcare providers and health plans, clearinghouses often operate behind the scenes, ensuring that health information flows smoothly and meets data standards.
According to the HIPAA covered entity definition, a healthcare clearinghouse is any organization that processes nonstandard health information it receives from another entity into a standard format, or vice versa. This usually involves converting billing information, claims, or other health data so it can be easily understood and properly transmitted between providers, health plans, and other covered entities.
Let’s break down what healthcare clearinghouses do and why they matter:
- Data Translation: Clearinghouses translate health information from nonstandard formats (like paper records or proprietary electronic formats) into standardized electronic transactions as required by HIPAA.
- Intermediary Services: They act as intermediaries between HIPAA-covered healthcare providers and health plans, ensuring accurate and efficient communication of sensitive data.
- Error Checking: Clearinghouses often check for errors or inconsistencies in transmitted data, helping prevent costly billing mistakes and ensuring claims are processed smoothly.
- Privacy and Security: As covered entities, clearinghouses must comply with all HIPAA privacy and security rules. They are responsible for safeguarding PHI, just like healthcare providers and health plans.
If your organization processes health information on behalf of another covered entity—even if you’re not directly providing care or insurance—you might be a healthcare clearinghouse under HIPAA. This means you must meet covered entity responsibilities, such as protecting PHI, providing training to staff, and maintaining data security policies. Understanding your role ensures compliance and helps you build trust with clients and patients alike.
Specific Examples of Each Category
Let’s look at specific examples of each type of HIPAA covered entity so you can see how the definition applies in real-world settings. This will help clarify if you or your partners fall under these regulations and what your responsibilities may be when it comes to handling PHI.
Healthcare Providers (HIPAA Covered Entities)
- Physician practices: Individual doctors, medical groups, and specialty clinics that diagnose or treat patients and bill electronically.
- Hospitals and surgical centers: Acute care hospitals, outpatient surgery centers, and emergency rooms that store or transmit patient records.
- Dental offices: General dentists, orthodontists, and oral surgeons submitting insurance claims electronically.
- Pharmacies: Community, mail-order, and specialty pharmacies that process electronic prescriptions and insurance billing.
- Nursing homes and home health agencies: Facilities and caregivers providing long-term or at-home care and maintaining electronic health records.
Health Plans (HIPAA Covered Entities)
- Health insurance companies: Organizations providing health, dental, vision, or prescription drug plans to individuals or employers.
- Health Maintenance Organizations (HMOs): Managed care organizations coordinating healthcare services for enrolled members.
- Employer-sponsored health plans: Companies that offer group health benefits and manage enrollment or claims processing electronically.
- Government health programs: Medicare, Medicaid, Veterans Health Administration, and military health plans handling PHI for beneficiaries.
Healthcare Clearinghouses (HIPAA Covered Entities)
- Medical billing services: Companies that receive raw claims data from providers and translate it into standard formats for insurers.
- Health information exchanges (HIEs): Organizations that facilitate the secure sharing of health data between different healthcare entities.
- Value-added networks: Businesses acting as intermediaries to process or convert health information for other covered entities.
Understanding these categories is essential for compliance and risk management. If you recognize your organization in any of these examples, you have important covered entity responsibilities under HIPAA—especially when it comes to protecting patient privacy and ensuring data security every step of the way.
Core Responsibilities of Covered Entities
Covered entities under HIPAA have a unique set of responsibilities designed to protect patient privacy and ensure the security of health information. Whether you’re a healthcare provider, health plan, or healthcare clearinghouse, your role in managing and safeguarding protected health information (PHI) is critical. Let’s break down the essential covered entity responsibilities that apply under the HIPAA covered entity definition:
- Safeguarding PHI: All types of covered entities must implement administrative, physical, and technical safeguards to protect PHI from unauthorized access, disclosure, or misuse. This means using secure systems, limiting access to authorized personnel, and regularly reviewing security protocols.
- Providing Notice of Privacy Practices: Covered entities, especially healthcare providers under HIPAA, must inform patients about their privacy rights and how their information will be used. This is typically done through a Notice of Privacy Practices, which must be shared with patients at the first point of care or enrollment.
- Allowing Access and Amendments: Patients have the right to access their own medical records and request corrections. Covered entities must have procedures for handling these requests promptly and securely.
- Limiting Use and Disclosure: Only the minimum necessary PHI should be used or disclosed to accomplish a specific task. This “minimum necessary” standard is a core part of covered entity responsibilities and applies to most situations except for treatment purposes.
- Training Staff: All employees and contractors who come into contact with PHI need to be trained on HIPAA rules and your organization’s privacy and security policies. Ongoing training helps ensure everyone remains vigilant.
- Reporting Breaches: If a breach of PHI occurs, covered entities are obligated to notify affected individuals, the Department of Health and Human Services (HHS), and sometimes the media, depending on the size of the breach. Timely reporting is both a legal and ethical responsibility.
- Maintaining Documentation: Healthcare providers and health plans under HIPAA must document their compliance efforts, including policies, procedures, staff training, and breach notifications. These records need to be kept for at least six years.
Understanding and meeting these covered entity responsibilities isn’t just about legal compliance—it’s about building trust with your patients and members. By following these principles, all types of covered entities reinforce a culture of privacy and respect, which benefits everyone in the healthcare ecosystem.
Key Differences from Business Associates
It’s easy to confuse covered entities with business associates under HIPAA, but the differences are essential for compliance and risk management. Understanding the unique roles and responsibilities of each helps ensure that everyone handling protected health information (PHI) knows exactly what’s expected of them.
Covered entities are the primary organizations regulated by HIPAA. They include healthcare providers, health plans, and healthcare clearinghouses. These entities create, receive, maintain, or transmit PHI as a core part of their operations. Their responsibilities are direct and comprehensive, requiring them to implement privacy and security safeguards, train employees, and respond to patient requests regarding their health information.
Business associates, in contrast, are not directly engaged in healthcare delivery or insurance. Instead, they provide services to covered entities—such as billing, IT support, or data analysis—that involve access to PHI. Business associates must also comply with HIPAA, but only because they work on behalf of covered entities.
- HIPAA Covered Entity Definition: These are organizations whose main activities involve the use or transmission of PHI, such as healthcare providers and health plans.
- Business Associates: These are vendors or subcontractors who support covered entities and may encounter PHI during their work.
- Direct vs. Indirect Responsibilities: Covered entity responsibilities extend to every aspect of PHI handling, while business associates’ obligations are limited to the functions they perform for covered entities.
- Regulatory Focus: HIPAA audits and enforcement actions usually target covered entities first, since they are the originators and stewards of PHI.
- Agreements: A business associate can only handle PHI after signing a Business Associate Agreement (BAA) with a covered entity, spelling out both parties’ responsibilities.
In summary, if your organization falls under the HIPAA covered entity definition, your compliance responsibilities are broader and more direct. If you’re a business associate, your HIPAA obligations are tied to the services you provide to covered entities, and you must operate under a formal agreement. Knowing where you stand is the first step to protecting patient information—and your organization.
When Does an Organization Become a Covered Entity?
An organization becomes a HIPAA covered entity when its core activities fall within specific roles outlined by the law. According to the HIPAA covered entity definition, this includes any entity that transmits protected health information (PHI) in electronic form for transactions covered by the Department of Health and Human Services (HHS). It’s not just about being involved in healthcare—it’s about how you interact with health data.
Here’s when an organization is considered a covered entity:
- Healthcare providers: If you’re a provider (like a doctor, dentist, pharmacy, hospital, or clinic) who transmits health information electronically in connection with HIPAA transactions—such as billing insurance or checking eligibility—you’re a covered entity. It doesn’t matter if you’re a solo practitioner or part of a large network.
- Health plans: If you provide or pay for medical care, you fall under the types of covered entities. This includes insurance companies, HMOs, employer-sponsored plans, Medicare, and Medicaid. Even schools or employers offering health coverage to employees or students may be included.
- Healthcare clearinghouses: If your business processes or translates nonstandard health information from one format to another for other covered entities, you meet the HIPAA covered entity definition.
Covered entity responsibilities begin the moment your organization fits any of these criteria. This means you must implement safeguards, provide privacy notices, and ensure all staff understand how to handle PHI appropriately. If your organization only handles PHI as a service to a covered entity (without fitting into these primary categories), you’re likely a business associate instead.
To put it simply, your organization becomes a covered entity under HIPAA when it functions as a provider, health plan, or clearinghouse that electronically transmits health data for standard transactions. Recognizing this status is essential, as it directly impacts your legal obligations and the steps you must take to protect patient information.
Legal Implications of Being a Covered Entity
Being classified as a HIPAA covered entity carries significant legal obligations and potential consequences. Once your organization meets the HIPAA covered entity definition—whether as healthcare providers, health plans, or healthcare clearinghouses—you are legally required to comply with all relevant HIPAA regulations. This isn’t just a best practice; it’s the law, and the stakes for non-compliance can be high.
Covered entities must implement strict measures to protect patient data. This includes administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). These requirements are uniform across all types of covered entities, whether you’re part of a hospital, an insurance plan, or a data clearinghouse.
Failure to meet covered entity responsibilities can result in serious penalties. The U.S. Department of Health and Human Services (HHS) enforces HIPAA, and violations can lead to:
- Substantial fines: Civil penalties can range from thousands to millions of dollars per violation, depending on the severity and whether the violation was intentional.
- Criminal charges: In extreme cases, willful neglect or misuse of PHI can result in criminal prosecution, including possible jail time for individuals responsible.
- Mandatory corrective actions: Organizations found in violation may be required to overhaul their privacy and security practices under government supervision.
- Reputational damage: Beyond legal consequences, breaches can erode trust among patients, members, and business partners.
HIPAA also holds covered entities accountable for their relationships with business associates. You must ensure that any third parties handling PHI on your behalf sign a Business Associate Agreement and follow HIPAA standards. Neglecting this responsibility could expose your organization to liability for their actions as well.
We recommend proactively reviewing your policies, training your staff, and conducting regular risk assessments. Understanding your covered entity status—and acting on those responsibilities—not only keeps you compliant, but also safeguards the trust your patients and clients place in you every day.
Exceptions & Special Cases
While the HIPAA covered entity definition is broad, there are notable exceptions and special cases worth understanding. Not all organizations or individuals that handle health information are classified as covered entities, even if they operate in the healthcare space. Knowing these exceptions helps clarify your HIPAA obligations and avoid unnecessary compliance efforts.
Some of the most common exceptions and special cases include:
- Employers: Simply maintaining employee health information for HR purposes—like managing sick leave or workplace injuries—does not make an employer a covered entity. Unless the employer operates a self-insured health plan or acts as a healthcare provider, HIPAA rules don’t directly apply.
- Life Insurers and Workers' Compensation Carriers: These organizations may handle sensitive health data, but they are generally not considered covered entities under HIPAA. Instead, they operate under other state and federal privacy regulations.
- Schools and Educational Institutions: Schools that maintain student health records for educational purposes fall under FERPA (Family Educational Rights and Privacy Act), not HIPAA, unless they directly provide healthcare services and bill electronically.
- Health Apps and Wellness Programs: Many mobile health apps, fitness trackers, or employer wellness programs are not covered entities. Unless they are operated by or on behalf of a HIPAA-covered healthcare provider or health plan, they typically fall outside HIPAA’s scope.
- Research Organizations: Academic or private research institutions that do not provide healthcare or process health information on behalf of a covered entity are not subject to HIPAA. However, if they partner with a covered entity, HIPAA may apply through a business associate agreement.
It’s also important to note that some healthcare providers may be partially exempt. For instance, a provider who does not transmit health information electronically in connection with standard transactions (like billing insurance) may not be covered by HIPAA, even if they otherwise fit the general healthcare provider category.
Understanding these special cases helps organizations accurately determine their responsibilities. If you’re unsure about your status, review the types of covered entities and seek expert guidance to avoid compliance gaps. Remember, the right classification protects your organization and the patients or clients you serve by clarifying your covered entity responsibilities under HIPAA.
Understanding the HIPAA covered entity definition is the first step toward compliance and protecting sensitive patient information. Whether you’re part of a medical practice, an insurance provider, or a healthcare clearinghouse, your specific responsibilities depend on your organization’s role.
The types of covered entities—healthcare providers, health plans, and clearinghouses—all have unique obligations under HIPAA. Each must ensure proper safeguards are in place to keep protected health information (PHI) secure and confidential.
If you’re unsure where your business fits, explore the official HIPAA guidelines or seek expert advice to clarify your responsibilities. Taking the time to understand covered entity responsibilities helps build trust with patients and partners while avoiding costly compliance issues.
Staying informed and proactive about HIPAA requirements empowers us all to create safer, more reliable healthcare environments. By embracing these standards, we protect both our organizations and the individuals who rely on us for care.
FAQs
Who are considered Covered Entities under HIPAA?
Covered entities under HIPAA are organizations or individuals who must comply with the Health Insurance Portability and Accountability Act’s privacy and security rules. The HIPAA covered entity definition includes any party that handles protected health information (PHI) as part of providing healthcare services, processing health data, or paying for healthcare.
There are three main types of covered entities:
- Healthcare providers (such as doctors, clinics, hospitals, dentists, and pharmacies) who transmit health information electronically in connection with certain standard transactions.
- Health plans (including health insurance companies, HMOs, employer health plans, Medicare, and Medicaid) that pay for or provide medical care.
- Healthcare clearinghouses that process nonstandard health information from another entity into a standard format, or vice versa.
If your organization falls into one of these categories, you have specific covered entity responsibilities under HIPAA to safeguard patient information and ensure privacy and security compliance. Understanding your role is the first step to effective HIPAA compliance.
Is a solo practitioner a Covered Entity?
Yes, a solo practitioner is considered a HIPAA covered entity. According to the HIPAA covered entity definition, any person or organization that provides healthcare services and transmits health information electronically in connection with certain transactions is a covered entity. This includes solo practitioners, regardless of the size of their practice.
Among the types of covered entities, the healthcare provider category includes individuals such as doctors, dentists, therapists, and other professionals who deliver healthcare services. So, even if you work alone, you still have the same covered entity responsibilities as larger practices or clinics.
It’s important for solo practitioners to understand and implement HIPAA requirements because they handle protected health information (PHI) just like larger organizations. Taking steps to secure patient data and comply with HIPAA safeguards is essential, no matter the size of your practice.
What are the main duties of a Covered Entity?
Covered entities under HIPAA have a crucial responsibility: protecting patients’ health information. Whether you’re a healthcare provider, a health plan, or a healthcare clearinghouse, you’re required to maintain the privacy and security of all protected health information (PHI) that you handle. This means taking steps to prevent unauthorized access, use, or disclosure of sensitive data.
The main duties of a covered entity include developing and enforcing privacy policies, training staff about HIPAA rules, and ensuring that data is only shared for permitted purposes. Covered entities must also provide patients with notices of their privacy rights and respond promptly to requests for access or correction of their health records.
Additionally, if a data breach occurs, covered entities must follow strict procedures for reporting the incident and notifying affected individuals. By meeting these covered entity responsibilities, organizations demonstrate their commitment to patient trust and regulatory compliance.
Is my organization a Covered Entity?
Wondering if your organization is a HIPAA covered entity? The answer depends on the nature of your operations. According to the HIPAA covered entity definition, you are a covered entity if your organization falls into one of three main categories: healthcare providers, health plans, or healthcare clearinghouses.
If your organization delivers medical care or services (like hospitals, clinics, dentists, or pharmacies), processes health information, or provides health insurance (including company health plans and government programs such as Medicare), you’re likely considered a covered entity under HIPAA. Each of these types of covered entities has specific responsibilities to keep patient data secure and confidential.
However, if your organization only performs functions for a covered entity—such as billing or IT support—and doesn’t directly provide healthcare, insurance, or data processing, you’re probably classified as a business associate, not a covered entity. To be sure, review the nature of your services and how you handle protected health information.
Understanding your status is essential—covered entities have important obligations to protect health data and comply with HIPAA regulations. If you’re still uncertain, consider consulting the official HIPAA guidelines or seeking professional advice to confirm your organization’s responsibilities.