What Is a HIPAA Covered Entity? Definition, Examples, and Requirements


Kevin Henry

HIPAA

December 30, 2024


Definition of Covered Entity

Under HIPAA’s Administrative Simplification provisions, a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. If you fit one of these categories, you create, receive, maintain, or transmit Protected Health Information (PHI) and must meet HIPAA obligations.

Your status hinges on activities, not size or tax type. Organizations performing services for you that involve PHI are typically business associates: they must protect PHI under a Business Associate Agreement and are directly liable for Security Rule compliance, but they are not covered entities unless they also operate as a clearinghouse (or are a plan or provider in their own right). Hybrid entities can designate health care components that are subject to HIPAA while other units are not.

Covered transactions (examples)

  • Claims submission and payment remittance
  • Eligibility and benefits inquiries
  • Claim status requests
  • Referral and prior authorization
  • Coordination of benefits
  • Electronic prescribing and related exchanges

Types of Covered Entities

HIPAA recognizes three types of covered entities. Each encompasses varied organizations and business models, but all must safeguard PHI and comply with the Privacy Rule and Security Rule.

  • Health Care Providers: You become a HIPAA covered entity when you (or a vendor on your behalf) conduct standard electronic transactions.
  • Health Plans: Entities that provide or pay the cost of medical care, including public programs and private insurers.
  • Health Care Clearinghouses: Organizations that convert nonstandard health data to standard formats (and vice versa) for HIPAA transactions.

Nuances and edge cases

A provider that never conducts standard transactions electronically may not be a covered entity; the moment a billing service sends standard claims for you, HIPAA applies. Employers are not covered entities, but their group health plans are. Technology firms that support plans or providers are usually business associates; if they translate data formats, they may be clearinghouses.

Health Care Providers

Who qualifies

Any provider of medical or health services—such as hospitals, physicians, dentists, or pharmacies—qualifies as a covered entity when it transmits health information electronically in a standard transaction. If you e-prescribe, submit electronic claims, or check eligibility electronically, HIPAA applies to your handling of PHI and ePHI.


Common provider types

  • Physician practices and clinics; hospitals and surgical centers
  • Dentists and oral surgeons
  • Pharmacies, including mail-order operations
  • Laboratories and imaging centers
  • Physical, occupational, and speech therapy practices
  • Behavioral health and substance use treatment providers
  • Chiropractors and optometrists
  • Durable medical equipment suppliers
  • Home health, hospice, and ambulance services
  • Telehealth services operated by providers

What to verify

  • Whether you or your vendor send standard transactions (claims, eligibility, remittance)
  • That you use your National Provider Identifier and standard code sets as required
  • That your policies align with the Privacy Rule and Security Rule
  • That you conduct a Risk Assessment and implement PHI Safeguards

Health Plans

Definition and scope

A health plan is any individual or group plan that provides or pays the cost of medical care. The plan—not the employer sponsoring it—is the covered entity. Plans often rely on business associates, such as third‑party administrators and pharmacy benefit managers, to process PHI.

Examples

  • Health insurance issuers and HMOs
  • Employer-sponsored group health plans, including self-funded plans
  • Medicare, Medicaid, CHIP, and Medicare Advantage plans
  • TRICARE and certain Veterans Health Administration programs
  • Federal Employees Health Benefits Program
  • Dental and vision benefit plans
  • Medicare supplement (Medigap) policies
  • Long‑term care insurers that pay for medical care
  • Employee Assistance Programs when they provide clinical services

Health Care Clearinghouses

What they do

Clearinghouses receive health information and convert nonstandard data to standard HIPAA transaction formats, or convert standard data to a requested nonstandard format. Because they transform and route PHI at scale, they are covered entities with direct compliance duties.

Examples

  • Medical claims clearinghouses and switch networks
  • Billing aggregation and repricing services
  • Electronic data interchange (EDI) gateways
  • Pharmacy e‑prescribing networks that translate message formats
  • Community health information systems performing format conversion

Operational considerations

  • Implement Security Rule controls, including access and audit controls
  • Secure transmission (e.g., encryption) and integrity protections
  • Accurate data mapping to prevent truncation or misrouting
  • Business Associate Agreements with downstream vendors handling PHI

Requirements for Covered Entities

Privacy Rule: permitted uses, rights, and PHI Safeguards

The Privacy Rule governs when you may use or disclose PHI, usually for treatment, payment, and health care operations, or with individual authorization. You must apply the minimum necessary standard, limit incidental disclosures, and keep conversations and records protected with effective PHI Safeguards.

  • Provide a Notice of Privacy Practices and adopt written policies
  • Train your workforce and apply sanctions for violations
  • Honor individual rights to access, request amendments, receive an accounting of disclosures, request restrictions, and obtain confidential communications
  • Use de-identification where appropriate to reduce privacy risk
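De-identification is the one Privacy Rule item above that is a concrete technique, so here is an added example (not code from the original article) of the Safe Harbor method in 45 CFR 164.514(b)(2): direct identifiers are dropped, dates directly related to the individual are reduced to the year, ZIP codes are truncated to three digits (or zeroed for sparsely populated prefixes), and ages over 89 collapse into a single "90+" category, which also means the birth year must go. The field names, the sample record and the restricted ZIP prefix list are constructed for illustration. Safe Harbor additionally requires that you have no actual knowledge that the remaining data could identify the individual; code cannot make that judgement for you.

```python
"""Added example: Safe Harbor de-identification of a PHI record.
Not part of the original article; field names, the sample record and
RESTRICTED_ZIP3 are assumptions made for illustration."""
from __future__ import annotations

from datetime import date

# Allowlist approach: only these keys survive unchanged. Anything not listed
# here or handled below (name, MRN, SSN, email, a future device serial...) is
# dropped, so a newly added identifier cannot leak by accident.
KEEP_AS_IS = {"sex", "diagnoses", "medications"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Safe Harbor permits the first three ZIP digits unless the area formed by all
# ZIPs sharing that prefix has 20,000 or fewer people; those become "000".
# The real list derives from Census data; this set is a placeholder assumption.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "823", "878", "879", "884", "893"}

# Constructed sample record (fictional patient), not real PHI.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-000123",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "sex": "F",
    "dob": "1930-05-02",
    "admit_date": "2024-11-15",
    "zip": "03601",
    "diagnoses": ["E11.9"],
}


def _age_on(dob: date, today: date) -> int:
    """Whole years completed between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def deidentify(record: dict, today: date) -> dict:
    """Return a Safe Harbor de-identified copy of record."""
    out: dict = {}
    for k, v in record.items():
        if k in KEEP_AS_IS:
            out[k] = v
        elif k in DATE_FIELDS:
            # Dates directly related to the individual: keep only the year.
            out[f"{k}_year"] = int(v[:4])
        elif k == "zip":
            zip3 = v[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        # every other key is a direct identifier and is dropped

    if "dob" in record:
        age = _age_on(date.fromisoformat(record["dob"]), today)
        if age > 89:
            # Ages over 89 must be aggregated; the birth year alone would
            # reveal that the person is over 89, so it is removed as well.
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2024, 12, 30)))
```

The allowlist is deliberate: a denylist of the 18 identifier types drifts out of date as soon as someone adds a new column to the record.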

Security Rule: protect ePHI through Risk Assessment and controls

The Security Rule requires you to conduct a Risk Assessment, manage identified risks, and implement administrative, physical, and technical safeguards for ePHI. Safeguards must be reasonable and appropriate for your size, complexity, and threat environment.

  • Administrative: security management process, assigned security responsibility, workforce training, contingency planning
  • Physical: facility access controls, workstation/device security, media controls and secure disposal
  • Technical: unique user IDs and access controls, audit controls, integrity protections, authentication, and transmission security (encryption is an addressable specification: implement it, or document why an equivalent alternative is reasonable and appropriate)
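As an added example of the technical safeguards listed above (this is illustration code, not from the original article or any particular product), the following Python gate enforces unique user identification by refusing shared accounts, applies a role-based minimum-necessary view of a record, and writes every access decision, allowed or denied, to a hash-chained audit log whose integrity can be verified afterwards. The roles, field names and the sample record are assumptions made for the example.

```python
"""Added example: a minimal ePHI access gate showing unique user IDs,
role-based minimum-necessary access, audit controls and integrity protection.
Not from the original article; ROLE_FIELDS and SAMPLE_RECORD are assumptions."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Minimum-necessary policy: fields each workforce role may read (assumed roles).
ROLE_FIELDS = {
    "clinician": {"mrn", "name", "dob", "diagnoses", "medications"},
    "billing": {"mrn", "name", "dob", "insurance_id", "diagnoses"},
    "scheduler": {"mrn", "name", "phone"},
}

# Constructed sample ePHI record (fictional patient), not real PHI.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Doe",
    "dob": "1984-05-02",
    "phone": "555-0100",
    "insurance_id": "INS-98765",
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
}


@dataclass
class AuditLog:
    """Append-only audit trail. Each entry stores the SHA-256 of the previous
    entry, so editing or deleting any earlier entry breaks the chain."""
    entries: list[dict] = field(default_factory=list)

    def record(self, user_id: str, role: str, mrn: str, outcome: str, fields: list[str]) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "role": role,
            "mrn": mrn,
            "outcome": outcome,
            "fields": sorted(fields),
            "prev": prev,
        }
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def read_phi(user_id: str, role: str, record: dict, audit: AuditLog) -> dict | None:
    """Return only the fields the role may see; log the decision either way.

    Shared or empty accounts are refused: unique user identification exists so
    that every audit entry names an accountable person."""
    if not user_id or user_id.lower() in {"admin", "shared", "root"}:
        audit.record(user_id or "<empty>", role, record["mrn"], "denied:shared-account", [])
        return None
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        audit.record(user_id, role, record["mrn"], "denied:unknown-role", [])
        return None
    view = {k: v for k, v in record.items() if k in allowed}
    audit.record(user_id, role, record["mrn"], "allowed", list(view))
    return view


if __name__ == "__main__":
    log = AuditLog()
    print(read_phi("j.smith", "scheduler", SAMPLE_RECORD, log))
    print(read_phi("shared", "clinician", SAMPLE_RECORD, log))
    print("audit chain intact:", log.verify())
```

In production the chain head would be anchored somewhere the application cannot rewrite (a write-once store or a signed daily digest); the point here is that denied attempts are logged alongside successful reads, which is what makes the audit trail useful in an investigation.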

Breach Notification Rule: respond and notify

Maintain incident response procedures to investigate, document, and mitigate suspected incidents. If a breach of unsecured PHI occurs, assess the probability that the PHI was compromised (unless an exception applies, an impermissible use or disclosure is presumed to be a breach) and notify affected individuals without unreasonable delay and no later than 60 days after discovery. Notify HHS as well, and the media when a breach affects more than 500 residents of a state or jurisdiction; smaller breaches are reported to HHS annually.

Administrative Simplification: standard transactions and identifiers

Use HIPAA standard electronic transactions and code sets and adopt required identifiers to streamline data exchange and reduce errors. Coordinate with billing systems and clearinghouses to maintain transaction integrity and acknowledgments.

  • Conduct standardized claims, eligibility, remittance, and prior authorization transactions
  • Use standard code sets (e.g., ICD‑10, CPT, HCPCS, NDC as applicable)
  • Use the National Provider Identifier (NPI) and other required identifiers

Business Associates and vendor oversight

When vendors create, receive, maintain, or transmit PHI on your behalf, you must execute Business Associate Agreements that define permitted uses, required safeguards, breach reporting, and subcontractor flow‑down obligations. Perform due diligence and monitor performance.

  • Maintain an inventory of business associates and their services
  • Review security reports, attestations, and corrective actions
  • Limit access to the minimum necessary and revoke promptly when no longer needed

Governance and accountability

Designate a Privacy Official and a Security Official as HIPAA requires (one person, often titled the Compliance Officer, may hold both roles), maintain documentation, and review your program regularly. Continuous improvement reduces risk and strengthens patient and member trust.

  • Retain required documentation for at least six years from the date it was created or last in effect, whichever is later
  • Conduct periodic audits and track remediation to closure
  • Apply workforce sanctions and corrective actions when issues arise
  • Test contingency and disaster recovery plans for ePHI systems

Conclusion

A HIPAA covered entity is a health plan, clearinghouse, or qualifying provider engaged in standard electronic transactions. To comply, you must uphold the Privacy Rule, Security Rule, and Administrative Simplification standards; perform Risk Assessment; implement robust PHI Safeguards; appoint a Compliance Officer; and manage vendors diligently. Building a mature, well-documented program turns compliance into a dependable operational asset.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. If you only accept cash and never send standard transactions electronically, HIPAA may not apply; once a billing service submits standard claims on your behalf, you become a covered entity.

What types of organizations are considered health plans?

Health plans include private insurers and HMOs, employer-sponsored group health plans (including self-funded plans), and public programs such as Medicare, Medicaid, CHIP, TRICARE, and the Federal Employees Health Benefits Program. Dental, vision, Medigap, long‑term care insurers, and certain Employee Assistance Programs can also be health plans when they provide or pay for medical care.

What are the main compliance requirements for covered entities?

You must follow the Privacy Rule, Security Rule, and Breach Notification Rule, and adhere to Administrative Simplification standards for transactions and code sets. Core tasks include conducting a Risk Assessment, implementing PHI Safeguards, training your workforce, executing Business Associate Agreements, honoring individual rights, documenting policies, and designating a Compliance Officer.

How do health care clearinghouses process health information?

Clearinghouses translate nonstandard health data into standard HIPAA transaction formats and may convert standard data back to nonstandard formats when requested. They route and validate transactions, apply Security Rule controls (access, audit, integrity, transmission security), and enter Business Associate Agreements with downstream vendors that touch PHI.
