What Is a HIPAA Covered Entity? Definition, Types, and Examples
Definition of Covered Entity
A HIPAA covered entity is any organization that falls into one of three categories—health care provider, health plan, or health care clearinghouse—and conducts HIPAA-covered transactions electronically. These transactions include activities like submitting claims, checking eligibility, processing remittance advice, and coordinating benefits.
Covered entities create, receive, maintain, or transmit protected health information (PHI), including electronic protected health information (ePHI). They must follow HIPAA's administrative simplification rules, which set national standards for privacy, security, breach notification, transactions, code sets, and identifiers.
Covered entities vs. business associates
Business associates (for example, billing companies, IT vendors, and consultants) handle PHI on behalf of a covered entity. They are not covered entities themselves, but they must comply with HIPAA through business associate agreements. The covered entity remains ultimately responsible for PHI shared with these partners.
What “electronic” means under HIPAA
Electronic refers to transmitting health information via electronic media (such as EDI networks, secure internet connections, or encrypted file transfers) when performing HIPAA-covered transactions. If you conduct these transactions electronically, HIPAA applies to you as a covered entity.
Types of Covered Entities
HIPAA recognizes three types of covered entities. Each type must comply with privacy, security, and transaction standards when handling PHI and ePHI.
- Health care providers that transmit health information electronically in connection with HIPAA-covered transactions.
- Health plans that provide or pay for the cost of medical care, including employer-sponsored group health plans and government programs.
- Health care clearinghouses that convert nonstandard health information to standard formats (and vice versa) to support administrative simplification.
Health Care Providers
Health care providers become covered entities when they transmit electronic health information related to HIPAA-covered transactions. This group includes physicians, clinics, hospitals, dentists, pharmacies, laboratories, chiropractors, psychologists, nursing facilities, and home health agencies.
When a provider is covered
If you submit claims, eligibility checks, referrals, prior authorizations, or remittance files electronically, HIPAA applies. Even small practices that use an EHR, e-prescribe, or send claims through a billing service are typically subject to HIPAA.
Key obligations for providers
- Safeguard protected health information using administrative, physical, and technical controls.
- Use standard code sets and identifiers when performing HIPAA-covered transactions to support administrative simplification.
- Sign and manage business associate agreements with outside vendors involved in PHI processing.
Health Plans
Health plans include health insurers, HMOs, employer-sponsored group health plans, and government programs that pay for health care. Examples include commercial insurers and public programs that align with Medicare and Medicaid standards for standard transactions and code sets.
Scope and responsibilities
- Apply privacy and security safeguards to enrollment, premium payment, claims adjudication, and coordination of benefits data.
- Follow health insurance plan regulations and HIPAA transaction standards for electronic exchanges with providers, clearinghouses, and members.
- Limit uses and disclosures of PHI to permissible purposes and issue required notices to members.
Health Care Clearinghouses
Health care clearinghouses are organizations that translate nonstandard health data they receive from another entity into standard HIPAA formats—or the reverse. Examples include claims clearinghouses, medical billing networks, repricing organizations, and community health information systems.
How clearinghouses support compliance
- Convert claims, eligibility, claim status, and remittance data to standard X12 formats to enable HIPAA-covered transactions.
- Meet health care clearinghouse compliance requirements by safeguarding PHI during intake, translation, storage, and transmission.
- Help trading partners meet administrative simplification requirements by enforcing code set and identifier standards.
Examples of Covered Entities
- Health care providers: a physician group that submits electronic claims, a hospital using an EHR, a retail pharmacy e-prescribing and billing payers.
- Health plans: a self-funded employer group health plan, an HMO, or a government health program that processes eligibility and claims electronically.
- Health care clearinghouses: a claims clearinghouse translating provider files to payer-standard formats and returning electronic remittance advice.
Conclusion
A HIPAA covered entity is a provider, plan, or clearinghouse that conducts HIPAA-covered transactions electronically and handles protected health information. By following administrative simplification standards, especially for privacy, security, and electronic transactions, you reduce risk, streamline operations, and meet expectations tied to Medicare and Medicaid standards and broader health insurance plan regulations.
FAQs
What qualifies an entity as a HIPAA covered entity?
An entity qualifies if it is a health care provider, health plan, or health care clearinghouse that creates, receives, maintains, or transmits PHI and conducts HIPAA-covered transactions electronically, such as claims submission, eligibility checks, or remittance processing.
What are the main types of HIPAA covered entities?
The three types are health care providers (that perform electronic standard transactions), health plans (including group health plans and government programs), and health care clearinghouses (which convert nonstandard data to standard formats and vice versa).
How do health care clearinghouses function under HIPAA?
Clearinghouses translate and route health information between providers and plans, converting files to HIPAA standard formats, enforcing code sets and identifiers, and protecting PHI in transit and at rest to meet health care clearinghouse compliance requirements.
What examples illustrate typical covered entities?
Typical examples include a dental clinic sending electronic claims, an HMO processing member eligibility, a self-funded employer group health plan exchanging enrollment data, and a claims clearinghouse delivering standardized claim status and remittance files.