What Is a HIPAA Covered Entity? Plus How Hybrid Entities and OHCAs Work

Kevin Henry

HIPAA

February 01, 2024


If you work with patient information, you need to know whether you are a HIPAA covered entity. This determines which parts of the HIPAA Privacy Rule and Security Rule apply to you, how you handle Electronic Protected Health Information (ePHI), and what contracts and safeguards you must have in place.

Below, you’ll learn the precise definition of a covered entity, how the three categories differ, how hybrid entities and Organized Health Care Arrangements (OHCAs) operate, and the core compliance steps tied to HIPAA’s Administrative Simplification activities.

Definition of HIPAA Covered Entities

A HIPAA covered entity is an organization that (1) is a health plan, a health care clearinghouse, or a health care provider, and (2) transmits health information electronically in connection with standard administrative transactions (such as claims, eligibility inquiries, or remittance advice). Coverage is based on the functions you perform—not your industry label alone.

HIPAA uses two key concepts. Protected Health Information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in any form (oral, paper, or electronic), with narrow exclusions such as employment records held by an employer in its role as employer and education records covered by FERPA. Electronic Protected Health Information (ePHI) is the subset of PHI that is created, received, maintained, or transmitted electronically. The HIPAA Privacy Rule governs PHI in every form, while the Security Rule sets specific safeguards for ePHI.

In practice, if your routine operations include standard transactions—directly or through a billing service or health care clearinghouse—you are likely a covered entity for those activities.

Categories of Covered Entities

Health plans

Health plans include health insurers, HMOs, government programs that pay for health care (for example, Medicare and Medicaid), and employer-sponsored group health plans, whether insured or self-funded. The common exclusion is a group health plan with fewer than 50 participants that is administered solely by the employer that established it. Their covered functions revolve around paying for, arranging, or reimbursing the cost of care.

Health care providers

Health care providers become covered entities when they transmit health information electronically in standard transactions. This category spans physicians, dentists, therapists, pharmacies, clinical laboratories, hospitals, and telehealth providers that submit electronic claims or eligibility checks.

Health care clearinghouses

Health Care Clearinghouses convert nonstandard health information from one entity into standard formats (and vice versa). Examples include medical billing services and repricing organizations that translate data for claims and remittance processing. Clearinghouses are covered entities by definition, even when they serve other covered entities as business associates.

Understanding Hybrid Entities

A hybrid entity is a single legal entity that performs both HIPAA-covered and non-covered functions. To comply, it must formally identify its Covered Functions and designate its Health Care Components—also called Designated Health Care Components—that will follow HIPAA requirements.


Designated Health Care Components (DHCC)

  • Only the DHCCs must comply with the Privacy and Security Rules; the non-health components are outside those rules. The hybrid entity as a whole remains the covered entity, however, and is the party legally responsible for compliance and for any penalties.
  • Hybrid entities must implement safeguards (policy “firewalls,” role-based access, and separation of systems where reasonable) so non‑health components cannot impermissibly access PHI.
  • A non‑health component that performs support services involving PHI for a DHCC (for example, IT, analytics, or HR support) cannot sign a Business Associate Agreement with its own legal entity. The hybrid entity must instead include that component in its health care component designation, which brings the support function under the Privacy and Security Rules. Outside vendors performing the same services still require a BAA.

Practical examples

  • A university that operates a medical center designates the hospital and clinics as DHCCs while keeping academic departments outside HIPAA’s scope.
  • A city government that runs an employee clinic treats that clinic as a DHCC; other city offices remain non‑covered.
  • An organization that also runs a Health Information Exchange (HIE) designates the HIE as a DHCC if it performs clearinghouse‑like data translation; otherwise, the HIE typically functions as a business associate to participating covered entities.

Role of Organized Health Care Arrangements

An Organized Health Care Arrangement (OHCA) is a legally recognized arrangement in which two or more covered entities participate in joint activities to deliver or manage care. Common OHCAs include a hospital and its medical staff, or a clinically integrated network of providers collaborating on quality improvement and shared operations.

What OHCAs allow

  • Participants may share PHI for the OHCA’s treatment, payment, and health care operations without BAAs between the participants for those specific purposes.
  • The OHCA can issue a joint Notice of Privacy Practices, simplifying transparency for patients who receive care from multiple participants.
  • Joint operational functions—such as utilization review, quality assessment, and population health initiatives—can rely on shared PHI within the OHCA’s scope.

What OHCAs do not change

  • Participants remain separate covered entities with their own compliance obligations and liability.
  • Sharing PHI beyond the OHCA’s treatment, payment, and operations requires another legal basis (authorization or a BAA with a third party).
  • Using an HIE for data exchange does not, by itself, create an OHCA; the HIE typically acts as a business associate to the participants.

Compliance Requirements for Covered Entities

Governance and documentation

  • Adopt written Privacy Rule and Security Rule policies and procedures; review and update them when operations, systems, or risks change.
  • Maintain records of risk analyses, training, incident response, sanctions, and Business Associate Agreements with vendors, subcontractors, and HIEs that handle PHI.

Security safeguards for ePHI

  • Administrative safeguards: risk analysis and risk management, workforce security, contingency planning, and vendor oversight.
  • Physical safeguards: facility access controls, workstation/device protections, and secure media handling and disposal.
  • Technical safeguards: unique user IDs, multi‑factor authentication where feasible, role‑based access, audit logs, integrity controls, and encryption of ePHI in transit and at rest when reasonable and appropriate.

Privacy operations

  • Provide a clear Notice of Privacy Practices and honor individual rights (access, amendments, restrictions, and confidential communications).
  • Apply the minimum necessary standard to payment and health care operations; use and disclose PHI for treatment, payment, and operations as permitted, and obtain authorizations when required.
  • Execute and manage Business Associate Agreements; ensure downstream subcontractors also sign BAAs when they receive PHI.

Incident response and breach notification

  • Implement processes to identify, investigate, and document security incidents and privacy violations.
  • Treat an impermissible use or disclosure of PHI as a presumed breach unless a documented four‑factor risk assessment shows a low probability that the PHI was compromised; notify affected individuals (and HHS, and for large breaches the media) without unreasonable delay and no later than 60 calendar days after discovery.

Privacy Rule Implications

The HIPAA Privacy Rule permits covered entities to use and disclose PHI for treatment, payment, and health care operations without authorization, and to disclose PHI when required by law. Disclosures for treatment are not subject to the minimum necessary standard; payment and operations are.

Individuals have rights to access their PHI (including ePHI) in the requested form and format if readily producible, obtain an accounting of certain disclosures, request amendments, and seek reasonable restrictions and confidential communications. You must act on access requests within 30 calendar days (one 30‑day extension is permitted if you give the individual written notice of the reason) and may charge only a reasonable, cost‑based fee.

De‑identification reduces privacy risk and facilitates data sharing. You may use either expert determination (a qualified expert documents that the risk of re‑identification is very small) or the “safe harbor” method, which removes 18 specified identifiers of the individual and of the individual’s relatives, employers, and household members, and requires that you have no actual knowledge the remaining data could identify the individual. Limited data sets, which retain some dates and geographic detail, may be shared under a data use agreement for research, public health, and health care operations.
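The safe‑harbor method is mechanical enough to show in code. The following is an added example, not code from this article or from Accountable: a Python de‑identifier that drops the direct‑identifier fields, reduces ZIP codes to three digits (or 000 for small‑population prefixes), keeps only the year of patient‑related dates, collapses ages over 89 into a 90+ category, and scrubs a few identifier shapes from free text. The record field names, the small‑population ZIP set, the regexes and the two sample records are all assumptions constructed for the example.

```python
import re
from datetime import date

# The 18 identifier categories of 45 CFR 164.514(b)(2), mapped onto assumed
# field names of a flat patient record. Dates and ZIP get special handling.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Non-identifying fields allowed through; anything not listed is dropped
# (allowlist, so a newly added field never leaks by default).
PASSTHROUGH = {"sex", "state", "diagnosis_codes", "procedure_codes"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# CONSTRUCTED stand-in: the real set is derived from Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Identifier shapes that leak into free text (constructed, minimal regexes).
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless that prefix covers a small population."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, placeholder in TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a de-identified copy of `record` under the safe-harbor method."""
    out = {}
    age = age_on(record["birth_date"], as_of) if "birth_date" in record else None
    over_89 = age is not None and age > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # removed outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            # A birth year for someone over 89 would reveal the age; drop it too.
            if not (field == "birth_date" and over_89):
                out[field + "_year"] = value.year
        elif field == "notes":
            out["notes"] = scrub_text(value)
        elif field in PASSTHROUGH:
            out[field] = value
        # any other field is unreviewed and is dropped (fail closed)
    if age is not None:
        out["age"] = "90+" if over_89 else age
    return out


AS_OF = date(2024, 2, 1)
SAMPLE_ELDERLY = {  # constructed record, not real data
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-00042",
    "email": "jane@example.com", "street_address": "1 Main St",
    "city": "Springfield", "state": "NH", "zip": "03601", "sex": "F",
    "birth_date": date(1931, 6, 15), "admission_date": date(2023, 11, 2),
    "diagnosis_codes": ["E11.9"], "favorite_color": "blue",
    "notes": "Call 555-123-4567 re: labs; prior SSN 123-45-6789 on file. Seen 11/02/2023.",
}
SAMPLE_YOUNG = {  # constructed record, not real data
    "name": "John Roe", "state": "MA", "zip": "02139", "sex": "M",
    "birth_date": date(1990, 3, 20), "diagnosis_codes": ["J06.9"],
}

if __name__ == "__main__":
    for sample in (SAMPLE_ELDERLY, SAMPLE_YOUNG):
        print(safe_harbor(sample, AS_OF))
```

The allowlist for pass‑through fields is deliberate: the last safe‑harbor category, “any other unique identifying number, characteristic, or code,” means an unreviewed field should be dropped rather than kept. The free‑text regexes catch only a few obvious shapes; clinical notes also carry names, relatives and rare conditions that pattern matching misses, which is why free text normally goes through a dedicated de‑identification tool or expert determination rather than this kind of scrub.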

When participating in a Health Information Exchange, ensure your sharing aligns with permitted purposes, respects patient preferences, and is supported by BAAs and appropriate role‑based access controls.

Administrative Simplification Activities

Standard transactions and code sets

  • Adopt standard electronic transactions (for example, claims, eligibility, claim status, remittance, referrals/authorizations, enrollment, and premium payment) to streamline exchange with payers and clearinghouses.
  • Use standard medical code sets (for example, ICD‑10, CPT/HCPCS, CDT, and NDC) to ensure consistent billing and analytics.

Unique identifiers and operating rules

  • Use the National Provider Identifier (NPI) for providers and the Employer Identification Number (EIN) where required; align with adopted operating rules to enhance interoperability and reduce friction.
  • Coordinate with Health Care Clearinghouses and trading partners to test, monitor, and remediate transaction errors efficiently.

Conclusion

In short, a HIPAA covered entity is defined by its role—health plan, provider, or clearinghouse—and whether it conducts standard electronic transactions. Hybrid entities must ring‑fence Designated Health Care Components, while OHCAs enable multiple covered entities to share PHI for joint care operations. Sound governance, Business Associate Agreements, and robust safeguards for ePHI keep you compliant with the HIPAA Privacy Rule and the broader Administrative Simplification framework.

FAQs

What activities define a HIPAA covered entity?

You’re a covered entity if you are a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in standard administrative transactions (such as claims, eligibility, remittance, or authorizations). Coverage is tied to those Covered Functions, even if other parts of your organization do different work.

How do hybrid entities comply with HIPAA?

They formally identify Covered Functions, designate their Designated Health Care Components, and apply HIPAA Privacy and Security Rule requirements to those components. Hybrid entities implement policy and technical “firewalls,” train the workforce of the designated components, and fold any internal support function that would be a business associate if it were a separate legal entity (IT, analytics, HR support that touches PHI) into the health care component designation; Business Associate Agreements are reserved for outside vendors, since an entity cannot contract with itself.

What is the purpose of an OHCA?

An OHCA lets separate covered entities coordinate treatment, payment, and health care operations using shared PHI under a joint framework. Participants can issue a joint Notice of Privacy Practices and operate collaboratively without BAAs between them for those OHCA‑specific purposes, while remaining individually responsible for HIPAA compliance.

How does HIPAA apply to health care clearinghouses?

Health Care Clearinghouses are covered entities by definition. They must safeguard ePHI under the Security Rule, follow the Privacy Rule for permitted uses and disclosures, support standard transactions and code sets, and often act as business associates to providers or plans under BAAs when processing PHI on their behalf.
