What Is Considered a Covered Entity Under HIPAA? Examples and Requirements
Health Plans as Covered Entities
Under HIPAA’s Administrative Simplification provisions, “health plans” are covered entities that pay for or provide the cost of medical care. This includes health insurance issuers, HMOs, government programs (such as Medicare and Medicaid), and many employer-sponsored group health plans. The plan—not the employer—is the covered entity.
Group health plans with fewer than 50 participants that are self-administered are generally not treated as HIPAA “health plans.” If a plan uses a third party to administer benefits or conducts Electronic Health Transactions, it falls squarely within covered entity status and must ensure Covered Entity Compliance.
Common health plan examples
- Commercial health insurers and HMOs
- Medicare Advantage organizations and prescription drug plans
- Medicaid managed care organizations and state programs
- Employer-sponsored group health plans (including self-funded plans administered by a TPA)
Plan-specific compliance focus
- Limit employer access to Protected Health Information (PHI) to plan administration functions.
- Issue a Notice of Privacy Practices and honor member rights (access, amendments, restrictions, and confidential communications).
- Use standard code sets and identifiers and support required Electronic Health Transactions.
Health Care Providers' Roles
A health care provider becomes a covered entity if it transmits health information electronically in connection with a standardized transaction (for example, claims, eligibility checks, or e-prescribing). Most hospitals, clinics, and practices meet this threshold, even if they also accept cash payments.
Providers must safeguard PHI in records and systems, disclose only what is necessary, and give patients timely access to their information. If you outsource billing, transcription, or cloud EHR hosting, you must have business associate agreements that bind those vendors to HIPAA obligations.
Provider examples
- Hospitals, physician practices, community health centers, and ambulatory surgery centers
- Dentists, chiropractors, therapists, and behavioral health providers
- Pharmacies, laboratories, imaging centers, and home health agencies
Operational priorities
- Post and distribute a Notice of Privacy Practices and obtain authorizations when required.
- Apply the minimum necessary standard for routine disclosures and implement role-based access.
- Maintain audit controls, secure messaging, and contingency plans for EHR downtime.
Health Care Clearinghouses Explained
Health care clearinghouses are organizations that convert nonstandard health information they receive from another entity into a standard format—or the reverse—for electronic transactions. Because they standardize data for claims and related exchanges, they are covered entities under HIPAA.
Examples include billing services, repricing companies, EDI gateways, and entities that translate claims, eligibility, or remittance files. A Health Information Exchange (HIE) may function as a clearinghouse if it translates or standardizes data between parties; otherwise, an HIE typically acts as a business associate.
Clearinghouse compliance essentials
- Separate clearinghouse functions from other lines of business or designate a hybrid entity structure.
- Protect PHI during intake, translation, routing, and storage with strict access controls and monitoring.
- Support standardized Electronic Health Transactions to enable Administrative Simplification.
HIPAA Privacy Rule Compliance
The HIPAA Privacy Rule governs how covered entities use and disclose PHI in any form. PHI is individually identifiable health information relating to health status, care, or payment, created or received by a covered entity or its business associate. De-identified data falls outside the rule.
Covered entities may use or disclose PHI without authorization for treatment, payment, and health care operations, and for specified public interest purposes. You must apply the minimum necessary standard, issue a Notice of Privacy Practices, and honor patient rights to access, amend, and receive an accounting of disclosures.
When working with vendors, you must execute business associate agreements that define permitted uses of PHI and require comparable safeguards. Disclosures should be tracked when required, and policies must clearly address incidental disclosures and workforce sanctions.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
HIPAA Security Rule Requirements
The HIPAA Security Rule protects electronic PHI (ePHI). It requires a documented risk analysis and risk management process, supported by administrative, physical, and technical safeguards. Your goal is to ensure the confidentiality, integrity, and availability of ePHI.
Administrative safeguards
- Risk analysis and ongoing risk management
- Security official, workforce training, and sanction policies
- Contingency planning, including backups and disaster recovery
Physical safeguards
- Facility access controls and visitor management
- Device and media controls, secure disposal, and encryption at rest where reasonable and appropriate
Technical safeguards
- Unique user IDs, multi-factor authentication, and automatic logoff
- Audit controls, integrity monitoring, and transmission security (encryption in transit)
- Access control based on least privilege and role
Covered Entity Responsibilities
Beyond day-to-day privacy and security operations, covered entities must support HIPAA’s Administrative Simplification goals: standard identifiers, code sets, and Electronic Health Transactions. You should maintain policies and documentation for at least six years and update them as your systems and risks evolve.
- Designate privacy and security officials and maintain a governance framework.
- Execute and manage business associate agreements and oversee vendor performance.
- Implement minimum necessary policies, role-based access, and secure data sharing, including via Health Information Exchange networks.
- Monitor, detect, and respond to incidents; perform breach assessment and notification without unreasonable delay if required.
- Conduct periodic audits and training to ensure ongoing Covered Entity Compliance.
Examples of Covered Entities
Health plans
- Commercial insurers, HMOs, and pharmacy benefit programs attached to a health plan
- Medicare Advantage and Part D plans; Medicaid programs and managed care
- Employer group health plans, including self-funded plans administered by a TPA
Health care providers (if they conduct standard electronic transactions)
- Hospitals, clinics, and physician practices
- Dentists, psychologists, physical and occupational therapists
- Pharmacies, labs, imaging centers, and DME suppliers
Health care clearinghouses
- Claims clearinghouses and repricing companies
- EDI gateways that translate eligibility, claim status, and remittance files
What is typically not a covered entity
- Employers (in their role as employers), life insurers, workers’ compensation carriers, and schools—unless they separately perform covered entity functions
- HIE organizations acting purely as data exchange utilities; these are usually business associates unless they perform clearinghouse activities
Conclusion
Under HIPAA, covered entities are health plans, health care providers that perform standard electronic transactions, and health care clearinghouses. If you fit one of these categories, align your Privacy Rule and Security Rule programs, standardize electronic transactions, and maintain strong vendor and incident management to protect PHI end to end.
FAQs
What entities qualify as covered entities under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standardized transactions (such as claims, eligibility checks, or e-prescribing). Organizations outside these categories may still be business associates if they handle PHI on behalf of a covered entity.
How do health care providers comply with HIPAA?
Providers comply by conducting a risk analysis, implementing Security Rule safeguards, applying Privacy Rule standards (minimum necessary, authorizations, and patient rights), using standard identifiers and code sets for Electronic Health Transactions, training staff, and managing vendors through business associate agreements.
What are the responsibilities of health plans under HIPAA?
Health plans must protect PHI, issue a Notice of Privacy Practices, limit employer access to PHI to plan administration, standardize transactions and code sets, maintain policies and documentation, manage business associates, and investigate and notify as required following any breach affecting members.
Can clearinghouses be considered covered entities?
Yes. A clearinghouse that translates, formats, or routes health data to or from standard transaction formats is a covered entity. If an HIE or other intermediary performs these standardization functions, it may be a clearinghouse; otherwise, it typically operates as a business associate.