What Organizations Are Covered Under HIPAA? Covered Entities and Business Associates Explained
Understanding what organizations are covered under HIPAA helps you determine who must protect Protected Health Information and how responsibilities differ. This guide explains covered entities, business associates, and practical boundaries so you can strengthen HIPAA Compliance and Health Information Privacy.
Identifying Covered Entities
Under HIPAA, a covered entity is one of three types: a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with standard transactions. If your organization falls into any of these categories, Covered Entity Requirements apply and PHI Safeguarding is mandatory.
Covered transactions are the standard electronic administrative exchanges defined in 45 CFR Part 162: claims and encounters, eligibility and benefits inquiries, prior authorizations and referrals, claim status, payment and remittance advice, enrollment and disenrollment, premium payment, and coordination of benefits. If you send or receive any of these electronically, you are in HIPAA's scope, and that remains true when a billing service or clearinghouse submits them on your behalf.
Being a covered entity triggers obligations to limit uses and disclosures of PHI to the minimum necessary (with exceptions, notably disclosures to a provider for treatment, disclosures to the individual, and disclosures made under a valid authorization), to implement administrative, physical, and technical safeguards for electronic PHI, to maintain policies and train the workforce, and, for providers and plans, to provide a Notice of Privacy Practices and to process individual rights requests such as access and amendment.
Defining Health Plans
A health plan is any individual or group plan that provides or pays the cost of medical care. The plan—not the sponsoring employer—is the covered entity. Common examples include:
- Health insurers and HMOs.
- Employer-sponsored group health plans and self-funded plans.
- Government programs such as Medicare, Medicaid, and similar public coverage.
- Medicare Advantage and Part D plan sponsors and prescription drug plans.
Certain lines of coverage are not HIPAA health plans: workers' compensation, automobile or other liability coverage that pays for care only incidentally, and many property and casualty plans. A group health plan with fewer than 50 participants that is administered solely by the sponsoring employer is also excluded from the definition. When an employer sponsors coverage, the plan is the covered entity, while the employer acting as employer is not, although the plan documents must restrict what PHI the employer may receive and for what purposes.
Recognizing Healthcare Providers
Healthcare providers include individuals and organizations that furnish, bill for, or are paid for health care—physicians, dentists, psychologists, pharmacies, hospitals, labs, clinics, and telehealth practices. A provider becomes a covered entity when it transmits health information electronically in a standard transaction (for example, electronic claims or eligibility checks).
Most providers meet this threshold today. A provider that never conducts a standard transaction electronically (for example, a cash-only practice that submits no claims to any payer) can fall outside HIPAA, but that is uncommon in practice, and it does not exempt the provider from state privacy law or from a business associate agreement it signs with another covered entity. Once covered, a provider must safeguard PHI, implement security controls, and comply with the Privacy, Security, and Breach Notification Rules.
Understanding Healthcare Clearinghouses
Healthcare clearinghouses process nonstandard health information they receive from another entity into a standard format (or vice versa). Examples include billing services, repricing companies, health information networks/switches, and community health management information systems.
Clearinghouses are covered entities when performing these functions, even though they do not deliver care. In practice a clearinghouse almost always receives PHI from providers and plans in order to convert it, so it is typically also a business associate of those clients and must sign a Business Associate Agreement with each of them; the two roles apply at the same time.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Defining Business Associates
A business associate is any person or organization, outside the covered entity's workforce, that creates, receives, maintains, or transmits PHI while performing a function or service for or on behalf of a covered entity. Since the 2013 Omnibus Rule this also includes anyone performing such a function for or on behalf of another business associate, so Subcontractor Obligations flow down: a subcontractor that handles PHI for a business associate is itself a business associate and is directly liable under the Security Rule and the applicable Privacy Rule provisions.
Typical business associates include claims processors and revenue cycle vendors; EHR, cloud hosting, data storage, backup, and analytics providers; e-prescribing and HIE/HIO services; legal, actuarial, accounting, consulting, accreditation, and auditing firms when they access PHI; IT support, call centers, mail-house/shredding vendors, and transcription services. A cloud provider that stores PHI is a business associate even if the data is encrypted and the provider never holds the key. By contrast, a mere conduit that only transports data transiently without storing it (the postal service, a courier, or an ISP carrying traffic) is generally not a business associate; HHS treats this exception narrowly.
Note that workforce members of a covered entity (employees, volunteers, trainees, and others under its direct control) are not business associates. Disclosures between providers for treatment do not require Business Associate Agreements, nor do disclosures to a health plan for payment, but non-treatment services by third parties that involve PHI typically do.
Detailing Business Associate Agreements
Before PHI is disclosed to a business associate, the parties must execute a Business Associate Agreement (BAA). A BAA sets the permitted uses and disclosures, prohibits any use or disclosure beyond what the contract or the law allows, and requires PHI Safeguarding aligned with the Security Rule for electronic PHI. It also obligates the business associate to support the covered entity's Privacy Rule duties, such as responding to access, amendment, and accounting requests, and to report breaches of unsecured PHI and other security incidents to the covered entity.
Effective BAAs typically include the following:
- Scope of services and the specific PHI involved.
- Permitted uses/disclosures and minimum necessary standards.
- Administrative, physical, and technical safeguards; risk management; and workforce training.
- Breach and security incident reporting without unreasonable delay (HIPAA caps business associate breach notification at 60 days after discovery; many BAAs negotiate a much shorter window), plus cooperation on investigation and notification.
- Subcontractor Obligations requiring downstream BAAs for any subcontractors that handle PHI.
- Access, amendment, accounting support, and record retention to enable HIPAA Compliance.
- Return or destruction of PHI upon termination where feasible (and continued protection where it is not), the covered entity's right to terminate for a material breach, availability of the business associate's books and records to HHS, and contractual rights to audit or receive assurances.
Clarifying Entities Not Covered by HIPAA
HIPAA does not cover every organization that touches health-related data. Commonly excluded entities include employers acting in their employer role, life insurers, workers' compensation carriers, law enforcement agencies, and most schools and school districts, where FERPA rather than HIPAA governs student records. Many consumer apps, wearables, and wellness services that collect data directly from individuals are outside HIPAA unless they act on behalf of a covered entity; the same data becomes PHI as soon as it is held by or for a covered entity, so the controlling question is who the data is handled for, not what the data is.
Some organizations are “hybrid entities” (for example, a university or city with a hospital). Only their designated health care components are covered entities; other components are not. When in doubt, map your functions: if you are not a health plan, clearinghouse, or provider conducting standard electronic transactions—and you are not performing PHI-related services for one—you are likely outside HIPAA.
Conclusion
To determine what organizations are covered under HIPAA, ask two questions: are you a health plan, healthcare clearinghouse, or a provider conducting standard electronic transactions; or do you perform PHI-related services for one of them? If yes, you must meet Covered Entity Requirements or sign and honor Business Associate Agreements, implement safeguards, and uphold Health Information Privacy across your operations.
FAQs
What are the criteria for an organization to be a covered entity under HIPAA?
Your organization is a covered entity if it is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with standard administrative transactions. Meeting this threshold brings Privacy and Security Rule duties to safeguard Protected Health Information.
How do business associates differ from covered entities?
Covered entities are the health plans, healthcare providers, and clearinghouses that HIPAA regulates directly; business associates are third parties that perform services or functions for covered entities (or for other business associates) involving PHI. Business associates are bound by their BAAs and are directly liable for Security Rule compliance and for the Privacy Rule provisions that apply to them, but they do not become covered entities unless they also operate as a plan, provider, or clearinghouse in their own right.
What types of organizations must sign business associate agreements?
Any vendor or subcontractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity—such as cloud hosts, EHR providers, billing and coding firms, analytics and backup vendors, legal or audit advisors accessing PHI, call centers, and shredding or mailing services—must sign Business Associate Agreements that specify HIPAA Compliance obligations.
What entities are explicitly excluded from HIPAA coverage?
Employers in their employer role, life insurers, workers’ compensation and many property/casualty insurers, most schools/school districts (where FERPA applies), law enforcement agencies, and many direct-to-consumer apps and wearables are not covered by HIPAA unless they act on behalf of a covered entity. Always assess function and data flow to confirm scope.