Which of the Following Is Not a Covered Entity Under HIPAA? (Examples and Quick Answer)


Kevin Henry

HIPAA

July 27, 2025


Quick answer: Employers, law enforcement agencies, most schools (when records are subject to FERPA), life and disability insurers, workers’ compensation and auto insurers, banks and credit card processors, personal injury law firms, consumer fitness and wellness apps, and many state agencies are not covered entities under HIPAA. They may still handle health data, but HIPAA regulations generally do not apply to them unless they operate or support a health plan, a qualifying health care provider, or a health care clearinghouse.

To decide which of the following is not a covered entity under HIPAA, start by checking the covered entity criteria: Does the organization act as a health plan, a health care clearinghouse, or a health care provider that performs standard electronic transactions? If not, HIPAA usually does not apply directly.

HIPAA Covered Entities Defined

Under HIPAA regulations, “covered entity” is a functional concept, not a label that follows every health-adjacent organization. An entity is covered if it is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider that transmits health information electronically in connection with standard transactions. Business associates are regulated too, but they are not covered entities.

The three categories of covered entities

  • Health plans: Insurers, HMOs, government programs like Medicare and Medicaid, and employer-sponsored group health plans.
  • Health care providers: Any provider that conducts standard electronic transactions (for example, claims, eligibility, referrals) with a health plan.
  • Health care clearinghouses: Organizations that translate nonstandard data to standard formats and vice versa.

Hybrid organizations (such as a state university with a hospital) can designate covered components; only those components must comply. Everyone else—vendors, apps, or agencies—must fit one of the categories above to be a covered entity.

Health Plans as Covered Entities

Health plans are covered because they finance or arrange medical benefits. This includes individual and group health insurance, HMOs, Medicare, Medicaid, Medicare Advantage, and employer-sponsored group health plans (including self-funded plans). Employee assistance programs and certain health FSAs can also be health plans.

What’s not a health plan

  • Life and disability insurers (when providing those lines only).
  • Workers’ compensation, auto, or property/casualty insurers.
  • Employers themselves (the plan is covered; the employer is not).

Third-party administrators and benefits platforms typically act as business associates to health plans. They must protect PHI, but they are not covered entities unless they independently qualify as a health plan or clearinghouse.

Health Care Providers and Electronic Transmission

A health care provider becomes a covered entity only if it transmits health information electronically in connection with standard HIPAA transactions. Using an EHR or emailing a patient is not enough by itself; the trigger is conducting transactions like claims submission, eligibility checks, remittance advice, referrals, or prior authorizations in electronic form.

Provider scenarios

  • Covered: A physician who submits claims electronically to a health plan.
  • Covered: A pharmacy that bills plans electronically.
  • Not covered: A cash-only clinic that never conducts standard transactions electronically (though state laws may still apply).

If a provider routes transactions through a billing service or clearinghouse, it still counts as electronic transmission. The operational reality—not job title—determines coverage.

Role of Health Care Clearinghouses

Health care clearinghouses convert nonstandard data to standard formats (and back) to connect providers and health plans. Because they routinely process PHI for transactions, clearinghouses are covered entities by definition.

Some billing or revenue cycle firms function as business associates if they do not perform data translation. If they do translation or standardization, they are clearinghouses and therefore covered entities.


Examples of Non-Covered Entities

Here are common organizations that, standing alone, do not meet covered entity criteria—even though they might interact with health data:

  • Employers and most HR departments (separate from the group health plan).
  • Law enforcement agencies and courts.
  • Most schools and universities for student education records (typically governed by FERPA, not HIPAA).
  • Life, disability, workers’ compensation, and auto insurers.
  • Banks, credit unions, and credit card processors handling medical payments.
  • Consumer fitness trackers, wellness apps, personal health record apps, and many direct-to-consumer genetic or lab testing services when not acting on behalf of a covered entity.
  • Personal injury attorneys and data brokers.
  • Many state or local agencies that do not operate a health plan, clearinghouse, or qualifying provider function.

These entities may still be subject to other privacy laws or contracts, but they are not covered entities under HIPAA.

Distinguishing Employers and Law Enforcement

Employers are not covered entities. The employer’s HR files are not PHI, and the privacy of health information an employer holds is generally governed by employment, disability, and genetic information laws, not HIPAA. However, the employer’s group health plan is a covered entity; the plan can share only limited data with the plan sponsor and must keep plan PHI walled off from routine HR use.

Law enforcement agencies are also not covered entities. HIPAA permits certain disclosures to them (for example, to comply with a court order or to report specific incidents), but those permissions regulate the disclosing covered entity, not the police. This is the core difference between being a covered entity and being allowed to receive data from one in narrow circumstances.

Non-Covered State Agencies and Schools

Many state agencies are outside HIPAA unless they run a health plan, a public hospital/clinic, or a clearinghouse. Public health departments, social services, and licensing boards are often described as exempt in the sense that they are not covered entities, but HIPAA still allows covered entities to disclose limited PHI to them for public health or oversight purposes.

Most schools are not covered entities because student education records fall under FERPA. A school-based clinic that bills a health plan electronically, however, is a covered provider for those treatment and billing records. The same school may therefore be a “hybrid entity,” with HIPAA applying to the clinic component while FERPA covers student records.

Conclusion

When you ask, “Which of the following is not a covered entity under HIPAA?” remember the simple test: Only health plans, health care clearinghouses, and providers that conduct standard electronic transactions are covered. Employers, law enforcement, most schools, many insurers outside health coverage, and consumer apps are generally not—though other laws and contracts may still protect the data they hold.

FAQs

What criteria determine a HIPAA covered entity?

An organization is a covered entity if it is a health plan, a health care clearinghouse, or a health care provider that conducts standard electronic transactions (claims, eligibility, referrals, remittances, and similar). These covered entity criteria focus on functions and electronic transactions, not on whether the entity merely handles health-related information.

Which agencies are exempt from HIPAA coverage?

Agencies that do not operate a health plan, clearinghouse, or qualifying provider function—such as police, courts, child welfare, and many public health or licensing bodies—are generally not covered entities. Some are hybrid entities with specific components subject to HIPAA, and HIPAA permits limited disclosures to them for public health, oversight, or law enforcement needs.

How do employers handle protected health information?

The employer itself is not a covered entity; its HR records are not PHI. The employer’s group health plan is a covered entity, and plan PHI must be segregated and used only for plan administration. Outside the plan, employers typically rely on employee authorizations and follow other laws (like disability and genetic information rules) to protect health data received for work purposes.
