Which Organizations Are Covered Under HIPAA? Practical Guide with Definitions and Tests


Kevin Henry

HIPAA

January 24, 2025


If you are asking, “Which organizations are covered under HIPAA?”, you are really looking for a precise Covered Entity Definition and a practical way to apply it. This guide explains the three covered-entity types, clarifies the role of business associates, and gives you step-by-step tests to determine status under the HIPAA Privacy Rule and HIPAA Security Rule.

Definition of Covered Entities

Under HIPAA’s Administrative Simplification provisions, a covered entity is one of the following:

  • Health plan — An individual or group plan that provides or pays the cost of medical care.
  • Health care clearinghouse — An organization that converts health information between nonstandard and standard formats for billing and related transactions.
  • Health care provider — A provider that transmits health information electronically in connection with standard transactions (for example, claims or eligibility checks).

HIPAA protects Protected Health Information (PHI), including Electronic Protected Health Information (ePHI), held or transmitted by covered entities and their business associates. The Privacy Rule governs permissible uses and disclosures and patient rights; the Security Rule sets administrative, physical, and technical safeguards for ePHI.

Categories of Covered Health Plans

“Health plan” is broad and function-based: if a plan pays for medical care, it is generally covered. Common categories include:

  • Commercial carriers and HMOs — Health insurance issuers and health maintenance organizations that underwrite or administer health benefits.
  • Employer-sponsored group health plans — Self-funded or fully insured plans. A group health plan is a covered entity if it has 50 or more participants, or if it is administered by an entity other than the employer.
  • Government programs — Medicare, Medicaid, Medicare Advantage, Children’s Health Insurance Program, TRICARE, and similar programs that pay for health care.
  • Other plan types — Multiemployer plans, church plans, and issuers of Medicare supplemental policies.

Typical exclusions and edge cases

  • Plans providing only “excepted benefits” (for example, accident-only, disability income, certain limited-scope dental or vision offered separately, workers’ compensation, auto medical payment, credit-only, and life insurance) are not HIPAA health plans.
  • Plan sponsors (employers, unions) are not covered entities by virtue of sponsorship alone; the plan itself is.
  • On-site employee clinics usually are not health plans, though they may be providers; analyze the provider test below.

Types of Covered Health Care Providers

A provider is a covered entity only if it conducts standard electronic transactions with a health plan. The definition is functional: it does not matter whether you are an individual practitioner or a large system.

Examples of providers that are covered when they transact electronically

  • Hospitals, physician practices, clinics, FQHCs, telehealth practices
  • Pharmacies and pharmacy benefit operations
  • Dental, vision, chiropractic, behavioral health, physical therapy, DME suppliers, laboratories, imaging centers, home health and hospice

Transactions that trigger coverage

  • Claims and encounters
  • Eligibility inquiries and responses
  • Claim status requests and responses
  • Referrals and prior authorizations
  • Remittance advice and payment

If you only submit paper claims and never use a clearinghouse or vendor to send HIPAA-standard transactions, you may not be a covered entity as a provider. Once those transactions are submitted electronically, whether by you directly or by a vendor on your behalf, coverage attaches.

Role of Health Care Clearinghouses

Health care clearinghouses translate, edit, and route health information between providers and plans. Because they convert nonstandard data to standard formats (and the reverse), clearinghouses are covered entities regardless of whether they deliver care or pay claims.

Common examples include billing services, repricing firms, switch networks, and value-added networks that standardize transactions. Clearinghouses must safeguard PHI/ePHI they create, receive, maintain, or transmit and limit uses and disclosures to those permitted by the HIPAA Privacy Rule.


Business Associates and Their Responsibilities

Business associates are persons or organizations that perform functions or services for a covered entity involving PHI (or ePHI). They are not covered entities solely by virtue of this role, but they are directly liable under HIPAA for certain violations and must sign a Business Associate Agreement (BAA).

Typical business associates

  • IT and cloud service providers, EHR vendors, data centers, backup and email services that store ePHI
  • Billing companies, coding services, revenue cycle and prior-authorization vendors
  • Consultants, actuaries, accountants, attorneys, accreditation bodies handling PHI
  • Health information exchanges and data aggregation services

Core responsibilities

  • Execute and honor BAAs, including subcontractor “flow-down” terms
  • Implement Security Rule safeguards for ePHI; conduct risk analysis and risk management
  • Use and disclose PHI only as permitted; apply the minimum necessary standard where applicable
  • Report breaches and certain security incidents to the covered entity and assist with investigations
  • Support individual rights when delegated (for example, access to ePHI, amendments)

The “conduit” exception is narrow (e.g., postal mail). Most persistent or cloud storage providers maintain ePHI and are business associates even if they never view the data.

Compliance Requirements for Covered Entities

Covered entities must establish a comprehensive compliance program spanning the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. Key obligations include:

Privacy Rule essentials

  • Use/disclose PHI for treatment, payment, and health care operations; obtain authorization for marketing, most sales of PHI, and other nonroutine uses
  • Apply the minimum necessary standard and role-based access controls
  • Provide a Notice of Privacy Practices and honor individual rights (access within 30 days with one 30-day extension, amendment, restrictions where applicable, accounting of disclosures)
  • Identify and comply with more stringent state privacy laws; HIPAA is a floor

Security Rule essentials (for ePHI)

  • Perform an enterprise-wide risk analysis and implement a risk management plan
  • Implement administrative, physical, and technical safeguards (access control, audit controls, integrity, transmission security)
  • Address “required” vs. “addressable” standards; if an addressable control (e.g., encryption) is not implemented, document why and the alternative equivalent measures
  • Develop contingency plans: backup, disaster recovery, and emergency operations

Breach Notification Rule

  • Presume an impermissible use/disclosure is a breach unless a documented risk assessment shows a low probability of compromise
  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS and, for larger breaches, prominent media; log smaller breaches for annual reporting

Program governance and operations

  • Designate a privacy official and a security official; provide workforce training and apply sanctions
  • Maintain BAAs; manage vendors and subcontractors handling PHI/ePHI
  • Adopt written policies and procedures; retain documentation for at least six years
  • Align billing and data flows with Administrative Simplification standards (transactions, code sets, and identifiers such as NPI)

Tests for Determining Covered Entity Status

Three-question screening

  1. Do you provide or pay for medical care? If yes, you may be a health plan.
  2. Do you convert health data between nonstandard and standard formats for others? If yes, you are likely a health care clearinghouse.
  3. Do you furnish health care and send HIPAA-standard transactions electronically (directly or through a vendor/clearinghouse)? If yes, you are a covered health care provider.

Provider “transactions test”

  • If you or your vendor submit electronic claims, eligibility inquiries, claim status checks, remittance advice, or prior authorizations, you are a covered entity provider.
  • If you never conduct these electronically, you may not be covered as a provider; reassess if your processes change.

Health plan scope test

  • Your plan is covered if it pays for medical care (self-funded or insured) and, as noted above, either has 50 or more participants or is administered by an entity other than the employer.
  • If your arrangement offers only excepted benefits (for example, accident-only, disability income, certain standalone dental/vision), it is not a HIPAA health plan.

Clearinghouse function test

  • If your core service is translating, validating, routing, or repricing transactions between providers and plans, you are a clearinghouse and thus a covered entity.

Business associate vs. covered entity

  • If you perform services for a covered entity involving PHI but do not meet a covered entity category yourself, you are a business associate and must execute a BAA and comply with applicable HIPAA requirements.

Hybrid entity analysis

  • Organizations with both covered and noncovered functions (for example, a university with a health clinic) may designate themselves as a hybrid entity so that only the health care component is subject to HIPAA, with appropriate firewalls and policies.

Organized Health Care Arrangement (OHCA)

  • Legally separate covered entities (e.g., a hospital and its medical staff) can form an OHCA to share PHI for joint operations and a single Notice of Privacy Practices; each participant remains a covered entity.

Documentation and next steps

  • Document your determination and rationale, identify PHI/ePHI systems, map data flows, and update BAAs and policies accordingly.
  • Reevaluate status when you add new services, outsource functions, or change transaction methods.

Conclusion

To decide which organizations are covered under HIPAA, apply the Covered Entity Definition to your operations, verify the electronic transactions you conduct, and account for business associate relationships. Once status is clear, implement Privacy Rule and Security Rule controls to protect PHI and ePHI and maintain compliance over time.

FAQs

What entities qualify as covered entities under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. The status depends on what you do (provide/pay for care, convert data formats, or conduct HIPAA-standard transactions), not on your size or tax status.

How do business associates differ from covered entities?

Business associates perform functions or services for a covered entity that involve PHI. They must sign a Business Associate Agreement and are directly liable for Security Rule compliance and certain Privacy Rule obligations, but they are not covered entities unless they independently meet the definition of a health plan, provider (that transacts electronically), or clearinghouse.

What are the compliance obligations for covered entities?

Covered entities must follow the HIPAA Privacy Rule (permitted uses/disclosures, minimum necessary, patient rights), the Security Rule (safeguards for ePHI, risk analysis, access and audit controls), the Breach Notification Rule (timely notifications and documentation), vendor management through BAAs, workforce training, written policies, and documentation retention for six years, all under Administrative Simplification standards.

How can an organization determine if it is a covered entity?

Use a structured test: identify whether you pay for care (health plan), convert data for others (clearinghouse), or furnish care and conduct HIPAA-standard electronic transactions (provider). Exclude arrangements limited to excepted benefits. Consider hybrid entity designation if only part of the organization is covered, and treat vendors handling PHI as business associates with BAAs.
