Which Organizations Are HIPAA Covered Entities? Definitions, Examples, and Requirements


Kevin Henry

HIPAA

January 24, 2025


Defining Covered Entities Under HIPAA

Under HIPAA Administrative Simplification, a “covered entity” is any organization that fits one of three categories and handles Protected Health Information (PHI). Knowing which bucket you fall into is the first step toward Privacy Rule Compliance and Security Rule Requirements.

  • Health plans.
  • Health care clearinghouses.
  • Health care providers who transmit health information electronically in connection with Covered Transactions.

PHI is individually identifiable health information. When PHI is created, received, maintained, or transmitted electronically, it is “ePHI” and must meet the Security Rule Requirements.

Covered Transactions are standardized Electronic Data Interchange (EDI) activities such as claims submission, eligibility inquiries, claim status, remittance advice, enrollment/disenrollment, premium payment, and referral authorizations. If you conduct these electronically, HIPAA applies to you as a covered entity.

Business associates support covered entities (for example, billing, IT, or analytics) but are not themselves covered entities unless they independently qualify (e.g., as a clearinghouse). They must still meet HIPAA obligations through Business Associate Agreements.

Health Plans as Covered Entities

Health plans finance or pay for medical care and are explicitly HIPAA covered entities. If you administer or insure health benefits, you likely fall here.

  • Commercial health insurers and HMOs.
  • Employer-sponsored group health plans (regardless of size).
  • Government programs such as Medicare, Medicaid, and military health plans.
  • Medicare Advantage organizations and Part D sponsors.

The plan—not the employer—is the covered entity. Plan sponsors must erect safeguards so HR or employment functions cannot misuse plan PHI. Some “excepted benefits” are not health plans under HIPAA; see Exclusions from Covered Entity Status below.

Health Care Providers Covered by HIPAA

A provider becomes a HIPAA covered entity when it transmits health information electronically in a Covered Transaction. Most modern practices do this as part of routine operations.

  • Hospitals, physician practices, clinics, and ambulatory surgery centers.
  • Dental, vision, chiropractic, and behavioral health practices.
  • Pharmacies, clinical laboratories, imaging centers, and DME suppliers.
  • Telehealth and remote-care providers engaging in electronic claims or referrals.

Providers that never conduct Covered Transactions electronically (for example, fully paper-based and nonstandard processes) may not be covered entities. In practice, that scenario is rare.

Role of Health Care Clearinghouses

Health care clearinghouses are intermediaries that translate, edit, or route health information between other parties, converting nonstandard data to the standard EDI formats (and vice versa). Because they handle PHI at scale, they are HIPAA covered entities.

  • Data “switches” that route claims and eligibility transactions.
  • Billing and repricing services that standardize or scrub transactions.
  • Entities that validate EDI, map code sets, and return acknowledgments.

When a clearinghouse performs services for a plan or provider, it also functions as a business associate and must meet contractual and regulatory requirements for safeguarding PHI.

Distinguishing Hybrid Entities

Some organizations perform both covered and non-covered functions. A Hybrid Entity Designation lets you formally identify the “health care components” subject to HIPAA while leaving unrelated lines of business outside HIPAA’s scope.

  • Identify the covered components (e.g., a university health clinic or a city’s employee health plan).
  • Document the Hybrid Entity Designation and define boundaries for PHI access and use.
  • Implement administrative, physical, and technical safeguards (“firewalls”) to prevent inappropriate PHI sharing across components.
  • Train the workforce so staff know when they operate inside a HIPAA-covered component.

Common hybrid entities include universities, municipalities, retailers with on-site clinics, and diversified enterprises housing both payer and provider operations under one legal entity.

Exclusions from Covered Entity Status

Many organizations handle health-related information but are not HIPAA covered entities unless they independently meet a covered-entity definition.

  • Employers and HR departments in their employer role (the employer’s group health plan, however, is a covered entity).
  • Life, disability, workers’ compensation, and auto insurers paying non-health benefits.
  • Schools and school districts (unless they operate a clinic that conducts Covered Transactions).
  • Law enforcement agencies and many public safety entities.
  • Direct-to-consumer app or personal health record vendors that do not conduct Covered Transactions.
  • Research organizations that do not provide treatment, payment, or clearinghouse services.
  • Software or billing vendors that are not clearinghouses; these are typically business associates.

If you are not a covered entity, you may still have HIPAA duties when acting as a business associate for a plan, provider, or clearinghouse.

Compliance Requirements for Covered Entities

Privacy Rule Compliance

The Privacy Rule governs how you use and disclose PHI. You must issue a Notice of Privacy Practices, limit uses/disclosures to what is permitted or authorized, and apply the minimum necessary standard where applicable.

  • Honor individual rights: access, amendments, accounting of disclosures, request for restrictions, and confidential communications.
  • Adopt policies and procedures, train your workforce, and apply sanctions for violations.
  • Safeguard PHI in any form and mitigate improper disclosures.

Security Rule Requirements

The Security Rule is risk-based and applies to ePHI. You must assess risks and implement reasonable and appropriate safeguards.

  • Administrative: risk analysis, risk management, workforce security, contingency planning.
  • Physical: facility security, device and media controls, secure disposal.
  • Technical: access controls, unique user IDs, audit logs, integrity protections, transmission security (encryption is strongly expected when feasible).

Breach Notification

If unsecured PHI is compromised, you must evaluate whether a breach occurred and, if so, notify affected individuals without unreasonable delay (and within required timeframes). For large incidents, notify regulators and, in some cases, the media. Maintain documentation and a breach log for smaller events.

Transactions, Code Sets, and Identifiers

HIPAA Administrative Simplification also standardizes how you exchange data. Use the mandated EDI formats for Covered Transactions and recognized code sets and identifiers.

  • Electronic Data Interchange: standardized claims, eligibility, claim status, remittance, enrollment, authorization, and premium transactions.
  • Code sets: ICD-10-CM/PCS, CPT/HCPCS, and NDC, as applicable.
  • Identifiers: National Provider Identifier (NPI) for providers; standard member and payer identifiers in transactions.

Business Associates and Vendor Management

Vendors that create, receive, maintain, or transmit PHI for you must sign Business Associate Agreements and safeguard PHI. You remain responsible for reasonable due diligence and oversight.

  • Inventory vendors, assess risk, and execute BAAs before PHI flows.
  • Limit disclosures to the minimum necessary and monitor performance.
  • Flow down requirements to subcontractors handling PHI.

Governance, Training, and Documentation

Strong governance keeps HIPAA operational, not theoretical. Assign accountable leaders and embed compliance into daily work.

  • Designate a Privacy Officer and a Security Officer.
  • Provide role-based training and periodic refreshers.
  • Establish incident response, complaint processes, and sanctions.
  • Document policies, risk analyses, decisions, and training; retain records as required.

Summary

HIPAA covered entities include health plans, health care providers engaged in Covered Transactions, and clearinghouses. If your organization fits any of these roles—or is a hybrid entity with designated health care components—you must implement Privacy Rule Compliance, Security Rule Requirements, breach response, standardized EDI, and disciplined vendor management to protect PHI end to end.

FAQs

What types of organizations qualify as HIPAA covered entities?

Three categories: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with Covered Transactions. If you do any standard EDI (claims, eligibility, remittance, referrals, enrollment), you likely qualify.

How do hybrid entities affect HIPAA compliance?

A hybrid entity uses a formal Hybrid Entity Designation to identify its HIPAA-covered components. Only those components are subject to HIPAA, but the organization must implement safeguards to prevent inappropriate PHI sharing across covered and non-covered components and train staff on their specific obligations.

Are health insurers considered covered entities under HIPAA?

Yes. Health insurers, HMOs, Medicare Advantage organizations, and similar payers are health plans, which are HIPAA covered entities. However, insurers of excepted benefits (such as life or workers’ compensation) are not covered entities for those lines.

What are the main compliance obligations for covered entities?

Implement Privacy Rule Compliance (uses/disclosures, patient rights, minimum necessary), meet Security Rule Requirements for ePHI (risk-based safeguards), follow breach notification rules, conduct standardized EDI for Covered Transactions, manage business associates through BAAs and oversight, and maintain governance, training, and documentation that prove your program works in practice.
