Who Are Covered Entities Under HIPAA? The 3 Core Types and Common Edge Cases Explained


Kevin Henry

HIPAA

February 03, 2024


Health Plans Overview

Under HIPAA, a health plan is any individual or group plan that provides, or pays the cost of, medical care. Health plans are covered entities because they create, receive, maintain, and transmit Protected Health Information (PHI) to administer benefits and pay claims.

What counts as a health plan

  • Health insurance issuers, HMOs, and managed care organizations.
  • Employer-sponsored group health plans, including self-funded plans using third-party administrators.
  • Government programs that pay for healthcare, such as Medicare, Medicaid, and similar public programs.
  • Health FSAs and HRAs offered by employers when they reimburse medical care.
  • Some long-term care insurers when they pay for healthcare services rather than fixed indemnity benefits.

Common edge cases

  • The employer is not the covered entity; the employer’s group health plan is. Employment records are not PHI.
  • Employee Assistance Programs that provide counseling typically function as health plans and are covered entities.
  • Stop-loss insurers are usually not health plans; they act as business associates to the plan.
  • Workers’ compensation insurers are generally not covered entities, though they may receive PHI under other legal allowances.

Healthcare Providers Defined

Healthcare providers are covered entities when they electronically transmit health information in connection with a standard transaction. This includes claims, eligibility inquiries, referrals, authorizations, remittance advice, and similar Electronic Data Interchange activities.

Who is included

  • Physicians, dentists, hospitals, clinics, laboratories, and pharmacies.
  • Therapists, DME suppliers, and other professionals who furnish, bill, or are paid for healthcare.
  • Telehealth practices and online pharmacies when they submit or receive standard electronic transactions.

Provider edge cases

  • Cash-only or concierge practices that never conduct standard electronic transactions may not be covered entities.
  • School and university clinics can be covered entities; however, some student records may be governed by FERPA rather than HIPAA.
  • On-site employer clinics may be covered entities if they conduct standard transactions electronically.

Role of Healthcare Clearinghouses

Healthcare clearinghouses are public or private entities that process nonstandard health information they receive from another entity into a standard format, or vice versa. They enable compliant Electronic Data Interchange between providers and health plans by translating, editing, or routing transactions.

What clearinghouses do

  • Convert claims, eligibility, claim status, and remittance transactions between nonstandard and standard formats.
  • Act as switches or networks that route standardized transactions between trading partners.
  • Perform edits, validation, and sometimes repricing as part of transaction processing.

Clearinghouse edge cases

  • Cloud storage or hosting vendors that merely store PHI are business associates, not clearinghouses.
  • Health Information Exchanges often serve as business associates; they are clearinghouses only if they perform transaction translation functions.
  • Analytics firms that do not transform standard transactions are typically business associates.

Understanding Hybrid Entities

A hybrid entity is a single legal entity whose business activities include both covered and non-covered functions. To qualify, the entity must make a formal Hybrid Entity Designation and identify its healthcare components that perform HIPAA Covered Functions.

How hybrid entities work

  • The entity designates specific healthcare components (for example, a university’s medical center or an employer’s on-site clinic).
  • HIPAA applies to those components—and to shared support units as needed—while non-health components stay outside HIPAA.
  • Administrative safeguards must prevent improper PHI sharing between covered and non-covered components.

Typical examples

  • Universities with hospitals and student health centers.
  • Municipalities with public health departments and EMS.
  • Retailers with in-store pharmacies.

Affiliated Covered Entities Explained

An Affiliated Covered Entity (ACE) is a group of legally separate covered entities under common ownership or control that chooses to act as a single covered entity for HIPAA purposes. An ACE can streamline policies, Notice of Privacy Practices, and operations across the affiliated group.

Affiliated Covered Entity Agreement

The affiliates document their relationship through an Affiliated Covered Entity Agreement. This record identifies the entities, demonstrates common ownership or control, and permits sharing PHI for treatment, payment, and healthcare operations across the ACE while maintaining HIPAA safeguards.

ACE edge cases

  • Contracted networks without common ownership or control cannot form an ACE; they rely on business associate arrangements or other frameworks.
  • Parent–subsidiary health systems often use ACE status to coordinate compliance and operations across hospitals, clinics, and health plans.

Business Associates and Their Compliance

Business associates (BAs) are persons or organizations that create, receive, maintain, or transmit PHI for a covered entity or another BA to perform services or functions. They are directly liable for HIPAA Security Rule compliance and specific Privacy Rule requirements.

Common business associates

  • Third-party administrators, billing companies, and medical transcription services.
  • Cloud service providers, data warehouses, and EHR vendors that host or process PHI.
  • Consultants, attorneys, and auditors who need PHI to perform contracted work.
  • Health Information Exchanges that facilitate clinical data sharing on behalf of covered entities.

Contracts and accountability

  • Covered entities must execute Business Associate Agreements that define permitted uses/disclosures and require safeguards.
  • BA subcontractors that handle PHI are also BAs and must sign downstream agreements.
  • BAs must report breaches to the covered entity and are subject to enforcement for violations.

HIPAA Covered Entity Responsibilities

Whether you are a health plan, provider, or clearinghouse, HIPAA imposes core obligations to protect PHI and support patient rights. Strong governance and vendor management are as important as technical safeguards.

HIPAA Privacy Rule Compliance

  • Use and disclose PHI only as permitted, applying the minimum necessary standard where required.
  • Publish and distribute a Notice of Privacy Practices explaining uses, rights, and contacts.
  • Honor individual rights: access, amendments, accounting of disclosures, restrictions, and confidential communications.

Safeguarding ePHI under the Security Rule

  • Conduct a risk analysis; implement administrative, physical, and technical safeguards.
  • Control access, authenticate users, and maintain audit logs; encrypt data as appropriate.
  • Train your workforce and apply sanctions for violations.

Standard transactions and Electronic Data Interchange

  • Adopt standard transactions for claims, eligibility, claim status, authorizations, and remittances.
  • Coordinate with clearinghouses and trading partners to ensure compliant data formats.

Vendor and BA oversight

  • Execute and manage Business Associate Agreements; review security practices and incident response.
  • Ensure subcontractors meet the same obligations when they handle PHI.

Incident response and breach notification

  • Assess incidents to determine if there is a breach of unsecured PHI.
  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery, and complete other required notifications.

Conclusion

The three covered entities under HIPAA are health plans, healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses. Understanding hybrid entities, affiliated arrangements, and business associates helps you map data flows, apply safeguards, and maintain consistent compliance across all HIPAA Covered Functions.

FAQs

What entities qualify as covered entities under HIPAA?

The three covered entities are health plans, healthcare providers that electronically conduct standard transactions, and healthcare clearinghouses. These organizations handle Protected Health Information in regulated ways and must meet HIPAA Privacy Rule Compliance and Security Rule requirements.

How do hybrid entities affect HIPAA compliance?

A hybrid entity formally designates its healthcare components through a Hybrid Entity Designation. HIPAA applies to those components and any shared support units as needed, ensuring PHI is walled off from non-covered parts of the organization while core HIPAA Covered Functions remain compliant.

Are business associates considered covered entities?

No. Business associates are not covered entities, but they are directly regulated when they create, receive, maintain, or transmit PHI for a covered entity. They must sign Business Associate Agreements, safeguard PHI, and support breach notification and other compliance duties.

What is an affiliated covered entity under HIPAA?

An Affiliated Covered Entity is a group of legally separate covered entities under common ownership or control that chooses to operate as one covered entity for HIPAA purposes. An Affiliated Covered Entity Agreement documents this status and permits sharing PHI for operations while maintaining required safeguards.
