Who Are HIPAA Covered Entities? Definition and Examples of Providers, Health Plans, and Clearinghouses


Kevin Henry

HIPAA

February 19, 2024

8 minute read

Overview of HIPAA Covered Entities

Under HIPAA’s administrative simplification provisions, “covered entities” are the organizations directly regulated for how they handle protected health information (PHI). They include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard electronic health transactions, such as claims, eligibility inquiries, and remittance advice.

PHI is any individually identifiable health information related to a person’s health status, care, or payment for care. It can exist in any form—paper, verbal, or electronic (ePHI). If you operate as a covered entity, HIPAA compliance obligations attach to your workforce, your systems, and your processes for creating, receiving, maintaining, or transmitting PHI.

Business associates—vendors that create or handle PHI on behalf of covered entities—must also follow HIPAA via business associate agreements. However, the term “covered entity” applies only to the three categories above.

Health Plans as Covered Entities

Health plans encompass individual and group health insurers, HMOs, employer-sponsored group health plans, and government programs that pay for health care (for example, Medicare, Medicaid, and certain military or veterans’ plans). If you administer or sponsor a plan that pays for medical care, you are generally a covered entity subject to health plan regulations under HIPAA.

Key responsibilities for health plans

  • Publish a Notice of Privacy Practices explaining how PHI is used and shared, and how members can exercise privacy rights.
  • Limit uses and disclosures of PHI to treatment, payment, and health care operations unless an authorization or another HIPAA permission applies.
  • Honor member rights: access, amendments, accounting of disclosures, and restrictions where applicable.
  • Implement administrative, physical, and technical safeguards to protect ePHI and manage vendor relationships through business associate agreements.
  • Conduct and document risk analyses, workforce training, and sanctions for violations.
  • Support administrative simplification by using standard identifiers and code sets and by conducting compliant electronic health transactions with providers and clearinghouses.

Self-funded employer plans should also ensure that plan documents restrict employer access to PHI and keep plan administration functions separate from employment decisions, which is an expectation that OCR applies when enforcing the Privacy Rule.

Health Care Providers and Compliance

Health care providers—including physicians, hospitals, clinics, pharmacies, labs, dentists, therapists, DME suppliers, and many others—are covered entities when they conduct standard electronic health transactions (for example, submitting electronic claims or checking eligibility). If you only accept paper and never conduct standard transactions electronically, you may not meet the definition of a covered entity; however, most modern practices use electronic systems that trigger coverage.

Provider obligations in practice

  • Provide a Notice of Privacy Practices, obtain patient authorizations when required, and apply the minimum necessary standard for non-treatment disclosures.
  • Implement role-based access, encryption, audit controls, and other safeguards for ePHI across EHRs, e-prescribing platforms, patient portals, telehealth tools, and billing systems.
  • Respond to access requests promptly, correct records when appropriate, and maintain clear documentation of privacy decisions.
  • Use standard transactions for claims, eligibility, referrals/authorizations, and remittances, coordinating with clearinghouses or billing services as needed.

Providers often rely on multiple vendors—EHR, cloud storage, revenue cycle, and telehealth platforms—so managing business associate agreements and vendor risk is a central part of HIPAA compliance.

Role of Health Care Clearinghouses

Health care clearinghouses are entities that process nonstandard health information they receive from another entity into a standard format—or vice versa—for purposes of billing and payment. If you operate a clearinghouse or similar EDI service, you are a covered entity even if you do not deliver clinical care or insurance benefits.

What clearinghouses do

  • Map data between nonstandard formats and standard transactions to support administrative simplification (for example, claims, eligibility, and remittance files).
  • Enforce health care clearinghouse standards for data quality, translation, and routing while maintaining the confidentiality, integrity, and availability of ePHI.
  • Apply strong access controls, encryption, and audit logging across translation engines, data queues, and trading partner connections.
  • Execute business associate agreements when performing services for providers or plans and ensure downstream vendors also protect PHI.

Because clearinghouses sit at the center of high-volume data exchange, their security posture, monitoring, and incident response capabilities are critical to sector-wide HIPAA compliance.


Privacy and Security Requirements

HIPAA establishes a cohesive framework for protecting PHI across covered entities. You must know and apply three core rule sets: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

Privacy Rule essentials

  • Define permissible uses and disclosures—treatment, payment, and health care operations—plus public interest exceptions and de-identification options.
  • Adopt the minimum necessary standard for non-treatment disclosures and implement role-based access to reduce unnecessary exposure.
  • Issue a Notice of Privacy Practices and support individual rights: access, amendment, restrictions (in certain cases), and an accounting of disclosures.
  • Document policies, workforce training, and sanctions to support privacy rule enforcement and continuous compliance.

Security Rule essentials

  • Perform ongoing risk analysis and risk management covering administrative, physical, and technical safeguards.
  • Implement measures such as encryption at rest and in transit, unique user IDs, multi-factor authentication, automatic logoff, integrity controls, and audit trails.
  • Secure devices and facilities—workstation standards, device/media controls, secure disposal, facility access, and contingency planning.
  • Manage vendors via business associate agreements and evaluate their controls regularly.

Breach Notification Rule

  • Identify and investigate security incidents promptly and assess whether impermissible access, use, or disclosure constitutes a breach of unsecured PHI.
  • If a breach occurs, notify affected individuals and, where required, regulators and the media within prescribed timeframes and document the response.

Transactions, code sets, and identifiers

  • Use standardized electronic health transactions for claims, eligibility, claim status, referrals/authorizations, and remittances to streamline billing.
  • Adopt required code sets and identifiers (for example, NPI) to reduce errors and improve interoperability across plans, providers, and clearinghouses.

Compliance Challenges for Covered Entities

Real-world compliance is less about one-time policies and more about continuous risk management. Many organizations struggle with fragmented systems, complex vendor ecosystems, and evolving threats such as phishing and ransomware.

  • Keeping pace with EHR upgrades, telehealth growth, and new integrations while maintaining security baselines and transaction integrity.
  • Applying the minimum necessary standard consistently across analytics, quality reporting, and data sharing initiatives.
  • Managing business associate inventories, due diligence, and contract lifecycle so that obligations flow to subcontractors.
  • Maintaining thorough documentation—risk analyses, training logs, incident reports, and policy updates—to demonstrate HIPAA compliance.
  • Ensuring timely patient access to records and cost-based copy fees, a frequent focus of privacy rule enforcement.
  • Preparing for transaction standard updates and testing with trading partners to prevent claim denials and data leakage during format changes.

Enforcement and Penalties

HIPAA is enforced primarily by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). OCR investigates complaints, audits selected entities, and reviews breach reports. Outcomes can include corrective action plans, monitoring, and civil money penalties that scale with the nature and duration of noncompliance.

Penalty tiers reflect culpability—from a lack of knowledge to willful neglect not corrected—with per-violation amounts that can reach tens of thousands of dollars and annual caps that can total in the millions. The Department of Justice may bring criminal actions for knowing, wrongful disclosures or obtaining PHI under false pretenses. State attorneys general can also pursue civil enforcement under HIPAA-related authorities.

Conclusion

Covered entities—health plans, providers, and clearinghouses—form the core of HIPAA’s regulatory model. By standardizing electronic health transactions and enforcing robust privacy and security safeguards for PHI, HIPAA aims to protect patients while enabling efficient payment and operations. Your strongest strategy is a living compliance program: measure risk continuously, train your workforce, manage vendors diligently, and document everything.

FAQs

What entities are classified as HIPAA covered entities?

HIPAA covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. If you operate in one of these categories and handle PHI, HIPAA compliance requirements apply to you.

How do health plans comply with HIPAA?

Health plans comply by issuing a Notice of Privacy Practices, limiting uses and disclosures of PHI, honoring individual rights, and implementing safeguards for ePHI. They also follow administrative simplification rules by using standardized electronic health transactions, identifiers, and code sets when exchanging data with providers and clearinghouses.

What responsibilities do health care clearinghouses have under HIPAA?

Clearinghouses must convert nonstandard data into standard transaction formats, maintain data integrity and confidentiality, and implement robust administrative, physical, and technical safeguards. They manage trading partner connections, execute business associate agreements when applicable, and ensure that health care clearinghouse standards are met across translation and routing processes.

What protections does HIPAA provide for patient information?

HIPAA protects patient information by setting rules for how PHI can be used and disclosed, granting individuals rights to access and amend their records, and requiring security controls for ePHI. If an impermissible disclosure occurs, the Breach Notification Rule compels timely notice to affected individuals and, when required, to regulators and the media.
