Who Counts as a HIPAA Covered Entity? Definitions and Examples

Kevin Henry

HIPAA

January 01, 2025

Health Plans Under HIPAA

A HIPAA covered entity includes many types of health plans—any group or individual plan that provides or pays the cost of medical care. These plans handle protected health information as they enroll members, adjudicate claims, and manage benefits.

Common health plan classifications include:

  • Public programs: Medicare, Medicaid, CHIP, and TRICARE.
  • Private plans: commercial insurers and HMOs offering medical, dental, or vision coverage.
  • Employer plans: fully insured or self-funded group health plans (including multiemployer plans) administered by a third party.

Not every program that pays benefits is a health plan. Excepted benefits—such as workers’ compensation, auto or liability coverage, and some limited-purpose policies—fall outside HIPAA’s health plan definition. A small group health plan with fewer than 50 participants that is self-administered by the employer may also be excluded.

Role of Health Care Clearinghouses

Health care clearinghouses are entities that process nonstandard health information into standard formats or the reverse. By translating data into HIPAA's standard transaction formats, they enable providers and health plans to send and receive HIPAA-covered transactions reliably.

Examples include medical billing services, repricing companies, and community health management information systems that convert claim data between formats. Clearinghouses are HIPAA covered entities when they perform these standardization functions and must comply with the HIPAA Privacy Rule and the HIPAA Security Rule for the electronic health information they handle.

Health Care Providers Subject to HIPAA

Health care providers become HIPAA covered entities when they transmit health information in electronic form in connection with HIPAA-covered transactions. This group spans hospitals, physicians, clinics, pharmacies, laboratories, dentists, chiropractors, psychologists, durable medical equipment suppliers, and telehealth practices.

If you use a vendor or clearinghouse to submit claims, check eligibility, or obtain authorizations electronically on your behalf, you are treated as conducting electronic transactions and fall under HIPAA. Providers that operate solely on paper and never conduct standard electronic transactions may not be covered entities, though they may still handle PHI and should follow sound privacy practices.

Electronic Transactions and PHI

HIPAA establishes standard electronic transactions to streamline payment and administrative processes. Typical transactions include claim submission (837), remittance advice (835), eligibility inquiry and response (270/271), claim status (276/277), prior authorization and referral (278), enrollment and disenrollment (834), and pharmacy claims using NCPDP standards.

When you conduct these transactions, you create and exchange protected health information. PHI becomes electronic PHI when stored or transmitted electronically. Safeguards must protect identifiers, diagnoses, procedures, and payment details within this electronic health information across systems and networks.

Compliance Requirements for Covered Entities

Covered entities must comply with the HIPAA Privacy Rule: provide a Notice of Privacy Practices, limit uses and disclosures to the minimum necessary, obtain authorizations when required, and uphold individual rights to access, amendment, and an accounting of disclosures. Business associate agreements are required before vendors handle PHI on your behalf.

HIPAA security requirements apply to ePHI and include administrative, physical, and technical safeguards. Core actions include a documented risk analysis, role-based access, authentication, audit logging, encryption where appropriate, workforce training, vendor oversight, and security incident response. Breach notification obligations require timely notices to affected individuals (and, in certain cases, regulators and media).

Covered entities must also follow transaction and code set standards—such as ICD-10-CM, CPT, and HCPCS—and use the National Provider Identifier for standard transactions. Policies and procedures should be documented, reviewed periodically, and retained as required.

Scope of HIPAA Definitions

HIPAA distinguishes covered entities from business associates. A business associate is a service provider that creates, receives, maintains, or transmits PHI for a covered entity—examples include cloud hosts, billing companies, and IT vendors. Business associates are directly regulated by HIPAA, but they are not themselves covered entities unless they also operate as a health plan, provider, or clearinghouse.

Some organizations are hybrid entities—such as universities or municipalities—that perform both covered and non-covered functions. They must designate their health care components and apply HIPAA only to those components. Employers, schools, and most life insurers are not covered entities when performing their standard roles, and de-identified data is not PHI.

Examples of Covered Entities

  • A self-funded employer group health plan using a third-party administrator to process claims.
  • An HMO offering individual and small-group medical coverage.
  • A hospital system that submits electronic claims and receives electronic remittances.
  • A physician practice using an EHR and an external billing service to check eligibility and submit claims.
  • A stand-alone pharmacy transmitting prescription claims using NCPDP standards.
  • A health care clearinghouse that converts nonstandard claim files into standard X12 transactions.

In practice, most modern plans and providers meet the definition of a HIPAA covered entity because they rely on electronic transactions. Understanding your entity type—and the transactions you perform—helps you align policies, contracts, and safeguards with HIPAA’s requirements.

FAQs

What entities are considered covered under HIPAA?

HIPAA covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA-covered transactions. Many supporting vendors are business associates—directly regulated by HIPAA—when they handle PHI for a covered entity.

How do health care providers comply with HIPAA?

Providers comply by following the Privacy Rule (notices, minimum necessary, authorizations, and patient rights), implementing Security Rule safeguards for ePHI (risk analysis, access controls, encryption where appropriate, and audit logs), executing business associate agreements, training the workforce, and issuing breach notifications when required.

What is the role of health care clearinghouses in HIPAA?

Clearinghouses translate nonstandard data into standard electronic formats and vice versa so claims, eligibility, authorizations, and payments flow between providers and plans. They are covered entities in their own right and must meet privacy and security obligations while applying health care clearinghouse standards to the transactions they process.

Are all health plans subject to HIPAA regulations?

Most public and private health plans are covered entities, but some exceptions exist. Excepted benefits (like workers’ compensation or auto liability) are not HIPAA health plans, and a self-administered group health plan with fewer than 50 participants may be excluded. Employers themselves are not health plans, though their plan components are.
