Who Does HIPAA Apply To? 2025 Guide to Covered Entities, Business Associates, Hybrid Entities, and Exceptions


Kevin Henry

HIPAA

February 03, 2024

8 minute read

Covered Entities Overview

HIPAA applies to specific organizations and people that handle Protected Health Information (PHI) to protect patient privacy and ensure HIPAA compliance. In 2025, the core covered entities remain health plans, certain health care providers, and health care clearinghouses.

Who counts as a covered entity

  • Health plans: group health plans, health insurance issuers and HMOs, Medicare, Medicaid, Medicare Advantage, and many employer-sponsored plans that provide or pay for medical care.
  • Health care providers: physicians, clinics, hospitals, pharmacies, dentists, therapists, labs, and on‑site workplace clinics—if they transmit health information electronically in connection with standard transactions.
  • Health care clearinghouses: intermediaries that transform or route health data between providers and health plans (for example, converting nonstandard formats to standards).

PHI and scope

PHI is individually identifiable health information created or received by a covered entity or business associate that relates to a person’s health, care, or payment for care. PHI can be paper, verbal, or electronic (ePHI). Once you are a covered entity, HIPAA applies to PHI in all forms—not only to electronic data.

Trigger for providers

Providers become covered when they use Electronic Data Interchange (EDI) standard transactions (such as submitting electronic claims or eligibility checks). A provider that never conducts a covered electronic transaction is generally not a HIPAA covered entity, though state privacy laws may still apply.

Business Associates Responsibilities

Business associates (BAs) are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity or another BA. Typical examples include billing and coding companies, cloud hosting providers, claims processors, e‑prescribing gateways, third‑party administrators for group health plans, IT support, and secure messaging services.

Core responsibilities under HIPAA

  • Use and disclose PHI only as permitted by the Business Associate Agreement (BAA) or as required by law.
  • Implement administrative, physical, and technical safeguards for ePHI, including risk analysis, risk management, access controls, audit logging, and incident response.
  • Provide breach notification to the covered entity without unreasonable delay and cooperate in investigations and mitigations.
  • Flow down HIPAA obligations to subcontractors that handle PHI.
  • Maintain policies, workforce training, and documentation to demonstrate HIPAA compliance.

The Business Associate Agreement

A BAA must be in place before PHI flows. It defines permitted uses/disclosures, required safeguards, reporting of incidents, subcontractor obligations, and how PHI will be returned or destroyed at contract end. Without a valid BAA, sharing PHI with a vendor is a HIPAA violation.

Hybrid Entities Designation

A hybrid entity is a single legal entity that performs both HIPAA‑covered and non‑covered functions (for example, a university with a medical center or a retailer with in‑store clinics). The entity may designate specific health care components that must comply with HIPAA, while the rest of the organization is not subject to the Privacy and Security Rules.

How to designate and govern

  • Identify covered functions (e.g., clinics, pharmacies, group health plan) and designate them as health care components in writing.
  • Establish “firewalls” to restrict PHI access to the designated components and workforce members who need it.
  • Apply HIPAA policies, safeguards, and training to those components and to supporting business associates.
  • Document designations and keep them current as services, systems, and vendors change.

Common examples

  • Universities operating student health clinics or hospitals.
  • Municipalities with public health or employee clinics.
  • Large employers that sponsor a self‑insured group health plan alongside non‑health business units.

HIPAA Exceptions

Entities and information outside HIPAA

  • Employers, life insurers, workers’ compensation carriers, schools and school districts (education records under FERPA), and law enforcement are not HIPAA covered entities unless they separately operate a covered function.
  • Consumer health apps and personal health record services that act on behalf of the individual alone (not for a covered entity) typically are not subject to HIPAA, though consumer privacy laws may apply.
  • Employment records held by a covered entity in its role as employer are not PHI.
  • Education and treatment records maintained by schools under FERPA are not PHI.
  • De‑identified data (meeting HIPAA’s Safe Harbor or Expert Determination methods) is not PHI, and information about a decedent more than 50 years after death is no longer PHI.

Limited‑purpose exceptions to authorization

HIPAA permits certain uses and disclosures of PHI without individual authorization—such as for treatment, payment, and health care operations; public health reporting; and disclosures required by law. These are not exemptions from HIPAA; they are narrowly defined permissions that still require safeguards and the minimum necessary standard where applicable.


Compliance Requirements

Whether you are a covered entity or a business associate, you need a documented HIPAA compliance program scaled to your size and risk. The following controls are cornerstone expectations in 2025.

Program foundation

  • Appoint a privacy official and a security official with clear accountability.
  • Publish policies and procedures addressing the Privacy, Security, and Breach Notification Rules.
  • Train your workforce regularly and apply a sanctions policy for violations.

Security Rule essentials

  • Conduct an organization‑wide risk analysis and implement risk management plans.
  • Apply administrative, physical, and technical safeguards: role‑based access, strong authentication, encryption for data in transit and at rest, endpoint protection, audit controls, and contingency planning.
  • Manage vendors with Business Associate Agreements and ongoing due diligence.

Privacy operations

  • Follow the minimum necessary standard and maintain appropriate role‑based access to PHI.
  • Provide individuals their privacy rights: access, amendment, accounting of disclosures, and confidential communications.
  • Issue and maintain a Notice of Privacy Practices when required.

Breach response and documentation

  • Assess incidents promptly, notify affected parties in a timely manner, and mitigate harm.
  • Retain required documentation for at least six years from creation or last effective date.

Role of Health Plans

Health plans are always covered entities under HIPAA. This category includes group health plans (self‑insured or fully insured), health insurance issuers, HMOs, Medicare and Medicaid programs, Medicare Advantage plans, and many employer‑sponsored arrangements such as FSAs, HRAs, and EAPs that provide or pay for medical care.

What is not a health plan

  • Excepted benefits such as workers’ compensation, accident‑only or disability income insurance, life insurance, and most property and casualty coverage.
  • Wellness programs that do not provide or pay for medical care unless they are integrated with a health plan.

Plan sponsor boundaries

  • The plan (not the employer) is the covered entity. Employers may receive only limited PHI for plan administration and must amend plan documents, restrict access to designated staff, and protect PHI from use in employment decisions.
  • Plan sponsors may receive enrollment/disenrollment information and “summary health information” for premium bids or plan design changes, subject to minimum necessary rules.
  • Third‑party administrators and benefits platforms that handle PHI for the plan are business associates and must sign BAAs.

Electronic Health Information Transmission

Electronic Data Interchange (EDI) is central to HIPAA’s Administrative Simplification standards. When providers use standard transactions, they are HIPAA covered entities, and ePHI must be safeguarded end‑to‑end.

Common standard transactions

  • Claims and encounters (837) and payment/remittance advice (835).
  • Eligibility inquiries and responses (270/271).
  • Claim status requests and responses (276/277).
  • Referral/authorization requests and responses (278).
  • Benefit enrollment and maintenance (834) and premium payment (820).

Implications for coverage and security

  • Once a provider conducts any covered EDI transaction, HIPAA applies to PHI in all media, not just the transactions.
  • Health care clearinghouses that translate or route these transactions are covered entities and often serve as business associates to providers and plans.
  • Secure transmission requires access controls, encryption, audit trails, vendor oversight, and documented risk analysis with ongoing risk management.

Key takeaways

  • HIPAA applies to health plans, clearinghouses, and providers that use standard EDI; business associates that handle PHI must also comply.
  • Hybrid entities can limit HIPAA to designated components, but they must maintain strong boundaries and documentation.
  • Some entities and data sit outside HIPAA (e.g., FERPA records, employment records, de‑identified data), yet other laws may still protect privacy.
  • Effective HIPAA compliance in 2025 hinges on rigorous risk analysis, sound safeguards, vendor management with BAAs, and timely breach response.

FAQs

What defines a covered entity under HIPAA?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. Once covered, the HIPAA Privacy Rule applies to PHI in any form (paper, verbal, or electronic), and the Security Rule applies to ePHI.

How do business associates differ from covered entities?

Covered entities deliver care, pay for care, or process health data; business associates are vendors that handle PHI for those entities. BAs must sign a Business Associate Agreement, implement safeguards (including risk analysis and risk management), and provide breach notifications, but they do not provide care or act as the health plan itself.

What are the criteria for hybrid entity designation?

A single legal entity that performs both covered and non‑covered functions may designate its health care components as a hybrid entity. It must document the designation, apply HIPAA only to those components (and supporting business associates), restrict PHI access across the boundary, and maintain policies, training, and controls to prevent improper sharing.

Are all employer health plans subject to HIPAA?

Most employer‑sponsored group health plans are HIPAA health plans, whether self‑insured or fully insured, including many FSAs, HRAs, and EAPs that provide or pay for medical care. Excepted benefits like workers’ compensation, accident‑only, disability, or life insurance are not HIPAA health plans. The plan—not the employer—is the covered entity, and plan sponsors must follow strict rules for any PHI they receive for plan administration.
