Who Is a Covered Entity Under HIPAA? Definition and Examples
Definition of Covered Entity
Core criteria
Under HIPAA, a covered entity is an organization that handles Protected Health Information in specific, regulated ways. An entity is covered if it is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with designated Electronic Health Transactions (such as claims, eligibility checks, referrals, or payment and remittance activities).
What counts as Electronic Health Transactions
Transactions include submitting or receiving claims, checking eligibility and benefits, authorizing referrals, coordinating benefits, enrolling or disenrolling individuals in a plan, and receiving remittance advice. A provider becomes a covered entity as soon as it transmits any of these transactions electronically, whether or not it already uses the adopted standard format; once covered, it must use the standard formats for those transactions, and all of HIPAA’s administrative simplification rules (Privacy, Security, Breach Notification, and Transactions and Code Sets) apply to it.
Illustrative examples
Examples of covered entities include a physician practice e‑submitting claims, a hospital billing department exchanging claim status, a prescription drug plan adjudicating pharmacy claims, and a clearinghouse converting nonstandard formats into HIPAA standard formats.
Types of Health Plans
Public and government programs
Medicare, Medicaid, and other federal or state health benefit programs are covered health plans. Unlike providers, health plans are covered entities by definition; the electronic-transaction test applies only to health care providers. Because these programs pay for medical care, they fall squarely under HIPAA regardless of how they exchange data.
Commercial and employer-sponsored plans
Insurers, HMOs, and self-insured group health plans are covered entities. An employer-sponsored group health plan is a health plan whenever it provides or pays for medical care, with one narrow exception: a plan with fewer than 50 participants that is administered solely by the employer that established it is excluded from the definition. The plan is the covered entity, not the employer that sponsors it.
Specialty and supplemental plans
Prescription drug plans and dental or vision plans that pay for medical care are health plans under HIPAA. Coverage that consists of “excepted benefits” under section 2791(c)(1) of the Public Health Service Act, such as accident-only, disability income, liability, workers’ compensation, and automobile medical payment insurance, falls outside the health plan definition because benefits for medical care are secondary or incidental to the policy’s main purpose.
Roles of Health Care Providers
Who qualifies
Hospitals, physician groups, clinics, pharmacies, laboratories, therapists, and other licensed professionals are covered entities when they transmit health information electronically for HIPAA-standard transactions. This status derives from activity, not size or specialty.
Trigger for coverage
Merely treating patients is not enough; coverage is triggered when the provider transmits health information electronically in connection with a standard transaction, such as submitting electronic claims or verifying eligibility. Once triggered, the HIPAA Privacy Rule applies to all PHI the provider maintains or transmits in any form, and the HIPAA Security Rule applies to the PHI it holds or transmits electronically.
Health Care Provider Obligations
Providers must limit uses, disclosures, and requests to the minimum necessary (the standard does not apply to disclosures to, or requests by, a provider for treatment), provide a Notice of Privacy Practices, obtain valid authorizations when required, maintain safeguards for electronic PHI, and execute business associate agreements with vendors that handle PHI on their behalf.
Function of Health Care Clearinghouses
Health Care Clearinghouse Operations
Clearinghouses receive nonstandard health information from another entity and translate it into standard formats—or the reverse. They route claims, normalize data, edit errors, and facilitate connectivity among providers and plans.
How clearinghouses handle PHI
Because clearinghouses transform and transmit PHI, they are covered entities. They often also act as business associates to providers and plans, which means they must implement robust safeguards, access controls, and data integrity measures while performing conversion and routing services.
Examples
Common clearinghouse services include claims scrubbing, eligibility verification hubs, pharmacy switch networks, and repricing or coordination-of-benefits platforms that standardize disparate data streams.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
HIPAA Compliance Requirements
HIPAA Privacy Rule
Covered entities may use or disclose PHI for treatment, payment, and health care operations and for specific public policy purposes. They must apply the minimum necessary standard, issue a Notice of Privacy Practices, honor patient rights (access, amendment, accounting), and ensure appropriate authorizations for uses beyond permitted purposes.
HIPAA Security Rule
Entities that create, receive, maintain, or transmit electronic PHI must implement administrative, physical, and technical safeguards. Core steps include a documented risk analysis, risk management, workforce training, access controls, audit controls, integrity protections, and contingency planning.
Breach Notification
When unsecured PHI is compromised, covered entities must assess the incident, mitigate harm, and notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. They must also notify HHS (without unreasonable delay for breaches affecting 500 or more individuals, otherwise in an annual report) and prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. Business associates must inform the covered entity of breaches they discover without unreasonable delay and no later than 60 calendar days after discovery.
Transactions and code sets
Covered entities that conduct Electronic Health Transactions must use designated standard formats and medical code sets. Adhering to these standards supports interoperability and reduces administrative burden across the health care ecosystem.
Business associates and contracts
Vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity are business associates; a vendor whose contact with PHI is merely incidental, or a conduit that only transports it, is not. Covered entities must execute business associate agreements that define permitted uses, required safeguards, breach reporting, and subcontractor flow-down obligations. Business associates are also directly liable for Security Rule compliance and for the Privacy Rule provisions that apply to them, independent of the agreement.
Exclusions from Covered Entities
Who is not a covered entity
Employers, schools, many life insurers, fitness apps, and personal health record services that are not acting for a covered entity generally are not covered entities. They may hold sensitive data, but HIPAA applies only when the organization is a health plan, a health care clearinghouse, or a qualifying provider performing standard transactions.
Edge cases and hybrid entities
Some organizations perform both covered and noncovered functions (for example, a university that operates a clinic). These “hybrid entities” must designate their health care components in writing and apply HIPAA to those components. The health care component may disclose PHI to the rest of the organization only where the Privacy Rule would permit a disclosure to a separate entity, so the designation must be backed by access controls that keep PHI inside the component.
Regulatory Guidelines and Resources
Primary oversight and guidance
The Office for Civil Rights enforces and issues interpretive guidance for the HIPAA Privacy, Security, and Breach Notification Rules, while the Centers for Medicare & Medicaid Services administers the transaction, code set, and identifier standards. Their materials clarify definitions, permitted uses, safeguards, and enforcement expectations.
Operational best practices
- Map data flows to identify where PHI enters, moves, and leaves your environment.
- Perform a periodic risk analysis and document risk management actions.
- Implement role-based access, encryption where feasible, and robust audit logging.
- Train your workforce, manage vendors through business associate agreements, and test incident response plans.
- Review provider and health plan policies at least yearly, and whenever operations, vendors, or technology change, to confirm they still reflect how PHI actually flows.
Conclusion
In HIPAA, covered entities are health plans, health care clearinghouses, and qualifying providers engaged in standard Electronic Health Transactions. Knowing where your organization fits—and applying the HIPAA Privacy Rule and HIPAA Security Rule accordingly—ensures lawful, trustworthy handling of Protected Health Information.
FAQs
What entities qualify as covered entities under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions (for example, claims, eligibility, and referrals). If an organization meets one of these categories and performs these activities, HIPAA applies to its handling of PHI.
How do health care clearinghouses operate under HIPAA?
Clearinghouses convert nonstandard health information into standard formats and vice versa, route transactions, and correct data issues. Because they receive, transform, and transmit PHI, they are covered entities in their own right, and when they perform these services for a provider or plan they are also that entity’s business associate. Either way they must implement Privacy and Security Rule safeguards while performing these operations.
Are employers considered covered entities?
No. Employers are not covered entities simply by sponsoring a health plan. The group health plan itself can be a covered entity, and the employer may have obligations as a plan sponsor when it receives limited plan administration data, but the employer’s general business functions are not subject to HIPAA.