Who Is a Covered Entity Under HIPAA? Providers, Health Plans, and Clearinghouses Explained


Kevin Henry

HIPAA

February 19, 2024

6 minutes read

Define Covered Entities

Under HIPAA, “covered entities” are the organizations directly regulated for their handling of protected health information (PHI). They fall into three categories: health plans, healthcare providers, and healthcare clearinghouses. Each must follow HIPAA’s privacy, security, and breach notification rules when they create, receive, maintain, or transmit PHI.

For healthcare providers, coverage hinges on HIPAA-covered transactions: specific electronic data interchange (EDI) exchanges for which HHS has adopted federal health information standards. If you conduct such a transaction electronically, or cause one to occur by having a vendor send it for you, HIPAA's standard transaction requirements apply to you, and a provider in that position becomes a covered entity. Health plans and clearinghouses are covered by definition, regardless of how they exchange data.

HIPAA-covered transactions and standard transaction requirements

  • Common transactions include claims and encounters, eligibility inquiries, claim status, referrals/authorizations, enrollment and disenrollment, coordination of benefits, premium payments, and remittance advice.
  • Transactions must use adopted health information standards (for example, X12 and NCPDP formats), along with required code sets and identifiers. These standard transaction requirements ensure consistent EDI across the healthcare system.

What makes an organization a covered entity

  • Health plans are covered by definition.
  • Healthcare providers are covered if they transmit PHI electronically in any HIPAA-covered transaction, whether directly or through a vendor.
  • Healthcare clearinghouses are covered when they convert data between standard and nonstandard formats for others.

Describe Health Plans

A health plan is any individual or group plan that provides or pays the cost of medical care. If you operate a plan that finances healthcare, HIPAA treats the plan as the covered entity even when a plan sponsor (such as an employer) funds it.

Organizations that typically qualify

  • Commercial health insurers and HMOs.
  • Employer-sponsored group health plans and multiemployer plans.
  • Government programs that pay for care, such as Medicare, Medicaid, TRICARE, Veterans Health Administration, and state high-risk pools.
  • Medicare Advantage and Medicare supplement plans, and most long-term care insurance that pays for medical care.

Common misclassifications

  • Employers and plan sponsors are not health plans; the group health plan itself is the covered entity. One narrow exclusion: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it is not a HIPAA health plan.
  • Issuers that only offer “excepted benefits” (for example, accident-only or disability income) are not health plans under HIPAA.
  • Property and casualty, auto medical payment, liability, and workers’ compensation carriers are generally not HIPAA health plans.

Explain Healthcare Providers

Healthcare providers include physicians, clinics, hospitals, dentists, chiropractors, psychologists, pharmacies, nursing homes, labs, and similar entities. You become a covered entity if you transmit PHI electronically in connection with a HIPAA-covered transaction—even if a billing service or clearinghouse sends the transaction for you.

When providers are covered

  • Submitting electronic claims, eligibility checks, or referral authorizations triggers HIPAA coverage.
  • Using a vendor to perform EDI on your behalf still counts as your electronic transmission.

When providers may not be covered

  • If you never conduct HIPAA-covered transactions electronically (for example, you bill only on paper or by telephone, and a paper-to-paper fax of information that did not already exist electronically does not count as electronic media), you may not be a covered entity. The moment you adopt EDI for even one covered transaction, HIPAA applies, and not only to that transaction: the Privacy Rule then reaches all of your PHI in any form, paper and oral included, and the Security Rule reaches all of your ePHI.

Outline Healthcare Clearinghouses

Healthcare clearinghouses transform nonstandard health information into standard EDI transactions, and vice versa. If you operate a billing service, repricing company, community health management information system, or similar service that converts data formats, you are a covered clearinghouse.

Typical clearinghouse functions

  • Format conversion between proprietary files and standard transactions.
  • Editing, validation, and routing of claims and remittance messages.
  • Facilitating electronic data interchange among providers, health plans, and other trading partners.

Compliance implications

  • Clearinghouses must safeguard PHI they process and meet HIPAA Security Rule obligations for ePHI.
  • When acting for a provider or plan, clearinghouses often also serve as business associates and must honor applicable contract terms.

Discuss Business Associates

Business associates are persons or organizations that perform services for a covered entity involving PHI—such as claims processing, data analysis, utilization review, quality reporting, cloud hosting, EHR support, legal, actuarial, accounting, or consulting. While not covered entities solely by virtue of that role, they are directly liable for meeting key HIPAA requirements.

Business associate agreements

If you are a covered entity, you must have a written business associate agreement (BAA) with each vendor that handles PHI on your behalf. BAAs define permitted uses and disclosures, require safeguards aligned with health information standards, mandate reporting of breaches, and flow down obligations to subcontractors.

When a business associate is also a covered entity

Some organizations wear two hats. For example, a clearinghouse or health plan may also provide services to another covered entity. In that separate role, it functions as a business associate and needs a BAA, but it remains a covered entity for its own operations.

Highlight Exceptions to Covered Entity Status

Not every organization that touches health-related data is a HIPAA covered entity. Employers, life insurers, workers’ compensation carriers, schools, many apps and personal health record vendors, and consumer wellness programs generally are not covered entities unless they also operate a health plan, clearinghouse, or provider that conducts HIPAA-covered transactions.

State law and Secretary exception requests

HIPAA preempts contrary state law, with two important carve-outs. First, a state privacy law that is more stringent than HIPAA (for example, one that gives individuals greater access rights or restricts disclosures more tightly) is not preempted and applies automatically. Second, a state may submit an exception request asking the Secretary of HHS to let a contrary state law stand, for instance to protect public health, to combat fraud and abuse, or for other compelling needs. In either case you must follow the applicable state rule in addition to HIPAA's health information standards.

Hybrid entities and designated components

A single legal entity that performs both covered and noncovered functions can designate specific health care components and become a "hybrid entity." If you adopt this structure, HIPAA applies to the designated components, while the nonhealth components remain outside HIPAA, so long as you document the designation and keep roles, systems, and access appropriately segregated. Two caveats: every component that would itself be a covered entity if it were a separate legal entity must be included in the designation, and the legal entity as a whole remains responsible for its designated components' compliance.

Key takeaways

  • Covered entities are health plans, healthcare clearinghouses, and healthcare providers that conduct HIPAA-covered transactions electronically.
  • Business associates must sign business associate agreements and are directly liable for key HIPAA requirements, but they are not covered entities unless they separately qualify.
  • Electronic data interchange determines when a provider becomes covered; once you conduct a single standard transaction electronically, HIPAA's rules apply to all of your PHI, not just the data in that transaction.

FAQs

What is a covered entity under HIPAA?

A covered entity is either a health plan, a healthcare clearinghouse, or a healthcare provider that transmits PHI electronically in connection with a HIPAA-covered transaction. These organizations must follow HIPAA’s privacy, security, and breach notification rules.

Which organizations qualify as health plans?

Health insurers and HMOs, employer-sponsored group health plans, Medicare, Medicaid, TRICARE, and similar government programs qualify. Entities that offer only excepted benefits (such as accident-only or disability income) and most property and casualty or workers’ compensation insurers are not HIPAA health plans.

What roles do healthcare clearinghouses play?

Clearinghouses convert data between nonstandard formats and standard electronic data interchange transactions, validate and route claims, remittance, eligibility, and related messages, and help trading partners meet HIPAA’s health information standards.

Can business associates be considered covered entities?

Business associates are not covered entities solely because they handle PHI for others. However, an organization may be both—such as a clearinghouse or plan that also provides services to another covered entity—depending on the role it performs in each context.
