Who Is Covered by HIPAA (and Who Isn’t)? Covered Entities, Business Associates, and Examples
Covered Entities Overview
HIPAA applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard transactions. If you are performing claims, eligibility checks, referrals, or remittance advice using HIPAA-adopted standards, you are likely a covered entity.
Health plans include insurers, HMOs, government programs (like Medicare and Medicaid), and employer-sponsored group health plans. Healthcare providers range from hospitals and physician practices to pharmacies and laboratories—so long as they conduct standard electronic transactions. Healthcare clearinghouses transform nonstandard health data into standard formats (or vice versa) for other organizations.
Some organizations are hybrid entities. In that case, only their designated healthcare components are subject to HIPAA. Providers and plans can also participate in organized health care arrangements to streamline operations while maintaining Privacy Rule responsibilities.
Business Associates Definition
A business associate is any person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity—or for another business associate—to perform functions regulated by HIPAA. Typical functions include claims processing, data analysis, quality reporting, IT hosting, and legal or consulting services that involve PHI.
Business associates must enter into Business Associate Agreements (BAAs) that set permitted uses and disclosures, require safeguards, mandate breach reporting, bind subcontractors, and ensure PHI is returned or destroyed when work ends. Business associates are directly liable for meeting applicable HIPAA Compliance Requirements.
The conduit exception is narrow. Common carriers that merely transmit information (like the postal service) without persistent storage are not business associates. However, cloud service providers that store ePHI—even if encrypted and inaccessible to them—are business associates and need BAAs.
Non-Covered Entities Description
Many organizations in the health and wellness space are not covered by HIPAA. Employers (acting as employers), life insurers, workers’ compensation carriers, gyms, fitness trackers, and most consumer health apps are non-covered entities. Their handling of personal data may be governed by other federal or state privacy laws, but not HIPAA.
Schools and school districts generally fall under FERPA for student education records, including most school health records. Direct-to-consumer genetic testing companies, personal health record vendors, and wellness apps are outside HIPAA unless they are performing services for a covered entity or business associate and sign a BAA.
Remember the context rule: data becomes PHI when it is individually identifiable and handled by a covered entity or its business associate. The same information held solely by a non-covered entity is not PHI under HIPAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Protected Health Information Handling
What counts as PHI
PHI is individually identifiable health information that relates to an individual’s health status, care, or payment for care, created or received by a covered entity or business associate. It includes common identifiers like names, addresses, full-face photos, contact details, device identifiers, and account numbers when linked to health information.
De-identified data and limited data sets
Data is not PHI if de-identified. Under safe harbor, you remove specified identifiers (such as names, detailed geographies, and all elements of dates except year) and have no actual knowledge that remaining data could identify the individual. Limited data sets allow certain indirect identifiers for research, public health, and operations, but require a data use agreement.
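The two de-identification paths above, worked through in Python as an added illustration (this is not code from the page or from Accountable). The record, the field names, and the role of each field are assumptions chosen to mirror the identifiers the text lists: safe harbor removes the direct identifiers and detailed geography and keeps only the year of any date, while the limited data set removes direct identifiers but keeps dates and city/state/ZIP, which is the assumption made here about which indirect identifiers it allows.

```python
from datetime import date

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "phone": "555-0100",
    "email": "jane@example.test",
    "mrn": "MRN-0001",
    "device_serial": "DEV-9999",
    "photo": "face.jpg",
    "birth_date": date(1980, 5, 17),
    "admit_date": date(2023, 11, 2),
    "diagnosis": "J18.9",
}

# Assumed field names for direct identifiers that safe harbor strips outright
# (names, contact details, record/device identifiers, full-face photos).
DIRECT_IDENTIFIERS = {"name", "street", "phone", "email", "mrn", "device_serial", "photo"}

# Assumed field names for "detailed geography"; safe harbor keeps only coarse
# geography (here: the state field survives, street/city/zip do not).
DETAILED_GEOGRAPHY = {"street", "city", "zip"}


def deidentify_safe_harbor(record: dict) -> dict:
    """Return a copy with direct identifiers and detailed geography removed and
    every date reduced to its year, per the safe harbor description above."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in DETAILED_GEOGRAPHY:
            continue
        if isinstance(value, date):
            out[key] = value.year  # all elements of dates except year are removed
        else:
            out[key] = value
    return out


def make_limited_data_set(record: dict) -> dict:
    """Return a copy with direct identifiers removed but dates and city/state/ZIP
    kept (assumption about which indirect identifiers a limited data set allows).
    Releasing this output still requires a data use agreement."""
    return {key: value for key, value in record.items() if key not in DIRECT_IDENTIFIERS}


def contains_direct_identifier(record: dict) -> bool:
    """Guard for a release pipeline: True if any direct identifier field is present."""
    return any(key in record for key in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    print("safe harbor:", deidentify_safe_harbor(SAMPLE_RECORD))
    print("limited data set:", make_limited_data_set(SAMPLE_RECORD))
```

Note that the field-removal step is only half of safe harbor: the text also requires that you have no actual knowledge that the remaining data could identify the individual, which no filter can decide for you, so the output of `deidentify_safe_harbor` still needs that judgement before it is treated as non-PHI.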
PHI Disclosure Limitations and Minimum Necessary Standard
Use and disclose PHI only as permitted: treatment, payment, and healthcare operations; public health reporting; and other disclosures required by law. Many other purposes require the individual’s authorization, such as marketing or the sale of PHI. These are core PHI Disclosure Limitations.
Outside of treatment and a few exceptions, you must apply the Minimum Necessary Standard—use, disclose, and request only the least PHI needed to accomplish the task. Role-based access, data segmentation, and redaction help operationalize this principle.
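One way to operationalize the Minimum Necessary Standard with role-based access and redaction, as an added example that is not part of the original page or Accountable's product. The patient record, the roles, and the field policy are hypothetical; the point is that each role's view is computed from an explicit allow-list rather than from the full record, and that fields a role needs only partially (here the SSN for billing) are redacted instead of released whole.

```python
# Constructed sample record; not real patient data.
PATIENT = {
    "name": "Jane Example",
    "dob": "1980-05-17",
    "ssn": "123-45-6789",
    "diagnosis": "J18.9",
    "clinical_notes": "Community-acquired pneumonia, started antibiotics.",
    "insurance_id": "INS-777",
    "claim_amount": 1250.00,
    "appointment": "2024-03-04 09:30",
}

# Hypothetical role-to-field policy: each role gets only the fields its task needs.
# Roles absent from the policy get nothing rather than everything.
ROLE_POLICY = {
    "clinician": {"name", "dob", "diagnosis", "clinical_notes", "appointment"},
    "billing": {"name", "dob", "ssn", "insurance_id", "claim_amount", "diagnosis"},
    "scheduler": {"name", "appointment"},
}

# Fields that are released only in redacted form (assumed: SSN shown as last four digits).
REDACT_TO_LAST4 = {"ssn"}


def redact_last4(value: str) -> str:
    """Replace every digit except the last four with '*', keeping separators."""
    digits_seen = 0
    total = sum(ch.isdigit() for ch in value)
    out = []
    for ch in value:
        if ch.isdigit():
            digits_seen += 1
            out.append(ch if digits_seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def minimum_necessary_view(record: dict, role: str) -> dict:
    """Project a record down to the fields the role's policy allows, redacting
    partially needed fields. Unknown roles are denied (fail closed)."""
    allowed = ROLE_POLICY.get(role)
    if allowed is None:
        raise PermissionError(f"no PHI access policy defined for role {role!r}")
    view = {}
    for key, value in record.items():
        if key not in allowed:
            continue  # data segmentation: the field never leaves the store for this role
        view[key] = redact_last4(value) if key in REDACT_TO_LAST4 else value
    return view


def fields_withheld(record: dict, role: str) -> set:
    """Audit helper: which PHI fields the role did not receive."""
    return set(record) - set(minimum_necessary_view(record, role))


if __name__ == "__main__":
    for role in ROLE_POLICY:
        print(role, "->", minimum_necessary_view(PATIENT, role))
```

The allow-list shape matters for review: a reviewer can read `ROLE_POLICY` and see exactly what each workforce role receives, and `fields_withheld` gives the documentation trail that a role was in fact limited, which is the evidence a periodic evaluation would ask for.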
Compliance Responsibilities
Covered Entity Obligations
Covered entities must implement administrative, physical, and technical safeguards; conduct risk analyses; manage vendors via Business Associate Agreements; train workforce members; document policies; and honor patient rights such as access, amendments, and accounting of disclosures. They must provide breach notifications without unreasonable delay and no later than 60 days after discovery when required.
Privacy and Security Officers should oversee governance, audit logging, access control, encryption at rest and in transit, and incident response. Periodic evaluations, sanctions for violations, and documentation retention are central HIPAA Compliance Requirements.
Business associate obligations
Business associates must safeguard ePHI, limit uses and disclosures to contract terms, ensure subcontractor compliance, support access and accounting requests when applicable, and notify covered entities of breaches promptly. They share liability for Security Rule safeguards and for impermissible uses and disclosures.
Examples of Each Category
Covered entities
- A hospital system submitting electronic claims and eligibility checks.
- A physician practice verifying coverage electronically with a health plan.
- A retail pharmacy processing e-prescriptions and electronic remittances.
- A national insurer administering group health plans.
- Healthcare clearinghouses that convert batch claim files to standard formats.
Business associates
- EHR and practice management vendors hosting patient records.
- Cloud storage, data centers, and backup providers maintaining ePHI under BAAs.
- Medical billing and revenue cycle management companies.
- Telehealth platforms, call centers, and medical transcription services handling PHI.
- Analytics, quality reporting, and utilization review firms using PHI for operations.
Non-covered entities
- Consumer fitness apps and wearable device manufacturers operating outside BAAs.
- Life insurers and disability carriers evaluating underwriting risk.
- Employers maintaining personnel files (separate from a group health plan).
- Schools managing student health records under FERPA.
- General search engines, ISPs, and postal carriers acting as conduits.
Distinctions and Exceptions
HIPAA permits incidental disclosures if reasonable safeguards are in place. Employment records kept by a covered entity in its employer role are not PHI, and education records under FERPA are excluded. PHI of decedents remains protected for 50 years after death.
Workers’ compensation programs may receive PHI when required by law, but they are typically not covered entities. Research may use de-identified data freely; limited data sets require a data use agreement; and fully identifiable PHI often requires authorization or another Privacy Rule permission.
For complex organizations, hybrid entity designations can confine HIPAA to specific components. Be cautious with the conduit exception—persistent storage or routine access usually converts a service provider into a business associate requiring a BAA.
Conclusion
In short, HIPAA covers health plans, healthcare clearinghouses, and providers using standard electronic transactions—and the business associates that handle PHI for them. Many wellness and consumer tech companies are not covered unless they act on behalf of a covered entity under a BAA. Knowing these boundaries helps you manage PHI lawfully, apply the Minimum Necessary Standard, and meet HIPAA Compliance Requirements efficiently.
FAQs
What entities are considered covered under HIPAA?
Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions (such as claims or eligibility checks). Hybrid entities may designate covered components, but only those components are subject to HIPAA.
Who qualifies as a HIPAA business associate?
Any organization or individual that creates, receives, maintains, or transmits PHI on behalf of a covered entity—or another business associate—for regulated functions qualifies as a business associate. Examples include EHR vendors, billing companies, cloud hosting providers, analytics firms, and transcription services, each operating under Business Associate Agreements.
Are all healthcare-related organizations covered by HIPAA?
No. Many health-related entities—like wellness apps, wearable device makers, life insurers, employers (in their employer role), and schools—are not covered entities. They may fall under other privacy laws, and they only become subject to HIPAA if they perform services for a covered entity or business associate and sign a BAA.
How can non-covered entities be involved in HIPAA compliance?
Non-covered entities can become business associates when they handle PHI for a covered entity or another business associate. They then must sign a BAA and implement appropriate safeguards, access controls, breach notification processes, and other Security and Privacy Rule measures consistent with HIPAA Compliance Requirements.