What Are Covered Entities Under HIPAA?
Examples of covered entities under HIPAA include qualifying health plans, health care clearinghouses, and healthcare providers that transmit Protected Health Information electronically for an activity regulated by HIPAA for which the Department of Health and Human Services (HHS) has adopted standards.
It is important to understand which individuals, institutions, and organizations qualify as covered entities under HIPAA because these entities are required to comply with all applicable HIPAA compliance standards and implementation specifications. Generally, covered entities under HIPAA fall into three main categories:
1. Health Plans
Health plans that provide healthcare coverage as their principal activity are required to comply with HIPAA. Examples of covered entities under HIPAA in this category include health insurance companies, health maintenance organizations, publicly funded healthcare programs (e.g., Medicare), and military and veterans’ health programs.
Insurance companies that pay for health care as a secondary benefit are not covered entities under HIPAA. For example, if an auto insurance policy pays healthcare costs when a policyholder is injured in an auto accident, the auto insurance provider is not a covered entity under HIPAA because the payment of healthcare costs is a secondary benefit of the auto insurance policy.
2. Health Care Clearinghouses
Health care clearinghouses are organizations that translate nonstandard data into standard formats and vice versa. The primary purpose of a health care clearinghouse is to accelerate claims, eligibility checks, electronic remittance advices, and other HIPAA-regulated transactions when providers and payers have incompatible systems.
Health care clearinghouses also perform error checking functions to ensure transactions are complete and valid before sending them to health plans. HIPAA code sets are complex, and providers often have limited in-house technical capabilities. If errors are made when a provider submits an eligibility check, it could delay treatment being provided to a patient.
3. Healthcare Providers
Healthcare providers include hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and other providers of healthcare that transmit Protected Health Information electronically in connection with a regulated activity for which HHS has adopted standards in Part 162 of HIPAA.
Not all healthcare providers qualify as covered entities under HIPAA. For example, a physician that bills patients directly, or that submits claims to payers via the mail, does not fulfill the criteria to qualify as a covered entity under HIPAA. Other providers that may not qualify as covered entities under HIPAA include massage therapy, yoga therapy, and wellness centers that do not bill insurers electronically.
What are HIPAA Covered Transactions?
HIPAA covered transactions are transactions for which HHS has adopted standards in 45 CFR Part 162. They include:
- Transmissions of healthcare claims
- Payment and remittance advice
- Healthcare status
- Authorizations for treatment
- Coordination of benefits
- Enrollment and disenrollment
- Eligibility checks
- Healthcare electronic fund transfers
- Referral certification and authorization
What are HIPAA Regulated Activities?
HIPAA regulated activities are activities that involve the use or disclosure of Protected Health Information and fall within the scope of HIPAA. Generally, these activities are limited to treatment, payment, and healthcare operations, honoring patients’ rights, and administrative functions such as HIPAA training.
When an activity does not involve a use or disclosure of Protected Health Information or falls outside the scope of HIPAA, the activity is not regulated by HIPAA. To help determine which activities are regulated and which are not, it is important to understand what Protected Health Information is and when information collected by a covered entity is neither protected nor regulated.
One of the best examples of an activity that is not regulated is when a hospital collects vehicle license numbers and details of credit cards used to pay for parking. Hospital parking is beyond the scope of HIPAA and, provided the license numbers and credit card details are not stored in data sets which also include information about a patient’s health, treatment, or payment, they do not qualify as Protected Health Information.
Other Types of Entities Under HIPAA
As a rule, if a qualifying health plan, health care clearinghouse, or healthcare provider conducts any HIPAA regulated activity, the whole organization qualifies as a covered entity under HIPAA and each component within the organization is required to comply with all applicable HIPAA compliance standards and implementation specifications.
Hybrid Entities
However, an organization that conducts both regulated and non-regulated activities has the option to isolate regulated activities from those that are not subject to HIPAA and operate as a hybrid entity. Organizations for which operating as a hybrid entity might be an option include:
- State health departments that provide HIPAA regulated healthcare services and non-regulated social services.
- University campuses that provide medical services to students (regulated by FERPA) and members of the public (regulated by HIPAA).
- Departments of corrections that provide medical services (regulated by HIPAA) and custody operations (not regulated by HIPAA).
- Non-health corporate wellness programs that bill insurers for medical services provided to members of the workforce.
- Public health labs that provide a wide range of testing services, but that bill insurers for (for example) blood tests.
Partial Entities
Although not a formal HIPAA designation, the term partial entity is used to describe a situation in which Protected Health Information is sometimes used by a team or individual, but not as part of their ordinary role. This situation most often occurs when an employer administers a self-insured health plan.
In this situation, the employer must have access to Protected Health Information in order to administer the self-insured health plan or to act as an intermediary between employees, healthcare providers, and the health plan even though the health plan is the covered entity and the employer is not.
The employer cannot qualify as a business associate for the self-insured health plan because the employer and the plan are the same legal entity and HIPAA does not permit a covered entity to be a business associate to itself. Instead, the employer must certify that Protected Health Information will be safeguarded as required by HIPAA, only used to administer the health plan, and not used for employment-related activities.
Affiliated Entities
An affiliated entity exists when legally separate covered entities under common ownership or control operate as a single covered entity for Privacy and Security Rule compliance. This structure is especially useful for large healthcare systems, multi‑state hospital networks, and corporate families that include multiple health plans or provider groups.
Affiliated entities share a unified compliance framework, meaning they can adopt one set of HIPAA policies, centralize privacy and security functions, and treat Protected Health Information as if it flows within a single covered entity. Effectively, an affiliated entity links multiple legal entities into a single HIPAA‑regulated unit.
To qualify as an affiliated entity under HIPAA, the organizations must demonstrate common ownership or control. Once designated, affiliated entities may share PHI freely for HIPAA‑permitted purposes without needing separate Business Associate Agreements between them, which simplifies compliance, reduces administrative burden, and supports integrated care delivery across complex organizational families.
Organized Health Care Arrangements
An Organized Health Care Arrangement (OHCA) differs from an affiliated entity inasmuch as an OHCA allows legally separate covered entities under HIPAA to share Protected Health Information for joint treatment, payment, and healthcare operations without requiring each unit of the Arrangement to enter into a Business Associate Agreement.
OHCAs exist to support coordinated care, shared operational activities, and integrated service delivery among entities that are not under common ownership or control. Unlike affiliated entities, which operate as a single covered entity, OHCA participants remain independent covered entities but collaborate for specific, shared purposes.
As well as being beneficial for clinically integrated care settings, OHCAs can be used for joint activities such as utilization reviews and quality improvements, to improve communications between group health plans, associated insurers, and HMOs, or to simplify operations between multiple group health plans under the same plan sponsor.
Business Associates
A business associate can be an individual or company that provides services to a HIPAA covered entity which requires them to have access to, store, use, or transmit Protected Health Information. The list of business associates is long, and the range of individuals or companies included under the definition of a business associate is diverse.
Business associates of HIPAA covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms – for both electronic and physical data – EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and some medical device manufacturers.
Prior to a business associate collecting, receiving, maintaining, or transmitting Protected Health Information for or on behalf of a HIPAA covered entity, they must enter into a HIPAA-compliant Business Associate Agreement with the covered entity. A business associate agreement is a contract in which the responsibilities of the business associate with respect to HIPAA and Protected Health Information are described.
Please note that the requirement to enter into a Business Associate Agreement does not apply if the organization providing a service for a covered entity only has temporary and transient access to Protected Health Information. For example, the US Postal Service is not required to enter into a Business Associate Agreement to deliver test results to a patient on behalf of a hospital.
Covered Entities under HIPAA FAQs
Is a school that provides healthcare services for students a HIPAA covered entity?
A public school that provides healthcare services only for students is not a HIPAA covered entity because student health information is classified as “education records” under the Family Educational Rights and Privacy Act (FERPA). As FERPA pre-empts HIPAA, student health information is not Protected Health Information under HIPAA, and most public schools are not HIPAA covered entities.
Are employers covered entities under HIPAA if they maintain employee health records?
Employers are not covered entities under HIPAA if they maintain employee health records in their role as an employer because employee health records maintained by an employer are not used for HIPAA-covered transactions (i.e., a request to a health plan for payment in respect of the provision of healthcare). An employer could be regarded as a “partial entity” if it administers a self-insured health plan; and, in this case, the employer would have to implement safeguards to ensure PHI collected and maintained by the self-insured health plan is not used for work-related operations and activities.
When might state laws affect who is a covered entity under HIPAA?
State laws do not affect who is a covered entity under HIPAA. However, some states have passed legislation which provides a different definition of a covered entity under the state law. The best example of this is in Texas, where the Medical Records Privacy Act classifies every organization or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits health information in any form as a covered entity – including schools and employers.
Does a covered entity have to sign a Business Associate Agreement to use Gmail?
A covered entity cannot sign a Business Associate Agreement to use the free version of Gmail because Google will not enter into a Business Associate Agreement for free services. If PHI is disclosed in an email sent from a personal Gmail account (as opposed to an email sent to a Gmail account), it is a violation of HIPAA. Covered entities should only use Gmail as their email provider if the email service is included in a Workspace or Cloud Identity account covered by a Business Associate Addendum to Google’s Service Agreement.
When might a criminal penalty be imposed on a covered entity?
A criminal penalty can be imposed on a covered entity if the covered entity has knowingly and wrongfully disclosed individually identifiable health information under false pretenses with the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. In such cases, HHS’ Office for Civil Rights has the authority to refer the case to the Department of Justice, who can pursue a fine of up to $250,000 and/or a jail term of up to ten years.
Who is covered by HIPAA?
Those covered by HIPAA are health plans, health care clearinghouses, and qualifying healthcare providers – along with any business associates that provide a service for or on behalf of a covered entity that involves the creation, receipt, storage, or transmission of PHI. Vendors of personal health records are also covered by HIPAA to the extent that they must report breaches of unsecured individually identifiable health information to the Federal Trade Commission.
Under HIPAA, how is a covered entity (CE) defined?
Under HIPAA, a covered entity (CE) is defined as a health plan, a health care clearinghouse, or a healthcare provider – provided the healthcare provider transmits health information in electronic form in connection with a transaction covered under 45 CFR Part 162 (typically payment and remittance advices, eligibility, claims status, authorizations for treatment, etc.).
Why are pharmacies classified as healthcare providers?
Pharmacies are classified as healthcare providers because the definition of healthcare in the HIPAA General Requirements includes: “The sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription”. Due to this definition, pharmacies are classified as healthcare providers and required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.
What is a health care clearinghouse?
A health care clearinghouse is a business that manages transactions between health plans and healthcare providers to ensure they are submitted accurately. There are thousands of elements that can complicate the transaction process, and health care clearinghouses minimize the risk of errors to accelerate transactions such as eligibility checks, authorizations, and payments.
Are all healthcare providers covered entities under HIPAA?
Not all healthcare providers are covered entities under HIPAA because not all conduct “covered transactions” in electronic format. If (for example) a chiropodist bills clients directly or conducts covered transactions over the phone (phone calls are not considered electronic transactions under HIPAA), the chiropodist does not qualify as a covered entity under HIPAA.
Do business associates have to comply with the same HIPAA Rules as covered entities?
Business associates have to comply with the same HIPAA Security and Breach Notification Rules as covered entities. Compliance with the HIPAA Privacy Rule (or part thereof) and the Administrative Requirements (Part 162) depends on the service being provided to or on behalf of the covered entity and the provisions of the Business Associate Agreement between the business associate and covered entity.
What happens if a healthcare provider that does not qualify as a covered entity provides a service on behalf of a healthcare provider that does qualify as a covered entity?
If a healthcare provider that does not qualify as a covered entity provides a service on behalf of a healthcare provider that does qualify as a covered entity, the non-qualifying healthcare provider provides the service as a business associate of the qualifying covered provider and has to comply with the HIPAA Security and Breach Notification Rules as well as any HIPAA Privacy Rule standards that apply to the service being provided.
If a healthcare provider conducts covered transactions for some patients, but not for others, do they qualify as a full or partial covered entity?
If a healthcare provider conducts covered transactions for some patients, but not for others, they qualify as a full covered entity regardless of the number of covered transactions conducted (e.g., one covered transaction is sufficient to qualify a healthcare provider as a covered entity). This means that the privacy and security protections of HIPAA apply to all patient records.
Do covered entities have to comply with every HIPAA Rule?
Covered entities have to comply with every applicable HIPAA Rule. If, for example, a covered entity outsources eligibility checks, authorizations, and claims to a third party acting as a business associate, the covered entity does not have to comply with Part 162 of the HIPAA Rules because this Part is not applicable. In addition, many of the HIPAA General Rules apply to either health plans, or health care clearinghouses, or healthcare providers, so it is unlikely a covered entity would have to comply with every General HIPAA Rule.
Can individuals be considered covered entities under HIPAA?
Individuals can be considered covered entities under HIPAA if they are solo practitioners (for example, dentists, therapists, psychologists, etc.) that transmit PHI in connection with a transaction for which HHS has published standards. Individuals that work for a covered entity are not considered covered entities under HIPAA, but have to comply with the policies and procedures developed by their employers to comply with HIPAA.
Are all insurance companies that provide health benefits considered covered entities under HIPAA?
Not all insurance companies that provide health benefits are considered covered entities under HIPAA – only those that provide healthcare coverage as a principal activity. For example, if you have an auto insurance policy that pays your healthcare costs if you are injured in an auto accident, the auto insurance provider is not a covered entity under HIPAA because the payment of your healthcare costs is a secondary benefit of the auto insurance policy.