HIPAA Covered Entities

Understanding Covered Entities Under HIPAA: A Complete Guide

Covered Entities Under HIPAA

What Are Covered Entities Under HIPAA?

In this Article:

  • What Is a Covered Entity?

  • How HIPAA Defines a Covered Entity

  • Why Covered Entities Matter Under HIPAA

  • The Three Types of HIPAA Covered Entities

  • Covered Entities vs. Business Associates

  • How to Know If You're a HIPAA Covered Entity

  • How Healthcare Compliance Pros Supports Covered Entities

  • Foundational Steps to Stronger Privacy

What Is a Covered Entity?

In simple terms, a covered entity is an organization or individual that must follow the rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA). These entities handle protected health information (PHI) and are legally required to keep that information secure and confidential. This often includes medical records, billing information, and data related to health conditions and treatment.

How HIPAA Defines a Covered Entity

According to the U.S. Department of Health and Human Services (HHS), a covered entity is any health care provider, health plan, or health care clearinghouse that electronically transmits health information in connection with certain transactions. These standard transactions can include billing, claims, benefit eligibility checks, or referral authorizations.

In other words, under HIPAA, a covered entity is any organization that uses or discloses identifiable health information while carrying out health care operations. This definition is important because it determines who must comply with HIPAA regulations and privacy standards.

Covered Entities and Their Responsibility to Protect PHI

Covered entities have a clear legal and ethical obligation to protect PHI. This includes everything from medical records and lab results to insurance information and treatment history. If identifiable health information is lost, stolen, or shared without proper authorization, the consequences can be serious. Violations may result in steep financial and criminal penalties and a loss of patient trust.

Understanding whether you qualify as a HIPAA covered entity is the first step in building a strong compliance program. It also helps clarify what safeguards need to be in place to keep sensitive information protected and how to avoid risks such as willful neglect, which can lead to significant enforcement actions.

For a deeper dive into what qualifies as PHI, check out PHI and You: The Basics You Need to Know.


The Three Types of HIPAA Covered Entities

Understanding the different types of covered entities under HIPAA is essential for any organization working with protected health information. HIPAA regulations apply to a specific group of organizations and individuals that fall into one of three categories: healthcare providers, health plans, and healthcare clearinghouses.

Each group has distinct responsibilities, but all must comply with the same core privacy regulations and security rules.

1. Healthcare Providers

This category includes individuals and organizations that provide healthcare services and transmit health information electronically in connection with certain standard transactions. These activities are considered health care operations under HIPAA. Common examples include:

  • Doctors and specialists

  • Dentists and orthodontists

  • Psychologists and licensed therapists

  • Clinics and hospitals

  • Pharmacies and nursing homes

These covered health care providers are considered HIPAA covered entities when they handle PHI in electronic form, such as submitting insurance claims or checking patient eligibility online.

2. Health Plans

Health plans are organizations that pay for medical care or offer health benefits. These plans are responsible for safeguarding the PHI of individuals they insure. Examples of health plans include:

  • Health insurance companies and HMOs

  • Employer-sponsored health plans

  • Government agency programs such as Medicare, Medicaid, and military health programs

Because they manage large volumes of identifiable health data, including details about health conditions and treatments, health insurance companies must ensure strict compliance with HIPAA's privacy rule. These plans also have obligations around providing patients with an accounting of disclosures if requested.

3. Healthcare Clearinghouses

Clearinghouses are entities that process health information received from other organizations into a standardized format. While they may not interact with patients directly, they play a critical role in ensuring data flows securely between systems as part of health care activities. Examples include:

  • Billing services that convert paper claims to electronic transactions

  • Data processors that translate information between provider and payer systems

  • Third-party administrators that support health plans

Despite being less visible, clearinghouses routinely transform nonstandard health data into standard formats. That role makes them covered entities under HIPAA. When a clearinghouse works with a non-covered entity or business associate, a proper business associate contract may also be required to maintain compliance and protect PHI.

By identifying what entities are covered under HIPAA, organizations can take the first step in building a strong privacy and security program. If your business or practice falls into one of these categories, it's essential to understand your responsibilities and ensure all privacy rule requirements are met and all health care operations are conducted in line with HIPAA's requirements.

Covered Entities vs. Business Associates

When discussing HIPAA compliance, it's important to understand the difference between a covered entity and a business associate. Covered entities directly provide or pay for healthcare services. Business associates, on the other hand, perform tasks on behalf of covered entities and access PHI during these health care operations.

To work together legally, a business associate contract or Business Associate Agreement (BAA) must be signed. This outlines the responsibilities of the business associate in safeguarding data and clarifies roles between covered entities and non-covered entities that may still touch protected health information (PHI) indirectly.

Covered Entity Definition Under HIPAA

Under HIPAA, a covered entity is any healthcare provider, health plan, or healthcare clearinghouse that transmits identifiable health information in electronic form in connection with standard transactions. These organizations are directly regulated by HIPAA and are responsible for maintaining the privacy standards of patient information.

Covered entities include:

  • A doctor who submits electronic transactions like insurance claims

  • A hospital managing electronic health records

  • A pharmacy checking patient eligibility for a prescription

These organizations are often part of larger health care components within a business or health agency structure.

What Is a Business Associate?

A business associate is a person or organization that performs certain functions or services on behalf of a covered entity, and in doing so, has access to identifiable health data. Unlike covered entities, business associates do not provide healthcare services directly. Instead, they support the work of covered entities in areas such as technology, administration, or compliance.

Examples include:

  • An IT provider that manages secure data storage for a clinic

  • A billing company that processes patient claims

  • A legal consultant who advises a hospital on privacy regulations

  • A cloud vendor hosting a patient portal

They must sign a Business Associate Agreement (BAA) with the covered entity. Learn more about these agreements in our Business Associate Solutions guide.

Key Differences and Why It Matters

Understanding the distinction between a covered entity and a business associate is critical for risk management. While both are responsible for protecting PHI, covered entities have a direct relationship with patients, whereas business associates support them behind the scenes.

Each party has specific compliance requirements. Covered entities must implement full HIPAA programs internally, while business associates must follow security rules and meet contractual obligations. If either fails to protect PHI, both can be held accountable—including through criminal penalties.

Not Sure If You're a Covered Entity?

Many organizations fall into a gray area, especially those offering both healthcare and general wellness services. If you're unsure, assess whether your organization engages in health care activities or health care operations involving protected health information (PHI).

Even solo providers or health care components within a larger organization may be subject to HIPAA. If you handle patient data (even infrequently) and transmit it electronically, you likely qualify as a covered entity.

Use the HHS covered entity decision tool as a starting point. If you're still unsure, Healthcare Compliance Pros can guide you through the process and assess whether you're a non-covered entity, a covered entity, or a business associate.

Why There's Confusion

Some healthcare-related businesses operate in a gray area. For instance, a wellness clinic might offer both medical services and general health education. A third-party service provider might manage only certain parts of patient data.

Even small private practices or solo providers who only submit a few insurance claims electronically each month may be considered covered entities under HIPAA. Similarly, hybrid organizations, such as university health centers or companies with both clinical and administrative branches, might only have certain departments that fall under the definition.

Because HIPAA compliance depends on how PHI is created, received, stored, or transmitted, it's essential to get a clear understanding of your organization's role.

Use the Covered Entity Decision Tool

To help clarify your status, the U.S. Department of Health and Human Services (HHS) offers a free online resource known as the covered entity decision tool. This tool walks you through a series of questions about the healthcare services you provide and whether you transmit PHI in electronic form.

It's a helpful starting point, especially for those who are unsure whether they need to comply with HIPAA rules. While it does not replace legal guidance or professional consulting, it can point you in the right direction.

If you're still uncertain after using the tool, consider reaching out to a healthcare compliance expert. At Healthcare Compliance Pros, our team works with organizations of all sizes to help them understand their responsibilities and implement the safeguards required by law.

How Healthcare Compliance Pros Supports Covered Entities

At Healthcare Compliance Pros, we help health insurance companies, providers, and clearinghouses simplify HIPAA compliance. Our tools streamline training, policies, and documentation, giving your team more time to focus on patients and health care operations.

To support full compliance with HIPAA as enforced by the Office for Civil Rights (OCR), we offer tools like our Security Risk Analysis and other assessments that help meet requirements for accounting of disclosures, breach notifications, and employee training.


All-in-One Compliance Software

Our online compliance platform simplifies the compliance process. It centralizes your policies, procedures, and training records, making it easy to manage everything from one secure location. Automated reminders, tracking tools, and customizable reports help you stay ahead of deadlines and audits. This approach is especially valuable for covered entities that need consistent documentation to demonstrate compliance.

If you're wondering how to stay HIPAA compliant without disrupting patient care, our software was built with that challenge in mind.

Customized HIPAA Covered Entity Support

No two organizations are exactly the same. That's why HCP provides customized HIPAA compliance covered entity support tailored to your size, structure, and risk areas. From the start, you'll work with a dedicated compliance advisor who will help you build or refine your HIPAA program. We assist with identifying gaps, implementing required safeguards, and updating your policies to reflect the latest regulations.

Our team stays current with federal and state-level changes, so you don't have to. That way, your compliance program remains proactive, not reactive.

Ongoing Staff Training and Education

Covered entities must train employees on privacy standards, breach prevention, and healthcare operations. HCP offers built-in employee training modules that are easy to assign, track, and complete. These trainings cover HIPAA basics, breach prevention, patient rights, and more.

We also offer refresher courses, updates on new rules, and role-specific content to keep your team informed and accountable throughout the year.

When it comes to HIPAA covered entity support, Healthcare Compliance Pros is here to help. Our tools are built to prevent problems before they occur, saving you time, money, and stress. If you're ready to simplify compliance and protect your organization, we're ready to support you every step of the way.

Foundational Steps to Stronger Privacy

Understanding whether your organization is a covered entity under HIPAA is more than a regulatory checkbox. It's a foundational step toward meeting national standards for privacy rule enforcement and patient trust. Covered entities are held to specific standards because they manage sensitive health information - such as medical records, health conditions, and treatment data - that must be protected through compliant health care operations.

Safeguarding protected health information (PHI) is not just a legal responsibility; it's a matter of patient trust. When organizations clearly understand their role, whether as a covered entity, non-covered entity, or health care component, they can take meaningful steps to prevent breaches, maintain compliance, and build a culture of accountability. Establishing proper policies, documenting accounting of disclosures, and maintaining secure business associate contracts are essential strategies in preventing willful neglect and ensuring long-term HIPAA compliance.