by Hoala Greevy Founder CEO of Paubox

What are the 3 categories of Covered Entities?

What are the 3 Categories of Covered Entities? - Cathlynn Nigh, Beyond LLC



What is a Covered Entity?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are referred to as Covered Entities.

The 3 categories of HIPAA Covered Entities are:

  • Health Plans: Health Insurance companies; HMOs (Health Maintenance Organizations); Employer-sponsored health plans; and Government programs that pay for healthcare (Medicare, Medicaid, and military and veterans’ health programs)
  • Healthcare Clearinghouses: Organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.
  • Certain Healthcare Providers: Providers who submit HIPAA transactions, like electronic claims. Common examples are Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing homes, and Pharmacies

As you can see from the above, Covered Entities can be institutions, organizations, or persons.

Learn more: Covered Entities [HHS]

Who must comply with HIPAA privacy standards?

By law, the HIPAA Privacy Rule applies only to Covered Entities.

Most Covered Entities, however, do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other organizations.

If these services involve the use of protected health information, the organization providing them is a Business Associate.

In summary, HIPAA compliance regulations apply to both Covered Entities and the Business Associates that serve them.

What is a Business Associate?

A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.

In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

Read full article: What does it mean to be a Business Associate?

What is a Business Associate Agreement?

A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a Business Associate Agreement (BAA).

If you are a covered entity entrusting protected health information to a third party, then a Business Associate Agreement is required by law.

Read full article: Business Associate Agreement Provisions

Is an Employer a Covered Entity under HIPAA?

If an employer provides any of the following to its employees, it is considered a Covered Entity:

  • Self-funded or self-administered health insurance benefits
  • Certain wellness programs
  • Employee assistance programs
  • Medical reimbursement accounts
  • On-site clinics (if operated by the employer)

Here’s another important distinction: If an employer receives protected health information while performing services for a Covered Entity or Business Associate, the employer is then itself considered a Business Associate.

Is a Pharmacy a Covered Entity?

Yes, pharmacies are classified as Healthcare providers under HIPAA.

Healthcare providers are one of the three categories of Covered Entities.

Is a TPA a Covered Entity?

A TPA, or Third Party Administrator, is typically a company that processes insurance claims and employee benefit plans for a separate entity.

According to HHS, the answer is no: TPAs are not considered Covered Entities. A TPA may, however, be classified as a Business Associate instead.

As a caveat, if a TPA also provides other services like group health insurance, it then meets the definition of a Covered Entity.

Are Health Insurance companies Covered Entities?

Yes, Health Insurance companies are classified as Health Plans under HIPAA.

Health Plans are one of the three categories of Covered Entities.

Are you a Covered Entity?

Not sure if you’re a Covered Entity? The Centers for Medicare & Medicaid Services (CMS) put out a useful PDF flowchart called the Covered Entity Guidance tool.

To determine if a person, business, or government agency is a Covered Entity, answer the questions in the guidance tool. If you are uncertain about which set of questions applies, answer all of them.
