How to know if you're a covered entity

Understanding whether your organization qualifies as a covered entity under HIPAA is a first step toward compliance with federal healthcare privacy and security regulations. This guide is intended to help you understand what distinguishes organizations that fall under this classification.

What is a covered entity under HIPAA?

A covered entity under HIPAA refers to individuals or organizations that electronically transmit protected health information (PHI) in the course of healthcare-related activities. According to educational material on the HIPAA Privacy Rule from the U.S. Department of Health and Human Services (HHS), “Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.”

The educational material goes on to state, “Covered entities can be institutions, organizations, or persons.” These entities are subject to HIPAA’s Privacy Rule and Security Rule, which require implementing safeguards to protect the confidentiality, integrity, and availability of PHI.

Why does it matter if you’re a covered entity?

HIPAA protects the security of medical information on behalf of patients. The Journal of the Medical Library Association study ‘Balancing between two goods: Health Insurance Portability and Accountability Act and ethical compliancy considerations for privacy-sensitive materials in health sciences archival and historical special collections’ notes, “The law should not only protect close relationships, but also protect people ‘as against the world’.” This means that understanding whether or not an organization is a covered entity helps ensure the data it handles is protected correctly. This classification triggers specific obligations to safeguard PHI, implement privacy policies, train staff, and appoint privacy officers.

Covered entities face accountability for maintaining the confidentiality, integrity, and security of sensitive health data during electronic transactions, such as billing or claims processing. Non-covered entities, by contrast, are not bound by these federal requirements, although they could still be subject to other privacy laws. Knowing whether an organization is a covered entity helps ensure HIPAA compliance and avoid risks related to privacy violations.

The three main categories of covered entities 

Healthcare Providers

These include doctors, hospitals, clinics, dentists, psychologists, pharmacies, and other medical practitioners or organizations that provide health care services. To be considered a covered entity, they must electronically transmit any health information in connection with standard transactions such as billing, claims, or eligibility verification. Their role involves directly providing treatment or services to patients.

Health plans

This category covers entities that pay for or provide health care coverage or benefits. Examples include private health insurers, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs like Medicare, Medicaid, and Veterans Affairs. Health plans manage claims and benefits for insured individuals and are responsible for processing health information related to coverage and payment.

Healthcare clearinghouses

These are organizations that process or facilitate the processing of nonstandard health information received from a provider into a standard electronic format, or vice versa. Their function is mainly administrative and includes services like billing intermediaries and claims processing companies. Clearinghouses serve as intermediaries that help health care providers and plans exchange standardized data efficiently.

The responsibilities of a covered entity 

Covered entities are responsible for implementing administrative, physical, and technical safeguards to protect PHI from unauthorized access, use, or disclosure. An Academic Forensic Pathology study on HIPAA and access to medical information states, “A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and... is limited to the relevant requirements of such law.”

They are required to provide patients with access to their health information upon request and must maintain an accounting of disclosures made for activities such as treatment, payment, and healthcare operations. Covered entities may share PHI with business associates only through formal agreements (business associate agreements) that stipulate compliance requirements.

What’s the difference between a covered entity and a business associate?

A chapter from StatPearls on HIPAA compliance provides that “HIPAA permits covered entities to disclose PHI to business associates that may not be covered entities through business associate agreements that require no further disclosure from the business associate.”

Covered entities bear primary responsibility for complying with HIPAA's Privacy and Security Rules. A business associate is any person or organization that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI but is not part of the covered entity’s workforce. Examples include billing companies, cloud service providers, legal consultants, and third-party administrators.

Covered entities have a broader scope of obligations and accountability to both patients and the HHS, including ensuring that their business associates comply with HIPAA. Business associates, while subject to HIPAA compliance, have responsibilities that arise primarily from contracts with covered entities, and their liability is often contractually tied.

When does an organization become a covered entity?

Transactions that classify a covered entity typically involve activities such as billing, payment, claims processing, eligibility inquiries, and referrals. A hospital or medical provider that sends electronic claims directly to a health plan qualifies as a covered entity from the point it engages in such electronic transmissions. Covered entities include health care providers, health plans, and health care clearinghouses that engage in these standardized electronic transactions. 

Chapter 4 of Beyond the Privacy Rule: Enhancing Privacy, Improving Health Through Research, on the Privacy Rule and how it applies to healthcare research, states, “If an entity that meets one of the categories of a covered entity also performs functions unrelated to health care, it can become a hybrid entity by designating in writing its 'health care components.' Only these health care components are then bound by the Privacy Rule.” Simply providing healthcare services or holding health information is not sufficient to become a covered entity; the defining trigger is the electronic transmission of PHI in connection with required standard transactions.

What happens if you're not sure?

If you are unsure whether your organization qualifies as a covered entity under HIPAA, it is necessary to conduct a thorough assessment of your healthcare-related activities and electronic transactions involving PHI. This uncertainty poses risks because only covered entities are legally required to comply with HIPAA's Privacy and Security Rules. Failure to correctly determine your status can result in unintentional noncompliance. 

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQs

Does HIPAA protect genetic information?

Yes, genetic data is considered PHI and is protected under HIPAA's Privacy Rule, requiring safeguards and patient consent for most disclosures.

What happens if a covered entity violates HIPAA rules?

Violations can result in civil and criminal penalties, including fines and imprisonment, depending on the severity and whether the violation was corrected promptly.

Can research use protected health information under HIPAA?

Yes, but research must comply with specific HIPAA provisions such as obtaining authorization or waivers, using de-identified data, or applying limited data sets, with oversight by Institutional Review Boards (IRBs).