What is a covered entity under HIPAA?

A covered entity under HIPAA encompasses individuals or organizations engaged in electronically creating, receiving, maintaining, or transmitting protected health information (PHI). The three main categories include health plans, healthcare clearinghouses, and certain healthcare providers that electronically transmit PHI for specified transactions. Determining covered entity status is the first step toward compliance with HIPAA regulations, ensuring the secure handling of sensitive health data and maintaining patient privacy.


HIPAA regulations explained

HIPAA's significance lies in its two pillars: the Privacy Rule and the Security Rule. 

  • The Privacy Rule establishes standards for safeguarding individually identifiable health information.
  • The Security Rule sets guidelines for securing electronic PHI. 


What are covered entities under HIPAA?

The definition of a covered entity under HIPAA includes individuals or organizations engaged in the electronic creation, reception, maintenance, or transmission of PHI. This term encompasses:

  1. Health plans, such as insurance companies and healthcare programs.
  2. Healthcare clearinghouses serving as intermediaries for data exchange.
  3. Healthcare providers, including clinics and hospitals.

Health plans as covered entities

Health plans, as defined under HIPAA, refer to entities providing coverage for medical expenses. These encompass a diverse range of organizations:

  • Health insurance companies: These entities offer insurance coverage for individuals or groups, providing financial protection against medical expenses.
  • Health maintenance organizations (HMOs): HMOs are a specific type of health insurance plan where members choose a primary care physician and obtain referrals for specialists.
  • Government health programs:
      • Medicare: A federal health insurance program for individuals aged 65 and older.
      • Medicaid: A joint federal and state program providing health coverage for individuals with low income.
      • Military and veterans health programs: Including health plans for active-duty military personnel, veterans, and their families.
  • Employer-sponsored health plans: These are health insurance plans provided by employers for their employees, contributing to comprehensive healthcare coverage.

Healthcare clearinghouses

These entities serve as intermediaries, processing non-standard health information into standardized formats. Healthcare clearinghouses contribute to the efficiency of transactions related to claims processing, payment, and healthcare operations by facilitating seamless data exchange between covered entities.


Healthcare providers

Healthcare providers, as defined under HIPAA, encompass a broad range of institutions and individual practitioners involved in delivering medical services:

  • Hospitals: Institutions providing comprehensive medical services, including emergency care, surgeries, and specialized treatments.
  • Clinics: Facilities that offer medical services, often focusing on a specific area of healthcare, such as primary care or a specialty.
  • Nursing homes: Residential facilities providing long-term care for individuals with medical needs, especially older adults or those with chronic conditions.
  • Doctors: Medical practitioners with expertise in diagnosing and treating illnesses.
  • Dentists: Professionals specializing in oral health and dental care.
  • Psychologists: Experts in mental health and behavioral sciences.
  • Therapists: Professionals providing various forms of therapy, including physical, occupational, and mental health therapy.

Determining covered entity status

Determining covered entity status involves considering several factors:

  1. Nature of services: Evaluate whether your organization provides healthcare services, such as medical treatment, and falls within the scope of covered entities.
  2. Handling of PHI: Assess if your organization creates, receives, maintains, or transmits PHI electronically.
  3. Health insurance coverage: Determine if your organization provides health insurance coverage or administers employer-sponsored health plans.
  4. Clearinghouse functions: Evaluate whether your organization serves as a healthcare clearinghouse, processing non-standard health information for standardized data exchange.

Read more: How to know if you’re a covered entity


The importance of HIPAA compliance for covered entities

Compliance with HIPAA is a commitment to upholding patient privacy and the secure handling of sensitive health information. HIPAA compliance is a legal obligation and a cornerstone in building and maintaining public trust in the healthcare system. The consequences of noncompliance range from fines to reputational damage. 



Do healthcare providers exclusively offering telehealth services fall under the definition of covered entities?

Yes, telehealth providers qualify as covered entities under HIPAA if they electronically transmit protected health information for specific transactions.


Are health and wellness apps that collect user health data considered covered entities under HIPAA?

Generally, health and wellness apps are not covered entities, but if they electronically transmit protected health information for specific healthcare transactions, they may fall under HIPAA.


Do nonprofit organizations providing healthcare services need to comply with HIPAA as covered entities?

Yes, nonprofit healthcare organizations are subject to HIPAA regulations if they electronically transmit protected health information for qualifying transactions.

