What are the 3 categories of covered entities?

What are the 3 Categories of Covered Entities? - Cathlynn Nigh, Beyond LLC


What is a Covered Entity?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, applies to both individuals and organizations. Those the law directly regulates are referred to as Covered Entities.

The 3 categories of HIPAA Covered Entities are:

  • Health Plans: health insurance companies; HMOs (health maintenance organizations); employer-sponsored group health plans; and government programs that pay for healthcare (Medicare, Medicaid, and military and veterans’ health programs)
  • Healthcare Clearinghouses: organizations that process nonstandard health information into a standard data content or format, or vice versa, on behalf of other organizations (billing services and repricing companies are typical examples)
  • Certain Healthcare Providers: providers that electronically transmit health information in connection with a HIPAA standard transaction, such as an electronic claim. Common examples are doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies. A provider that never conducts such transactions electronically is not a Covered Entity, however much health information it holds.

As you can see from the above, Covered Entities can be institutions, organizations, or persons.

Learn more: Covered Entities [HHS]

Who must comply with HIPAA privacy standards?

By statute, the HIPAA Privacy Rule directly regulates Covered Entities; the HITECH Act and the 2013 Omnibus Rule later made Business Associates directly liable for the requirements that apply to them as well.

Most Covered Entities, however, do not carry out all of their healthcare activities and functions by themselves. Instead, they use the services of a variety of other organizations.

If those services involve creating, receiving, maintaining, or transmitting protected health information (PHI) on the Covered Entity’s behalf, the service organization is a Business Associate.

In summary, the HIPAA compliance regulations apply to both Covered Entities and the Business Associates that serve them, as defined in 45 CFR 160.103.

An organization that meets neither definition is not required to comply with the HIPAA rules, although other privacy laws, such as state health-privacy statutes or the FTC’s Health Breach Notification Rule, may still apply to the health data it handles.

What is a Business Associate?

A Business Associate is a person or entity that performs certain functions or activities regulated by the HIPAA Administrative Simplification Rules that involve the use or disclosure of protected health information for a Covered Entity.

In a nutshell, a Business Associate handles PHI on a Covered Entity’s behalf, and in doing so takes on its own obligations under the HIPAA Privacy and Security Rules.

Read full article: What does it mean to be a Business Associate?

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that a BAA must cover.

If you are a Covered Entity entrusting protected health information to a third party, a Business Associate Agreement is required by law, and it must be in place before the third party receives PHI.

Read full article: Business Associate Agreement Provisions

Is an Employer a Covered Entity under HIPAA?

If an employer provides any of the following to its employees, it is considered a Covered Entity (strictly speaking, the employer-sponsored group health plan is the Covered Entity, and the employer must keep plan PHI separate from its ordinary employment records):

  • Self-funded or self-administered health insurance benefits to their employees
  • Certain wellness programs
  • Employee assistance programs
  • Medical reimbursement accounts
  • On-site clinics (if operated by the employer)

Here’s another important distinction: if an employer receives protected health information while performing services for a Covered Entity or Business Associate, the employer is itself a Business Associate.

Is a Pharmacy a Covered Entity?

Yes. Pharmacies are healthcare providers under HIPAA, and because virtually all of them bill electronically, they conduct standard transactions and are Covered Entities.

Healthcare providers are one of the three categories of Covered Entities.

Is a TPA a Covered Entity?

A TPA, or Third Party Administrator, is typically a company that processes insurance claims and administers employee benefit plans on behalf of a separate entity.

According to HHS, the answer is no: TPAs are not Covered Entities in their own right. A TPA is, however, usually a Business Associate of the health plan it administers, and it needs a BAA with that plan.

As a caveat, if a TPA also acts as a health plan itself, for example by offering group health insurance, it meets the definition of a Covered Entity for that activity.

Are Health Insurance companies Covered Entities?

Yes, Health Insurance companies are classified as Health Plans under HIPAA.

Health Plans are one of the three categories of Covered Entities.

Are you a Covered Entity?

Not sure if you’re a Covered Entity? The Centers for Medicare &amp; Medicaid Services (CMS) put out a useful PDF flowchart called the Covered Entity Guidance tool, as did the Department of Health and Human Services (HHS).

To determine if a person, business, or government agency is a Covered Entity, answer the questions in the guidance tool. If you are uncertain about which set of questions applies, answer all of them.


About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
