HIPAA covers three types of organizations: healthcare providers, health plans, and healthcare clearinghouses. But not every organization that handles health information falls into one of these categories, and even within them, there’s an important qualifier that catches people off guard. Healthcare providers, for instance, are only covered if they transmit health information electronically for certain standard transactions.
Healthcare Providers
The first category of covered entities includes any provider of medical or health services. This covers a wide range of professionals and facilities:
- Doctors and clinics
- Dentists
- Psychologists
- Chiropractors
- Nursing homes
- Pharmacies
The list is broad, but there’s a critical catch. A healthcare provider only becomes a HIPAA covered entity if they transmit any information in electronic form in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard. In practice, this means submitting insurance claims electronically, checking a patient’s eligibility with an insurer, or processing electronic referrals and authorizations.
A provider who does everything on paper and never submits electronic claims is technically not a covered entity. That said, this exception is increasingly rare. Almost every provider who accepts insurance submits claims electronically, which pulls them under HIPAA’s requirements. Outsourcing the transmission does not change the answer: a provider whose billing service or other third party submits standard transactions electronically on its behalf is still a covered entity.
The Electronic Transactions That Trigger Coverage
HHS has adopted standards for a specific set of financial and administrative transactions. If a healthcare provider sends or receives any of these electronically, they become a covered entity. The standard transactions include:
- Health claims or equivalent encounter information
- Payment and remittance advice
- Claims status inquiries
- Enrollment and disenrollment in a health plan
- Eligibility checks for a health plan
- Health plan premium payments
- Referral certifications and authorizations
- Coordination of benefits
The key word is “electronic.” Calling an insurance company to check a patient’s eligibility doesn’t count. But if you use a computer system or online portal to run that same check, it does. Since billing software handles most of these functions automatically, the vast majority of providers who interact with insurers are covered entities whether they realize it or not.
Health Plans
The second category covers organizations that pay for medical care. This includes both private insurance and government programs. Health plans under HIPAA include individual and group health insurance, dental and vision plans, HMOs, Medicare, Medicaid, Medicare supplement insurers, and long-term care insurers. Employer-sponsored group health plans also qualify.
Unlike healthcare providers, health plans don’t need to meet an electronic transaction threshold to be covered. If you are a health plan, HIPAA applies to you. The one narrow exclusion is a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it; such a plan is not a health plan under HIPAA’s definition.
One area that trips people up: a self-insured employer’s group health plan is a covered entity, but the employer itself is not. The plan and the employer are legally distinct under HIPAA, even though the employer funds and administers the plan. This matters because it affects what employee health data the employer can access and how it must be handled.
Healthcare Clearinghouses
Clearinghouses are the least well-known category. These are organizations that sit between providers and insurance companies, translating health data from one format into another. When a doctor’s office submits a claim through its billing software, a clearinghouse often converts that data into the standardized electronic format insurers require for processing.
Translating between standard and non-standard transaction formats is what defines a clearinghouse under HIPAA; the definition also sweeps in billing services, repricing companies, and value-added networks and switches that perform this processing on data received from another entity. Clearinghouses function as intermediaries, making it possible for providers using different software systems to communicate with payers who require specific data formats. Companies like Availity, Change Healthcare, and Trizetto are well-known examples in the industry.
Who Is Not a Covered Entity
Many organizations handle sensitive health information but fall outside HIPAA’s reach entirely. Workers’ compensation insurers, workers’ compensation administrative agencies, and employers are not covered entities (unless they also happen to operate a health plan or provider organization). Life insurers are not covered. Neither are schools, most law enforcement agencies, or municipal offices, even when they collect health-related information.
This distinction matters most in the digital health space. Fitness trackers, wellness apps, and consumer health tools that you download on your own typically are not covered entities. An app becomes subject to HIPAA only if it is provided by or on behalf of a covered entity, or if the app developer qualifies as a business associate handling protected health information for a covered entity. The fitness tracker on your wrist, logging your heart rate and sleep patterns, generally operates outside HIPAA entirely. HHS and the FTC jointly offer the Mobile Health App Interactive Tool to help developers determine whether their product falls under HIPAA, the FTC’s Health Breach Notification Rule, or other federal regulations.
Business Associates Are Not Covered Entities
A business associate is a person or company that performs services for a covered entity and needs access to protected health information to do so. Think billing companies, IT contractors, cloud storage providers, or law firms that handle medical records. Business associates have their own obligations under HIPAA, but they are legally distinct from covered entities.
The relationship works through a contract called a business associate agreement. A covered entity must have this agreement in place before sharing protected health information with a vendor that meets the definition of a business associate. The agreement spells out what the business associate can and cannot do with the data and requires appropriate safeguards. Direct liability, however, comes from the law rather than the contract: since the 2013 Omnibus Rule implementing the HITECH Act, business associates are directly liable for their own HIPAA violations and face the same penalty tiers as covered entities, including fines that can reach into the millions for willful neglect.
Hybrid Entities
Some large organizations perform both covered and non-covered functions. A university, for example, might run a hospital (covered) and an engineering school (not covered). These organizations can designate themselves as hybrid entities, which means only the components that perform covered functions are subject to HIPAA’s full requirements. The rest of the organization operates outside HIPAA, as long as proper safeguards separate the covered components from the non-covered ones.
This designation isn’t automatic. The organization must formally identify which parts of its operation are covered healthcare components and implement policies that prevent protected health information from flowing into the non-covered parts. For large employers and universities, this distinction keeps HIPAA from applying to every department and employee across the entire organization.