What Is Considered a Covered Entity Under HIPAA?

A covered entity under HIPAA is any organization or individual that falls into one of three categories: health care providers who transmit information electronically, health plans, or health care clearinghouses. If an entity doesn’t fit one of these three definitions, HIPAA’s privacy and security rules don’t apply to it. The distinction matters because covered entities carry specific legal obligations to protect patient health information and grant individuals rights over their own records.

The Three Categories of Covered Entities

HIPAA draws a firm line. Only three types of entities are covered, and each has its own qualifying criteria.

Health care providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies. But there’s an important catch: a provider only becomes a covered entity if it transmits health information electronically in connection with a standard transaction. A therapist who operates entirely on paper records and doesn’t submit electronic claims is technically not a covered entity. In practice, though, nearly every provider today files electronic claims, sends electronic referrals, or checks insurance eligibility online, which pulls them under HIPAA’s umbrella.

Health plans are the second category. This covers a broad range of organizations that pay for or provide the cost of medical care: private health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and Medicare supplemental (Medigap) policies. Long-term care policy issuers and multi-employer welfare benefit plans also qualify. One notable exception: a self-administered group health plan with fewer than 50 participants is not a covered entity.

Health care clearinghouses are the least familiar category for most people. These are organizations that sit between providers and insurers, translating health care data from nonstandard formats into the standardized electronic formats required for claims processing and payment. They’re the only type of covered entity specifically authorized to convert between standard and nonstandard transaction formats.

What Counts as an Electronic Transaction

The electronic transaction requirement is what trips up many providers trying to determine their status. “Electronic” here doesn’t simply mean “uses a computer.” It refers specifically to a set of standard transactions adopted by HHS for the electronic exchange of health care data. These include:

  • Claims and encounter information
  • Payment and remittance advice
  • Eligibility inquiries
  • Claim status requests
  • Enrollment and disenrollment
  • Referrals and authorizations
  • Coordination of benefits
  • Premium payments

If a health care provider conducts even one of these transactions electronically, it qualifies as a covered entity. The standard is low: submitting a single insurance claim electronically is enough. This is why the vast majority of practicing providers in the U.S. are covered entities, even small solo practices.

Business Associates Are Not Covered Entities

HIPAA also regulates a second group called business associates, but they’re legally distinct from covered entities. A business associate is any person or company that performs a service for a covered entity involving access to protected health information. Think billing companies, IT contractors who maintain electronic health records, cloud storage providers, or shredding companies that destroy paper records.

The relationship works through contracts. A covered entity must have a written business associate agreement that spells out what the associate is hired to do and requires them to protect health information under HIPAA’s rules. Business associates are also directly liable for certain HIPAA provisions, meaning they can face penalties on their own, not just through the covered entity that hired them.

The distinction matters for accountability. If you’re trying to determine whether your organization needs to comply with HIPAA, the first question is whether you’re a covered entity. The second is whether you’re a business associate. If the answer to both is no, HIPAA’s rules don’t apply to you.

Hybrid Entities

Some organizations perform both covered and non-covered functions under one legal entity. A university, for example, might operate a medical clinic (covered function) and a research lab that doesn’t engage in standard electronic transactions (non-covered function). HIPAA allows these organizations to designate themselves as hybrid entities.

A hybrid entity must formally define which parts of the organization make up its “health care component.” Only those components are subject to HIPAA’s Privacy and Security Rules. Employees working in a non-covered component, like a research lab excluded from the health care component designation, don’t have to follow HIPAA’s requirements. If the organization chooses not to designate itself as a hybrid entity, then the entire organization and all of its components must comply with HIPAA in full.

Who Is Not a Covered Entity

Many organizations handle health-related information but fall entirely outside HIPAA. Life insurance companies, employers (in their role as employers, not as plan sponsors), workers’ compensation carriers, schools, law enforcement agencies, and fitness apps are not covered entities. An employer that collects sick notes or medical information for leave requests is not bound by HIPAA in that capacity, though other privacy laws may apply.

This is a common source of confusion. People often assume any organization that touches their health data must follow HIPAA. That’s not the case. HIPAA’s scope is deliberately limited to the three categories of covered entities and their business associates. If an entity doesn’t meet any of those definitions, it has no obligation under HIPAA’s rules.

How to Determine Your Status

CMS provides a decision tool that walks through a series of yes-or-no questions tailored to each category. For providers, the key questions are whether you furnish, bill for, or receive payment for health care in the normal course of business, and whether you transmit any covered transactions electronically. For clearinghouses, the tool asks whether you process health information between standard and nonstandard formats on behalf of another legal entity. For health plans, the questions branch based on whether you’re a private benefit plan, government-funded program, HMO, or another plan type, with specific exceptions carved out for small self-administered plans and plans that provide only certain limited benefits.

If you’re uncertain about your organization’s status, the CMS decision tool is the most direct way to get a definitive answer. It follows the same legal definitions that HHS uses for enforcement.