A HIPAA covered entity is any organization or individual the federal government legally requires to follow the Health Insurance Portability and Accountability Act. The phrase shows up in compliance training, audit checklists, and Office for Civil Rights enforcement letters, but the actual definition lives in one regulatory paragraph: 45 CFR §160.103. Get that paragraph wrong, and you either drown a small dental office in paperwork it doesn't need, or leave a hospital billing department exposed to six-figure penalties. Neither is good.
So let's clear it up. Three groups qualify as covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with a transaction for which HHS has adopted a standard. That's the entire list. Everybody else (business associates, hybrid entities, employers, schools) sits in a different bucket with different rules. This guide walks through each category, the gray areas, the most common misclassifications, and exactly what a covered entity has to do once it knows it qualifies.
If you're studying for a compliance certification, brushing up before an audit, or just trying to figure out whether HIPAA laws apply to your business at all, the next ten minutes will save you weeks of guessing.
Federal regulators didn't pick three categories by accident. They picked them because each one touches protected health information (PHI) in a fundamentally different way. A surgeon orders a scan. A health plan pays for it. A clearinghouse reformats the bill so the plan can read it. Three different jobs, three different risk profiles, all under one roof called HIPAA.
Here's the part most training videos skim past: being a healthcare provider alone doesn't make you a covered entity. The provider has to transmit health information electronically in connection with a HIPAA-covered transaction. A small-town acupuncturist who only takes cash, hands out paper receipts, and never bills insurance? Technically not covered. The moment that acupuncturist submits one electronic claim to a payer, the entire HIPAA framework switches on.
The same nuance applies to health plans and clearinghouses. We'll break each one apart so you can pinpoint exactly where your organization lands, and what to do about it. For the full statutory backbone, the what is HIPAA overview pulls together the 1996 act and the rules that grew out of it.
Healthcare providers: any provider who transmits health information electronically for a covered transaction.
Health plans: organizations that pay for medical care.
Healthcare clearinghouses: middlemen translating health data between providers and plans.
Healthcare providers form the largest and most visible group of covered entities. Hospitals, doctor offices, dental practices, chiropractors, nursing homes, pharmacies, urgent care centers, optometrists, podiatrists, home health agencies, ambulance services, and mental health practitioners all qualify if they bill electronically. Even solo practitioners in rural areas get pulled in once they file a claim through a clearinghouse or directly with Medicare.
What counts as a covered transaction? Eight specific exchanges for which HHS has adopted a standard: claim submission, eligibility verification, referral certification and authorization, claim status, enrollment and disenrollment, premium payment, coordination of benefits, and payment and remittance advice. Send any of these electronically, or have a billing service or clearinghouse send them electronically on your behalf, and the provider is covered. Send them on paper only? Not covered, but good luck running a modern practice without electronic billing. In practice, almost every provider in the United States qualifies.
One trap worth flagging. Some providers think they escape HIPAA by hiring a billing service. They don't. The billing service becomes a business associate (more on that below), but the provider remains the covered entity. Outsourcing the transaction doesn't outsource the responsibility. Many of the HIPAA violation examples on record involve providers who assumed their vendor would handle compliance for them.
Health plans cover anyone in the business of paying for healthcare. That includes HMOs, PPOs, individual and group health insurance issuers, Medicare, Medicaid, Medicare supplemental plans, long-term care insurance issuers, and employer-sponsored group health plans that either have 50 or more participants or are administered by someone other than the employer that sponsors them (the only group health plans left out are small, self-administered ones with fewer than 50 participants). Veterans' health programs, Indian Health Service, and the Children's Health Insurance Program (CHIP) all count too.
A few specialty insurance products sit outside the definition. Workers' compensation isn't a HIPAA health plan. Neither is automobile medical payments coverage, disability income insurance, or pure life insurance. Why? Because the definition draws the line at insurance products designed primarily to pay for healthcare services, not products that happen to touch medical bills along the way.
Self-insured employer plans deserve their own paragraph. When a company pays employee medical claims directly out of its own funds (instead of buying insurance), the plan itself is the covered entity. The company isn't covered, but the plan it sponsors is, which means the HR staff who administer it are handling PHI on the plan's behalf and the plan documents have to wall that PHI off from the employer's other functions. That's a critical distinction for HR departments, and one of the easiest places to mess up training scope. The HIPAA Privacy Rule spells out the dividing line in detail.
Healthcare clearinghouses are the least-known covered entity type because most patients never see them. A clearinghouse is the middleman that translates health data from one format to another so providers and plans can talk to each other. Think of them as compliance-grade interpreters for the messy world of medical billing.
The regulation names five kinds of organization that typically do this work: billing services that convert nonstandard claims into the standard format (X12 for most transactions, NCPDP for retail pharmacy), repricing companies that adjust charges based on contracted rates, community health management information systems, value-added networks (VANs) that route transactions, and switches that direct data between providers and payers. The test is functional rather than a matter of labels: any entity that turns nonstandard health information into a standard transaction, or a standard transaction into nonstandard content for the receiver, is a clearinghouse.
Clearinghouses face a unique compliance challenge. They handle enormous volumes of PHI but usually don't have a direct patient relationship, which makes patient notification harder during a breach. They are covered entities in their own right, and most of them are simultaneously business associates of the providers and plans they serve. For PHI a clearinghouse handles in that business associate role, §164.500(b) relieves it of most Privacy Rule duties (the customer keeps the patient-facing obligations such as the Notice of Privacy Practices and access rights), but the Security Rule and the Breach Notification Rule apply in full to everything the clearinghouse touches.
Claim submission, claim status inquiries, remittance advice, and coordination of benefits all qualify as covered transactions. A provider who sends any of these electronically pulls itself fully into HIPAA scope, including the Privacy Rule, Security Rule, and Breach Notification obligations that flow from covered entity status.
Eligibility verification, enrollment and disenrollment, premium payments, and referral certification round out the list. Most modern practice management software handles these automatically, which is why almost every active healthcare provider in the country ends up classified as a covered entity in practice.
Phone calls, faxes of paper documents, and paper-only workflows fall outside the definition of electronic transmission (a fax or phone call counts as electronic only if the information already existed in electronic form immediately before it was sent). A provider that exclusively uses paper claims is technically not a covered entity, but the moment any of the 8 transactions go electronic, the whole organization becomes covered. There is no partial coverage.
Business associates aren't covered entities. They're a separate category, but the distinction matters less than you'd think, because the HITECH Act (implemented by the 2013 Omnibus Rule) made BAs directly liable for the full Security Rule and for the Privacy Rule provisions that apply to them. A BA is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or that provides services such as legal, accounting, consulting, or data analysis work to one in a way that involves PHI.
Classic examples? Cloud storage providers, IT support contractors, medical transcription services, third-party billing companies, claims processors, accountants and lawyers who handle PHI during their work, shredding services, data analytics firms, and software vendors whose products touch medical records. Even something as routine as a courier service moving paper charts between offices can qualify.
Two things deserve separate attention here, because people get them backwards. BA status comes from the work, not the paperwork: an organization that creates, receives, maintains, or transmits PHI for a covered entity is a BA whether or not anyone signed anything, and no PHI exposure means no BA status even if the contract says otherwise. The Business Associate Agreement (BAA), a written contract spelling out permitted PHI uses, safeguards, and breach notification duties, is what the rule requires before PHI flows, and a missing one is a violation in itself rather than an escape hatch. The Office for Civil Rights has slapped both covered entities and BAs with fines when one party assumed the other was handling something. Don't assume. Get it in writing.
Subcontractors that handle PHI on a BA's behalf become BAs themselves. The compliance chain runs as deep as the data flows. For a deeper walkthrough of the obligations triggered when you sign one, the HIPAA compliance guide breaks down the operational pieces.
Some organizations only do healthcare work in part of their operation. A state university runs a medical school clinic. A large corporation runs an in-house clinic for employees. A correctional facility provides inmate medical services. These organizations can designate themselves as hybrid entities, meaning only the healthcare-touching components are subject to HIPAA, not the entire organization.
The hybrid designation isn't automatic. It requires a formal written declaration identifying which components handle PHI, called healthcare components, plus internal firewalls that prevent PHI from leaking into the non-covered side of the house. A university that runs a teaching hospital can't share patient records with the admissions office just because they share a parent organization.
The benefit? Compliance scope shrinks dramatically. The risk? Without a valid designation, or with sloppy firewalls, the entire organization is treated as one covered entity, which usually surfaces during an OCR investigation triggered by an unrelated complaint. Hybrid entities have to take their internal walls seriously or skip the designation entirely.
The list of who isn't covered surprises people. Employers, in their role as employers, are not covered entities, even if they hold mountains of employee medical information for FMLA leave, ADA accommodations, or workers' comp claims. Employment records sit under different federal statutes. When an employer sponsors a group health plan, it is the plan, not the employer, that is the covered entity; a fully insured plan that sees only enrollment data and summary health information has very few obligations, while a self-insured plan carries the full set.
Schools? Not HIPAA. They fall under FERPA, the Family Educational Rights and Privacy Act, which has its own rules for student health records held by school nurses. Life insurance carriers, workers' comp insurers, automobile insurance: none are HIPAA covered entities. Fitness apps, wearable trackers, and most direct-to-consumer health platforms aren't either, unless they handle PHI on behalf of a covered entity, which is when a BAA comes into play.
Marketing companies, advertising agencies, and most research organizations sit outside the rules unless they receive PHI directly from a covered entity. Even genetic testing services that operate on a consumer pay-per-use basis often dodge HIPAA, though the FTC (through its Health Breach Notification Rule and Section 5 enforcement) and state laws (California's CMIA, for example) have started filling that gap. The bottom line: HIPAA is narrower than reputation suggests. Plenty of organizations holding sensitive health data face no HIPAA obligations whatsoever.
Once an organization confirms it's a covered entity, the compliance to-do list runs long. Three primary rulebooks apply: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each one carries its own checklist.
Under the Privacy Rule, covered entities must give patients a Notice of Privacy Practices, allow patient access to their own records within 30 days, honor amendment requests, track most disclosures, and limit PHI use to the minimum necessary for the task at hand. Marketing communications need authorization. Fundraising appeals need opt-out language. Psychotherapy notes get extra protection.
The Security Rule layers on technical and administrative safeguards specifically for electronic PHI. Access controls, audit logs, encryption (an addressable specification, so either implement it or document why it is not reasonable and what equivalent measure you use instead), automatic logoff, integrity controls, and transmission security all show up on the list. Administrative pieces include workforce training, risk analysis, contingency planning, and a written security management process. The HIPAA training requirement isn't optional: every workforce member with PHI access needs documented education, refreshed regularly.
The Breach Notification Rule kicks in the moment unsecured PHI is exposed. Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals are reported to the Secretary of HHS on the same timeline, and if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area get notice too. Smaller breaches get logged and reported to HHS annually. The notification clock starts on discovery, not when the entity feels ready to talk about it.
Beyond the rules themselves, every covered entity must designate a Privacy Officer and a Security Officer (the same person can hold both roles in small organizations), maintain written policies and procedures, retain documentation for six years, and conduct regular risk assessments. None of this is optional. A BA can do the work, such as running the risk analysis, but the accountability cannot be outsourced: the covered entity owns it.
An employee, audit, or external party identifies that unsecured PHI may have been disclosed without authorization. The clock starts at the moment any workforce member could reasonably have known about the incident, not when leadership is briefed.
Conduct a four-factor risk assessment under §164.402: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification), the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Unless that assessment demonstrates a low probability that the PHI was compromised, treat the incident as a reportable breach. Document every conclusion.
Lock down the breach source, revoke credentials, recover stolen devices where possible, and patch the underlying vulnerability. Engage forensics if the breach involved an electronic intrusion or ransomware event.
Send written notification to every affected individual via first-class mail (or email if the individual has agreed to electronic notice). Include a description of what happened, the dates of the breach and of its discovery, the types of PHI involved, steps individuals should take to protect themselves, what the entity is doing to investigate and mitigate, and contact procedures for questions (a toll-free number, email address, website, or postal address). Do it without unreasonable delay and never past the 60-day cap.
Report breaches affecting 500 or more individuals to the HHS Secretary within 60 days of discovery, and notify prominent media outlets if more than 500 residents of a single state or jurisdiction are affected. Smaller breaches go into an annual log submitted no later than 60 days after calendar year end.
Update risk analysis, retrain affected workforce, revise policies, and document lessons learned. Many OCR settlements reference inadequate post-breach review as an aggravating factor.
Common compliance failures cluster around predictable mistakes. Missing or stale Business Associate Agreements top the list: covered entities sign with new vendors and forget to update the paperwork, leaving PHI flowing through uncontracted channels. Unencrypted laptops and lost USB drives still account for an embarrassing share of OCR-investigated breaches in 2026, despite a decade of warnings.
Other regulars include weak access controls (everyone sharing one login), no risk analysis on file, untrained new hires touching PHI on day one, social media leaks from clinical staff who forget the policy when scrolling Instagram, and ransomware attacks against organizations that skipped backups. Each of these failure modes has cost covered entities six- and seven-figure settlements. None of them are exotic. They're the same problems showing up in OCR enforcement summaries year after year.
The pattern? Covered entities tend to nail the visible pieces (Notice of Privacy Practices on the wall, training videos completed) and miss the operational pieces that actually prevent breaches. Real compliance lives in workflow, access provisioning, vendor management, and incident response, not in laminated posters.
Worth noting: the Office for Civil Rights has shifted its enforcement focus over the past few years. Patient right-of-access complaints, situations where a person can't get a copy of their own records within the 30-day window, now produce a steady stream of settlements in the $30,000 to $200,000 range. These aren't catastrophic breaches; they're operational failures that snowball into regulatory action because someone ignored a request. Covered entities should treat access requests with the same urgency they'd give a complaint from a state board.
And then there's the BA-side chain reaction. When a business associate suffers a breach, the covered entity's name still ends up on the OCR breach portal (the so-called Wall of Shame, which lists breaches affecting 500 or more individuals). Patients typically sue the covered entity whose name they recognize, not the BA. Reputation damage falls on the covered entity.
That's why vendor due diligence has stopped being a paperwork exercise and started becoming an actual security review: checking SOC 2 reports, asking about penetration testing, requiring breach insurance. A signed BAA is the floor, not the ceiling. For a closer look at how penalties scale across violation tiers, the HIPAA violations reference walks through the four levels and the fine ranges attached to each.
Ready to test what you've absorbed? The questions on this topic show up across nearly every healthcare compliance certification (RHIA, CHPS, CHC, certified HIPAA professional credentials) and most onboarding modules at hospitals and health plans. Recognizing the three covered entity categories is usually a gimme question; spotting hybrid entities and BA subcontractor chains is where exams separate the prepared from the rest.
A handful of scenarios trip up even experienced professionals. The dental office that hires a teen receptionist to scan paper records. The yoga studio attached to a chiropractic clinic. The pharmacy benefit manager that swears it's just processing data. Each one forces a careful read of who is doing what with which PHI, under which contract, for whose benefit. Those are the questions OCR investigators ask, and they're the same questions exam writers love.
The fastest way to build genuine fluency isn't rereading regulation text. It's repeated exposure to scenario questions where you have to classify an organization, identify whether a BAA applies, and pick the right notification timeline. Take the practice quiz when you're ready; fifteen minutes of scenarios will lock in more than another hour of reading.