What Is a Covered Entity Under HIPAA? 2024 Guide

A HIPAA covered entity refers to a specific type of organization or individual that must comply with the Health Insurance Portability and Accountability Act (HIPAA) rules and regulations to protect health information. Covered entities generally fall into three primary categories: healthcare providers, health plans, and health care clearinghouses. These entities are responsible for safeguarding electronically transmitted health information through the implementation of strict privacy and security measures.

In this article, we will delve deeper into the specifics of each category of HIPAA covered entities, as well as the responsibilities and requirements they must uphold to maintain compliance with HIPAA standards.

What is a HIPAA Covered Entity?

A HIPAA covered entity refers to an individual, institution, or organization that handles protected health information (PHI) electronically and is subject to the regulations outlined under the Health Insurance Portability and Accountability Act (HIPAA). These entities play a critical role in maintaining the privacy and security of individuals' health information.

HIPAA Covered Entity Definition

Under HIPAA, covered entities are defined as health plans, health care clearinghouses, and certain health care providers who transmit electronic health information in transactions for which the Department of Health and Human Services (HHS) has established standards. Some examples of these covered entities include:

  • Health insurance companies
  • Physicians
  • Employers with employer-sponsored health plans
  • Medicare and Medicaid programs

Covered entities must adhere to the administrative simplification regulations set forth by HIPAA, which include privacy, security, enforcement, and breach notification rules. Additionally, covered entities are required to provide individuals with certain rights concerning their health information, such as access to their records or the ability to request amendments.

Who are Covered Entities Under HIPAA?

This section will discuss the three main types of covered entities: health plans, health care providers, and healthcare clearinghouses.

Health Plans

Health plans typically include, but are not limited to:

  • Health insurance companies
  • Health maintenance organizations (HMOs)
  • Employer-sponsored health plans
  • Government programs (e.g., Medicare, Medicaid)
  • Military and veterans’ health programs

These entities are responsible for financing and managing health care services for their members. Health plans must adhere to HIPAA regulations to safeguard the privacy and security of protected health information.

Health Care Providers

Health care providers comprise individuals and organizations that provide health care services to the general public. Covered entities in this category include, among others:

  • Physicians
  • Clinics
  • Dentists
  • Pharmacists
  • Psychologists
  • Chiropractors
  • Nursing homes

Healthcare Clearinghouses

Healthcare clearinghouses are entities that process health information from one format to another according to the specific needs of a receiving entity. Examples of clearinghouses are:

  • Billing services
  • Re-pricing companies
  • Value-added networks (VANs)
  • Claims management companies

These entities play a crucial role in the healthcare industry by ensuring efficient and accurate data exchange. As they handle sensitive health information, they must also adhere to HIPAA guidelines.

Exemptions from HIPAA: Who Would Not Be Considered a Covered Entity Under HIPAA?

While HIPAA regulates many entities involved in healthcare, several exceptions and exemptions exist for certain organizations and individuals. Public schools, colleges, and other educational institutions that provide medical services to their students, or to staff as an employment benefit, are not treated as covered entities under HIPAA.

Regarding health plans, exceptions include self-funded and self-administered employer health plans with fewer than 50 participants. Additionally, state-funded health programs might not strictly adhere to HIPAA requirements due to distinct state-level regulations.

Excepted benefits, such as accident, disability, dental, or vision-only coverage, are another category exempt under HIPAA. These benefits usually stand alone and do not have to comply with the same standards as comprehensive health plans.

Consultants, such as independent medical transcriptionists, who do not meet the criteria of being a covered entity or a business associate, are not required to comply with HIPAA regulations. However, if they access protected health information (PHI) while providing services to a covered entity, they may still be considered a business associate and consequently need to comply with the related requirements.

In some cases, rural ambulance services and other healthcare providers who do not transmit PHI electronically are also excluded from the definition of HIPAA covered entities. This is because the HIPAA Privacy Rule applies mainly to providers who electronically transmit health information in connection with certain transactions.

Is an Employer a HIPAA Covered Entity?

In certain circumstances, HIPAA may apply to employers, particularly those who sponsor employer-sponsored group health plans for their employees. While employers themselves are not considered covered entities under HIPAA, they may be bound by the same rules as a HIPAA covered entity in specific situations.

Employers that directly handle or transmit protected health information (PHI) through their sponsored health plans could find themselves subject to HIPAA regulations. It is crucial for employers to understand these circumstances to avoid potential violations of HIPAA. If an employer is not involved in any healthcare-related transactions, it is less likely that they will be classified as a covered entity.

Employer-sponsored group health plans are generally required to comply with HIPAA privacy and security requirements. This includes providing employees with rights over their PHI and safeguarding electronic protected health information (ePHI). Moreover, employer-sponsored health plans must adhere to the privacy, breach notification, and security provisions of the HIPAA rules.

Here are the types of employers that may be subject to HIPAA:

  • Employer-sponsored group health plans: These plans often involve employers handling sensitive information about their employees' health, such as insurance enrollment or coordination of healthcare benefits. It is essential for employers to implement adequate privacy and security measures to protect this data.

  • Fully-insured group health plan: This form of health plan is more complicated because the insurance carrier carries the responsibility of ensuring HIPAA compliance. However, if the employer receives PHI from the insurance provider, they must still adhere to HIPAA requirements when it comes to safeguarding the information.

Remember that not all employers will be considered covered entities under HIPAA. Still, it is always a good practice for organizations to remain informed about the HIPAA compliance requirements and ensure that their employees' health information is adequately protected.

Are Pharmacies Classified as Healthcare Providers?

Pharmacies play a crucial role in the healthcare system, as they are responsible for the dispensing of medications, providing health advice, and offering various health services. Given their importance in the sector, it is essential to understand whether pharmacies are classified as healthcare providers and if they fall under the Health Insurance Portability and Accountability Act (HIPAA) regulations.

As per the HIPAA guidelines, healthcare providers encompass a diverse range of medical facilities, including hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, home health agencies, and pharmacies. Therefore, pharmacies are considered healthcare providers in the context of HIPAA. This classification is due to their involvement in furnishing, billing, or receiving payment for healthcare services.

Moreover, the Administrative Simplification Regulations define healthcare as including the "sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription." This definition clearly encompasses the primary functions of a pharmacy, reinforcing their classification as healthcare providers.

Since pharmacies qualify as healthcare providers, they fall under the jurisdiction of the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E), which requires them to have appropriate safeguards to ensure the protection of protected health information (PHI). These safeguards apply to all facets of their operations, including the storage and transmission of, and access to, patients' PHI.

If a pharmacy engages with business associates, HIPAA mandates the establishment of a business associate agreement (BAA) between the parties to ensure both entities comply with data privacy and security requirements.

Are Schools Providing Healthcare Services HIPAA Covered Entities?

Schools often employ healthcare providers, such as school nurses, physicians, and psychologists. However, they are generally not considered HIPAA covered entities if they primarily provide services to students. This is because HIPAA (Health Insurance Portability and Accountability Act of 1996) typically covers entities that engage in specific electronic transactions, like billing health plans for their services.

In some cases, a school or university might become a HIPAA covered entity. This occurs when the institution offers healthcare services to the public or non-student employees and conducts electronic transactions that the Department of Health and Human Services (HHS) has adopted standards for. Schools that provide healthcare services and are identified as covered entities must adhere to HIPAA regulations to protect the privacy and security of health information and grant certain rights to individuals regarding their health information.

On the other hand, educational institutions also need to comply with the Family Educational Rights and Privacy Act (FERPA) for the protection of student records. FERPA is a federal law that governs the privacy of student education records. It gives parents and students specific rights concerning these records and sets limits on how schools can disclose such information.

There is some overlap between HIPAA and FERPA, specifically concerning personal health information within student records. In general, FERPA takes precedence over HIPAA in educational settings. HIPAA's privacy rules allow covered healthcare providers to share personal health information with school nurses, physicians, and other healthcare providers employed by the institution.

Key Takeaways on Covered Entity HIPAA Definition & Examples

Covered entities under the Health Insurance Portability and Accountability Act (HIPAA) are responsible for protecting the privacy and security of individuals' health information. These entities include health plans, healthcare clearinghouses, and specific healthcare providers who submit electronic transactions related to individuals' health records.

By understanding the definitions and examples of covered entities, we can better grasp their role in maintaining the privacy and security of individuals' health information under HIPAA regulations.
Who should HIPAA complaints be directed to within the covered entity?

If you have a HIPAA complaint, it should be directed to the covered entity's privacy officer or the designated contact person responsible for HIPAA compliance. This individual is in charge of ensuring the organization's policies and procedures align with HIPAA privacy, security, and breach notification rules. If the issue is not resolved internally, you can file a complaint with the Office for Civil Rights (OCR).

What is the difference between a HIPAA Covered Entity and a Business Associate?

A HIPAA Covered Entity is an organization that must comply with HIPAA regulations to protect the privacy and security of health information. Covered entities include health plans, health care clearinghouses, and certain health care providers.

A Business Associate, on the other hand, is an organization or individual that performs services on behalf of a covered entity, involving access to protected health information (PHI). Business associates are required to sign a written business associate agreement, outlining their responsibilities to safeguard PHI and comply with HIPAA rules.

Do state laws affect who is a covered entity under HIPAA?

State laws can supplement, but not contradict, HIPAA regulations. In some cases, state laws may provide additional privacy protections for health information, or designate additional entities as covered entities under state law. However, all entities that meet the federal definition of a covered entity under HIPAA must still comply with HIPAA rules, regardless of state laws.

Can a business associate be a covered entity?

Yes, a business associate can also be a covered entity if they perform services that meet the definition of a covered entity under HIPAA. In such cases, the organization is subject to both the requirements of a business associate and a covered entity, and must ensure compliance with all applicable regulations.

What is a healthcare clearinghouse?

A healthcare clearinghouse is an organization that processes nonstandard health information received from another entity into a standard format for data content or electronic transactions, such as claims processing and utilization reviews. Examples of healthcare clearinghouses include billing services, repricing companies, and claims management organizations. As a HIPAA Covered Entity, healthcare clearinghouses must comply with the privacy, security, and breach notification rules set forth by HIPAA.
