Who would not be considered a covered entity under HIPAA?

Apr 4, 2023 | HIPAA News and Advice

Entities that are not covered entities under HIPAA include most employers (in their capacity as employers), life insurance companies, and workers’ compensation carriers. None of them is a health plan, a health care clearinghouse, or a health care provider as HIPAA defines those terms, and they do not transmit health information electronically in connection with the standard transactions (claims, eligibility checks, payment and remittance advice) that bring a provider under the rule. The term “covered entity” matters because it marks the organizations that are directly subject to HIPAA’s Privacy, Security, and Breach Notification Rules.

Entities Not Considered Covered Entities Under HIPAA, with the reason for each:

Employers: Not covered in their capacity as employers; a group health plan the employer sponsors is a separate covered entity.
Life Insurance Companies: Life insurance does not provide or pay for medical care, so a life insurer is not a “health plan” under HIPAA.
Workers’ Compensation Carriers: Workers’ compensation is an excepted benefit, expressly carved out of the HIPAA definition of a health plan; their work is claims adjudication.
Property and Casualty Insurers: Liability and automobile medical payment coverage are likewise excepted benefits, not health plans.
Schools: Education, not health care, is their function; student health records held by a school are FERPA education records, which HIPAA excludes from PHI.
Correctional Facilities: Incarceration is the institution’s function; an on-site medical unit that bills electronically can still be a covered provider.
Law Enforcement Agencies: They may receive PHI from covered entities under the Privacy Rule’s law enforcement provisions but are not themselves covered.
Retailers: Retail operations are not health care; an in-store pharmacy or clinic is a health care provider and is covered if it bills electronically.
Religious Organizations: Spiritual guidance is not health care; a hospital or clinic operated by a religious body is covered.
Fitness Centers and Gyms: Fitness and wellness services are not health care treatment, payment, or operations.
Table: Overview of Entities that Do Not Qualify as Covered Entities under HIPAA

The list turns on function, not on industry label. Pharmacies do not belong on it: a pharmacy is a health care provider, and one that bills insurers electronically (virtually all do) is a covered entity. The same logic applies inside the organizations listed. A hospital operated by a religious organization, a prison medical unit, or a retailer’s in-store pharmacy that conducts electronic standard transactions is a covered health care provider, and the parent organization may designate it as a health care component under the hybrid-entity provisions (45 CFR 164.105) so that HIPAA applies to that component rather than to the whole institution.

HIPAA is the legislative framework for safeguarding the privacy and security of individually identifiable health information, referred to as protected health information (PHI). It applies to two kinds of regulated organizations: covered entities and their business associates. A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a HIPAA standard transaction (45 CFR 160.103). Health plans and clearinghouses are covered by definition; a provider is covered only if it conducts those electronic transactions, which in practice means billing or checking eligibility with payers electronically. Covered entities must comply with the HIPAA Privacy, Security, and Breach Notification Rules, which protect the confidentiality, integrity, and availability of PHI. Not every organization that handles health information is a covered entity. The classification depends on what the organization is and what it does with the information, and an organization that is none of the three types, or a provider that conducts no electronic standard transactions, falls outside the definition.

Three categories come up most often. Employers, whatever their size or industry, are not covered entities in their capacity as employers, because employment is neither the provision of health care nor the administration of a health plan. An employer may hold health-related information about its staff, such as medical leave records, fitness-for-duty notes, or benefits enrollment data, but it holds that information as an employer, and mere possession of it does not make the employer a covered entity. Two caveats matter in practice. First, a group health plan that an employer sponsors is itself a health plan and therefore a covered entity (with a narrow exception for self-administered plans with fewer than 50 participants), and the Privacy Rule (45 CFR 164.504(f)) limits what the plan may disclose to the plan sponsor; employees who perform plan administration functions handle PHI in that role even though the employer as such is not covered. Second, other laws still govern employee health information, notably the Americans with Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA), which require such records to be kept confidential and separate from general personnel files. Outside those plan-administration functions, the employer need not meet the HIPAA compliance requirements imposed on covered entities.

Life insurance companies do not qualify as covered entities even though underwriting involves health-related assessments. Life insurance is not a “health plan” under HIPAA: it does not provide or pay for medical care. An insurer may ask an applicant for medical history and may seek records from the applicant’s physicians, but a covered provider can release those records to a life insurer only with the individual’s written HIPAA authorization, because underwriting is not treatment, payment, or health care operations. Once the records are in the insurer’s hands they are no longer PHI under HIPAA; their handling is governed by state insurance privacy laws and other applicable privacy statutes, not by the Privacy or Security Rule.

Workers’ compensation carriers, which pay benefits to employees injured on the job, are likewise excluded. Workers’ compensation is an “excepted benefit” under 42 U.S.C. 300gg-91(c)(1), and the HIPAA definition of a health plan expressly carves out policies and programs to the extent that they provide such benefits. The medical records of an injured worker are plainly relevant to a claim, and the Privacy Rule anticipates this: 45 CFR 164.512(l) permits a covered provider to disclose PHI, without the individual’s authorization, as authorized by and to the extent necessary to comply with workers’ compensation laws. The carrier then uses that information to determine the extent of the injury, assess eligibility, and calculate benefits, an adjudication function that lies outside the scope of HIPAA-regulated activity.

Healthcare professionals, organizations, and other stakeholders need to know where HIPAA’s reach ends. Covered entities are health plans, health care clearinghouses, and health care providers that conduct standard transactions electronically. Employers, life insurance companies, and workers’ compensation carriers, whose functions are neither health care nor health plan administration, do not meet that definition.

Falling outside HIPAA does not end a non-covered entity’s obligations for the health information it holds. Two points deserve attention. First, an organization that is not covered in its own right becomes a business associate, directly liable under the Security Rule and the applicable Privacy Rule provisions, if it creates, receives, maintains, or transmits PHI on behalf of a covered entity (a vendor that processes claims for a health plan, for example). Second, other federal and state privacy and data-security laws continue to apply, and the sensitivity of the information calls for the same care a covered entity would take, whatever the legal label. These organizations remain part of the health information ecosystem, each with its own role and its own set of obligations.
