What is a covered entity under HIPAA?

Mar 24, 2023 | HIPAA News and Advice

A covered entity under HIPAA is a healthcare provider, health plan, or healthcare clearinghouse that electronically transmits any health information in connection with transactions such as billing and claims, making them subject to HIPAA’s privacy and security regulations to safeguard protected health information (PHI). A covered entity under HIPAA represents an important concept within the framework of healthcare data management and privacy protection in the United States. HIPAA, enacted in 1996, introduced a set of regulations designed to safeguard the confidentiality, integrity, and availability of PHI while promoting the exchange of healthcare data among authorized entities. Covered entities play a central role in the application and enforcement of HIPAA standards.

What is a Covered Entity under HIPAA? | Description

Definition | Organizations or entities in healthcare subject to HIPAA regulations to protect patients' PHI.
HIPAA | Abbreviation for the Health Insurance Portability and Accountability Act, enacted in 1996 to set PHI protection standards.
Categories of Covered Entities | Healthcare Providers: professionals and institutions providing healthcare services. Health Plans: entities offering health insurance, including government and employer plans. Healthcare Clearinghouses: intermediaries facilitating electronic healthcare data exchange.
Business Associates | Third-party entities handling PHI for covered entities; required to sign BAAs and comply with HIPAA standards.
Responsibilities of Covered Entities | Implementation of stringent safeguards for PHI protection; conducting risk assessments to identify vulnerabilities; providing training to staff regarding privacy and security protocols.
Importance of Compliance | Ensures patient trust, avoids legal penalties, and protects privacy and security principles in healthcare.

Table: Summary of What Constitutes a Covered Entity under HIPAA

A covered entity refers to an entity or organization that is subject to HIPAA regulations because of its engagement in certain healthcare-related activities. These entities are obligated to adhere to stringent privacy and security standards when handling PHI, which includes individually identifiable health information. Covered entities fall into three primary categories: healthcare providers, health plans, and healthcare clearinghouses. Each category includes organizations within the healthcare industry, and together they constitute the backbone of HIPAA's regulatory framework.

Healthcare providers are a major category of covered entities under HIPAA. This group includes entities involved in the delivery of healthcare services, ranging from individual practitioners to large healthcare institutions. The term “healthcare provider” is extensive and covers physicians and surgeons, hospitals and clinics, dentists, psychologists, chiropractors, nursing homes and pharmacies.

Any entity or professional that furnishes medical or healthcare services while transmitting health information electronically is considered a healthcare provider within the scope of HIPAA. This classification is important in ensuring that patient data is protected consistently across various healthcare settings and specialties. Healthcare providers must adopt a range of measures to protect PHI. These include implementing strict access controls, conducting risk assessments, training staff on HIPAA privacy and security protocols, and establishing secure electronic systems for transmitting and storing PHI. These stringent requirements are designed to safeguard patient information and protect their right to privacy.

Health plans constitute another category of covered entities within the HIPAA framework. Health plans are organizations or programs that provide medical coverage, including health insurance companies, government-sponsored healthcare programs, and employer-sponsored health plans. Examples of health plans include private health insurance companies, Medicare, Medicaid, Health Maintenance Organizations (HMOs) and employee health benefit programs.

The inclusion of health plans as covered entities stresses the importance of protecting patient information throughout the healthcare ecosystem, from the point of care provision to the management of insurance claims. This ensures that PHI remains confidential and secure as it flows through various stages of healthcare services. HIPAA mandates that health plans implement administrative, technical, and physical safeguards to protect PHI. This includes encryption of data, secure transmission methods, strict authentication processes, and the appointment of a designated Privacy Officer responsible for overseeing compliance with HIPAA regulations. These measures are necessary to prevent unauthorized access to sensitive patient data.

Healthcare clearinghouses represent the third category of covered entities under HIPAA. These entities serve as intermediaries in the healthcare data exchange process, facilitating the transmission of electronic healthcare information between different parties. Clearinghouses play a key role in standardizing healthcare transactions, such as claims submissions, to ensure compatibility and efficiency in data exchange. Healthcare clearinghouses typically convert non-standard data formats into standardized formats, making it easier for healthcare providers, health plans, and other entities to exchange information seamlessly. Examples of healthcare clearinghouses include electronic data interchange (EDI) services, billing services, and claims processing entities. To fulfill their role as covered entities under HIPAA, healthcare clearinghouses must implement data protection measures, such as secure data transmission protocols, adherence to data integrity standards, and strict access controls, to safeguard the confidentiality and accuracy of PHI during the data conversion and transmission process.

While these categories cover entities and organizations within the healthcare industry, HIPAA also extends its reach to business associates. Business associates are third-party entities that perform functions or services on behalf of covered entities and, in doing so, may come into contact with PHI. Examples of business associates include medical billing companies, IT service providers, and law firms providing legal services to healthcare providers. HIPAA regulations require covered entities to enter into business associate agreements (BAAs) with these third parties. These agreements stipulate that business associates must also adhere to HIPAA’s privacy and security standards when handling PHI. This extends the responsibility for protecting patient data to entities involved in healthcare operations, strengthening the overall security and privacy posture within the healthcare industry.


Covered entities under HIPAA include healthcare providers, health plans, and healthcare clearinghouses, representing organizations and professionals within the healthcare industry. These entities are entrusted with the responsibility of safeguarding PHI through compliance with HIPAA’s privacy and security regulations. The inclusion of business associates further extends the reach of these regulations, ensuring that patient data remains confidential, secure, and protected throughout its lifecycle within the healthcare ecosystem. Understanding the role of covered entities is necessary to promote the principles of patient privacy and data security in healthcare.
