What is a covered entity under HIPAA?

Mar 24, 2023 | HIPAA News and Advice

A covered entity under HIPAA is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard (such as claims, eligibility inquiries, or payment and remittance advice). Covered entities are subject to HIPAA's Privacy and Security Rules and must safeguard protected health information (PHI). The covered entity concept is central to healthcare data management and privacy protection in the United States. HIPAA, enacted in 1996, and the Privacy and Security Rules later issued under it set out requirements for protecting the confidentiality, integrity, and availability of PHI while still allowing healthcare data to be exchanged among authorized parties. Covered entities are the organizations to which those standards directly apply and against which they are enforced.

Table: Summary of What Constitutes a Covered Entity under HIPAA

Definition: Organizations or entities in healthcare subject to HIPAA regulations to protect patients' PHI.

HIPAA: Abbreviation for the Health Insurance Portability and Accountability Act, enacted in 1996 to set PHI protection standards.

Categories of Covered Entities:
  - Healthcare Providers: Professionals and institutions providing healthcare services.
  - Health Plans: Entities offering health insurance, including government and employer plans.
  - Healthcare Clearinghouses: Intermediaries facilitating electronic healthcare data exchange.

Business Associates: Third-party entities handling PHI for covered entities; required to sign BAAs and comply with HIPAA standards.

Responsibilities of Covered Entities:
  - Implementation of stringent safeguards for PHI protection.
  - Conducting risk assessments to identify vulnerabilities.
  - Providing training to staff regarding privacy and security protocols.

Importance of Compliance: Ensures patient trust, avoids legal penalties, and upholds privacy and security principles in healthcare.

A covered entity is an entity or organization that falls under HIPAA regulations because of the healthcare-related activities it engages in. These entities must adhere to strict privacy and security standards when handling PHI, which is individually identifiable health information held or transmitted by a covered entity or its business associate. Covered entities fall into three primary categories: healthcare providers, health plans, and healthcare clearinghouses. Together these categories form the backbone of HIPAA's regulatory framework.

Healthcare providers are a major category of covered entities under HIPAA. This group includes entities involved in the delivery of healthcare services, ranging from individual practitioners to large healthcare institutions. The term "healthcare provider" is broad and covers physicians and surgeons, hospitals and clinics, dentists, psychologists, chiropractors, nursing homes, and pharmacies.

A healthcare provider is a covered entity only if it transmits health information electronically in connection with a transaction for which HHS has adopted a standard, such as submitting claims or checking eligibility with a health plan. A provider that conducts no such transactions electronically (for example, one that bills patients only on paper) is not a covered entity, even though it furnishes healthcare services. Tying coverage to electronic standard transactions ensures that patient data is protected consistently across healthcare settings and specialties wherever it is exchanged electronically. Covered healthcare providers must adopt a range of measures to protect PHI, including strict access controls, regular risk analyses, workforce training on HIPAA privacy and security policies, and secure electronic systems for transmitting and storing PHI. These requirements are designed to safeguard patient information and protect patients' right to privacy.

Health plans constitute another category of covered entities within the HIPAA framework. Health plans are individual or group plans that provide or pay for medical care, including health insurance companies, government-sponsored healthcare programs, and employer-sponsored group health plans. Examples include private health insurers, Medicare, Medicaid, Health Maintenance Organizations (HMOs), and employee health benefit programs. Unlike healthcare providers, health plans are covered entities regardless of whether they conduct transactions electronically.

Including health plans as covered entities protects patient information throughout the healthcare ecosystem, from the point of care to the management of insurance claims, so that PHI remains confidential and secure as it flows through each stage of a healthcare transaction. HIPAA's Security Rule requires health plans, like all covered entities, to implement administrative, physical, and technical safeguards for electronic PHI. In practice this includes encryption of data at rest and in transit (an addressable specification that must be implemented where reasonable and appropriate, or its absence documented and justified), secure transmission methods, strong authentication, and the designation of a privacy official under the Privacy Rule and a security official under the Security Rule to oversee compliance. These measures are necessary to prevent unauthorized access to sensitive patient data.

Healthcare clearinghouses represent the third category of covered entities under HIPAA. These entities serve as intermediaries in the healthcare data exchange process, facilitating the transmission of electronic healthcare information between different parties. Clearinghouses standardize healthcare transactions, such as claims submissions, to ensure compatibility and efficiency in data exchange. Healthcare clearinghouses typically convert non-standard data formats into standardized formats, or standardized formats back into non-standard ones, making it easier for healthcare providers, health plans, and other entities to exchange information. Examples include electronic data interchange (EDI) services, billing services, and claims processing or repricing entities that perform this conversion. To fulfill their role as covered entities under HIPAA, healthcare clearinghouses must implement data protection measures, such as secure data transmission protocols, adherence to data integrity standards, and strict access controls, to safeguard the confidentiality and accuracy of PHI during the conversion and transmission process.

While these three categories cover organizations within the healthcare industry, HIPAA also extends its reach to business associates. Business associates are third-party entities that create, receive, maintain, or transmit PHI while performing functions or services on behalf of a covered entity. Examples include medical billing companies, IT and cloud service providers that store or process PHI, and law firms providing legal services to healthcare providers. HIPAA requires covered entities to enter into business associate agreements (BAAs) with these third parties before sharing PHI with them. A BAA stipulates the permitted uses and disclosures of PHI and obligates the business associate to apply appropriate safeguards; since the 2013 Omnibus Rule, business associates are also directly liable for compliance with the Security Rule and for certain Privacy Rule requirements, and their subcontractors that handle PHI are themselves business associates. This extends the responsibility for protecting patient data to the wider set of entities involved in healthcare operations and strengthens the overall security and privacy posture of the industry.


Covered entities under HIPAA are healthcare providers that conduct standard transactions electronically, health plans, and healthcare clearinghouses. These entities are responsible for safeguarding PHI through compliance with HIPAA's Privacy and Security Rules. The inclusion of business associates further extends the reach of these regulations, so that patient data remains confidential, secure, and protected throughout its lifecycle within the healthcare ecosystem. Understanding whether an organization is a covered entity, a business associate, or neither is the first step in determining which HIPAA obligations apply to it.
