What distinguishes a HIPAA entity from non-covered entities?

Mar 23, 2023 | HIPAA News and Advice

A HIPAA-covered entity refers to healthcare providers, health plans, and healthcare clearinghouses that transmit or store protected health information (PHI) electronically, while non-covered entities are entities and individuals who do not electronically transmit PHI in the scope of covered transactions, such as employers, life insurers, government agencies, and certain education institutions. Healthcare professionals and stakeholders engaged in healthcare data management often encounter the difference between HIPAA-covered entities and non-covered entities. This distinction is central to understanding the regulatory framework that governs the privacy and security of patients’ PHI within the United States healthcare system.

HIPAA Covered Entities              | Non-Covered Entities
------------------------------------|------------------------------------
Healthcare Providers                | Employers
Health Plans                        | Life Insurers
Healthcare Clearinghouses           | Government Agencies
Engagement in Covered Transactions  | Certain Education Institutions
Compliance Obligations              | Lack of Direct HIPAA Compliance
Business Associate Agreements       | Other Regulatory Considerations
Shared Considerations               |
Ethical and Privacy Considerations  | Ethical and Privacy Considerations
Data Security                       | Data Security
Data Sharing and Consent            | Data Sharing and Consent

Table: Distinctions Between HIPAA-Covered Entities and Non-Covered Entities

A HIPAA-covered entity is an important term within the regulatory framework of HIPAA. This term covers important constituents, namely healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers include entities, ranging from individual physicians and practitioners to hospital systems and clinics, all of which engage in providing medical treatment, diagnosis, and care to patients. Health plans include various insurance schemes, including group health plans, individual health insurance policies, and government-sponsored healthcare programs, which administer, manage, or offer the financial components of healthcare services. Healthcare clearinghouses serve as intermediaries that facilitate the processing and conversion of non-standardized data into standardized formats, thereby ensuring seamless interoperability between diverse entities engaged in healthcare transactions.

Non-covered entities include entities and individuals that do not transmit PHI electronically in the scope of covered transactions as stipulated by HIPAA. This includes entities such as employers, who, although they might possess health-related information about employees, do not routinely engage in electronic PHI transactions. Similarly, life insurers, who collect and use health data to underwrite policies, do not fall within the scope of covered entities because they predominantly operate outside the realm of electronic healthcare transactions. Government agencies, despite their involvement in healthcare activities, are also non-covered entities unless they engage in covered transactions as defined under HIPAA. Certain education institutions, despite their role in maintaining student health records, are considered non-covered entities unless they transmit PHI electronically in covered transactions.

The distinction between HIPAA-covered entities and non-covered entities revolves around the electronic transmission of PHI in the scope of covered transactions. Covered transactions are a set of healthcare-related activities that involve the electronic exchange of healthcare information. These include processes such as claims submission, eligibility verification, and payment remittance, among others. Covered entities engage in these transactions as part of their operational procedures, necessitating compliance with the privacy and security standards stipulated by HIPAA. The implications of this distinction ripple across various dimensions of healthcare data management, warranting divergent regulatory obligations. HIPAA-covered entities shoulder the weight of HIPAA compliance requirements to safeguard the privacy and security of PHI. They are required to implement administrative, technical, and physical safeguards to protect against unauthorized access, use, and disclosure of PHI. These safeguards include access controls, encryption measures, audit trails, and workforce HIPAA training, all geared toward protecting the integrity and confidentiality of patient information. Covered entities are also responsible for signing business associate agreements with external entities that have access to PHI in the course of providing services, thus extending the web of compliance and accountability.

Non-covered entities, although exempt from the rigors of HIPAA’s Privacy, Security, and Breach Notification Rules, are not entirely devoid of privacy considerations. Ethical considerations, state laws, and industry standards necessitate a certain level of diligence in handling health-related data. Employers, for instance, must balance employee privacy with occupational health concerns, steering clear of undue intrusion into sensitive medical information. Life insurers are urged to maintain transparency and fairness in underwriting practices, preventing discriminatory use of health data. Government agencies, in their healthcare roles, must align with relevant regulations that govern their specific activities, even if they do not directly fall under HIPAA’s jurisdiction. Education institutions, likewise, must prudently manage student health records to protect confidentiality and promote trust.

The dichotomy between HIPAA-covered entities and non-covered entities forms the basis of healthcare information management within the United States. The former, including healthcare providers, health plans, and healthcare clearinghouses, manage electronic PHI transactions with strict adherence to HIPAA’s regulatory requirements. Non-covered entities operate beyond the scope of covered transactions but are nevertheless expected to follow ethical and legal considerations in the handling of health data. This distinction underscores the complicated nature of healthcare privacy, necessitating an understanding of regulatory frameworks to ensure the protection of patient information within the evolving healthcare industry.
