What distinguishes a HIPAA entity from non-covered entities?

by | Mar 23, 2023 | HIPAA News and Advice

A HIPAA-covered entity refers to healthcare providers, health plans, and healthcare clearinghouses that transmit or store protected health information (PHI) electronically, while non-covered entities encompass entities and individuals who do not electronically transmit PHI in the scope of covered transactions, such as employers, life insurers, government agencies, and certain education institutions. Healthcare professionals and stakeholders engaged in healthcare data management often encounter the delineation between HIPAA-covered entities and non-covered entities. Understanding this distinction is essential to comprehending the regulatory framework that governs the privacy and security of patients’ PHI within the United States healthcare system.

HIPAA Covered Entities               | Non-Covered Entities
-------------------------------------|--------------------------------------
Healthcare Providers                 | Employers
Health Plans                         | Life Insurers
Healthcare Clearinghouses            | Government Agencies
Engagement in Covered Transactions   | Certain Education Institutions
Compliance Obligations               | Lack of Direct HIPAA Compliance
Business Associate Agreements        | Other Regulatory Considerations

Shared Considerations                | Shared Considerations
-------------------------------------|--------------------------------------
Ethical and Privacy Considerations   | Ethical and Privacy Considerations
Data Security                        | Data Security
Data Sharing and Consent             | Data Sharing and Consent

Table: Distinctions Between HIPAA-Covered Entities and Non-Covered Entities

A HIPAA-covered entity is an important term within the regulatory ambit of HIPAA. This term encompasses a triad of integral constituents, namely healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers include entities, ranging from individual physicians and practitioners to expansive hospital systems and clinics, all of which engage in providing medical treatment, diagnosis, and care to patients. Health plans include various insurance schemes, including group health plans, individual health insurance policies, and government-sponsored healthcare programs, which administer, manage, or offer the financial components of healthcare services. Healthcare clearinghouses, in turn, serve as intermediaries that facilitate the processing and conversion of non-standardized data into standardized formats, thereby ensuring seamless interoperability between diverse entities engaged in healthcare transactions.

Non-covered entities include entities and individuals that stand beyond the purview of transmitting PHI electronically in the scope of covered transactions as delineated by HIPAA. This encompasses entities such as employers, who, although they may possess health-related information about employees, do not routinely engage in electronic PHI transactions as part of their core functions. Similarly, life insurers, who collect and use health data to underwrite policies, do not fall within the scope of covered entities because they predominantly operate outside the realm of electronic healthcare transactions. Government agencies, despite their involvement in healthcare activities, also have the status of non-covered entities unless they engage in covered transactions as defined under HIPAA. Certain education institutions, despite their role in maintaining student health records, are considered non-covered entities unless they transmit PHI electronically in covered transactions.

The distinction between HIPAA-covered entities and non-covered entities revolves around the electronic transmission of PHI in the scope of covered transactions. Covered transactions pertain to a set of healthcare-related activities that involve the electronic exchange of healthcare information. These encompass processes such as claims submission, eligibility verification, and payment remittance, among others. Covered entities engage in these transactions as an integral part of their operations, necessitating compliance with the privacy and security standards stipulated by HIPAA. The implications of this distinction ripple across various dimensions of healthcare data management, warranting divergent regulatory obligations. HIPAA-covered entities shoulder the weight of HIPAA compliance requirements to safeguard the privacy and security of PHI. They are mandated to implement comprehensive administrative, technical, and physical safeguards to protect against unauthorized access, use, and disclosure of PHI. These safeguards include access controls, encryption measures, audit trails, and workforce HIPAA training, all geared towards fortifying the integrity and confidentiality of patient information. Covered entities also bear the responsibility of signing business associate agreements with external entities that have access to PHI in the course of providing services, thus extending the web of compliance and accountability.

Non-covered entities, although exempt from the rigors of HIPAA’s Privacy, Security, and Breach Notification Rules, are not entirely devoid of privacy considerations. Ethical considerations, state laws, and industry standards necessitate a certain level of diligence in handling health-related data. Employers, for instance, must navigate the delicate balance between employee privacy and occupational health concerns, steering clear of undue intrusion into sensitive medical information. Life insurers are urged to uphold transparency and fairness in underwriting practices, preventing discriminatory use of health data. Government agencies, in their healthcare roles, must align with relevant regulations that govern their specific activities, even if they do not directly fall under HIPAA’s jurisdiction. Education institutions, likewise, must tread prudently in managing student health records to uphold confidentiality and foster trust.


The dichotomy between HIPAA-covered entities and non-covered entities forms the bedrock of healthcare information management within the United States. The former, encompassing healthcare providers, health plans, and healthcare clearinghouses, navigate the complexity of electronic PHI transactions with unwavering adherence to HIPAA’s regulatory imperatives. Non-covered entities operate beyond the contours of covered transactions but are nevertheless urged to uphold ethical and legal considerations in the handling of health data. This distinction underscores the complicated nature of healthcare privacy, necessitating a comprehensive understanding of regulatory frameworks to ensure the sanctity of patient information within the ever-evolving healthcare industry.
