Covered Entities By HIPAA: Definition, Types, and Compliance Requirements Explained

A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with standard transactions, as defined in 45 CFR 160.103 (HHS). Simply put, if an organization holds patient data and transmits it electronically for billing, eligibility checks, or claims, HIPAA most likely applies. This definition matters because it determines who must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and who may be subject to enforcement in the event of a violation.

These rules are actively enforced by regulators. In 2024, the HHS Office for Civil Rights settled 22 cases with financial fines, with numerous cases being related to simple compliance violations such as the absence of risk assessments and poor protection (HHS OCR, HIPAA Journal). Consequently, the covered entity status influences the legal exposure, financial risk, and patient trust. It also influences the organizational approach to PHI and ePHI, collaboration with vendors, and documentation of compliance.

This article breaks down the types of covered entities, explains the electronic transmission requirement, and walks through responsibilities and risks so business owners can clearly understand where they stand and what steps to take next. If you are unsure how federal rules apply to your operations, this breakdown of entities covered by HIPAA provides additional clarity on classifications and obligations.

Legal Definition Under 45 CFR 160.103

The official HIPAA covered entity definition comes from 45 CFR §160.103, issued by the Department of Health and Human Services (HHS). Under this regulation, a covered entity is any health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form in connection with transactions for which HHS has established standards, including claims, eligibility inquiries, payment requests, or referral authorizations (45 CFR §160.103, HHS).

What matters here is not the size of the organization but the activity. A small clinic, a solo practitioner, or even a startup becomes a covered entity as soon as it performs its first standard electronic transaction. There is no minimum number of patients and no revenue threshold. HIPAA applies whenever a covered transaction is transmitted electronically.

Once this status is triggered, the organization is legally bound by the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. From that point on, the covered entity must safeguard PHI and ePHI, apply the minimum necessary standard, carry out risk assessments, and respond to breaches as federal law requires. Not knowing about the status, or discovering it late, does not shield an organization from enforcement or penalties.

Healthcare Providers

Healthcare providers are individuals or organizations that furnish medical or health-related services and bill for those services. Under HIPAA, a provider is a covered entity only when it transmits health information electronically in connection with standard transactions such as claims, eligibility checks, referrals, or payment inquiries, as specified by HHS.

This requirement is essential. Treating patients or keeping paper records does not by itself make a provider a covered entity. Covered entity status begins as soon as electronic transactions are conducted. That includes using electronic health records, submitting claims to insurers, or using third-party billing platforms. Once triggered, HIPAA applies in full.

From that point on, the provider must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. This covers protecting PHI and ePHI, limiting access to the minimum necessary, training staff, and responding adequately to breaches. Notably, HIPAA compliance requirements do not lessen if the electronic transactions are later discontinued.

Examples of Healthcare Providers Covered by HIPAA

  1. Hospitals and hospital systems

Hospitals and hospital systems are covered entities because they routinely transmit electronic health information for billing, referrals, and care coordination. They handle large volumes of electronic health records and communicate with insurers, laboratories, and specialists through standardized electronic transactions.

  2. Physician practices and clinics

Physician practices and outpatient facilities become covered entities when they submit electronic claims or eligibility verifications to health plans. Small practices are also subject to HIPAA once they use electronic billing or an EHR.

  3. Dentists, orthodontists, and oral surgeons

Dental providers are covered entities when they send patient information electronically to submit an insurance claim or coordinate treatment. This includes general dentists and specialists such as orthodontists and oral surgeons.

  4. Pharmacies (retail and mail-order)

Retail and mail-order pharmacies are covered entities since they receive electronic prescriptions and process insurance transactions. They handle ePHI routinely for medication dispensing and patient billing.

  5. Psychologists, therapists, and counselors

Mental health professionals are covered entities when they transmit health information electronically for payment or administrative purposes. This applies to individual practices, group therapy clinics, and behavioral health providers.

  6. Chiropractors and physical therapists

Chiropractic and physical therapy providers become covered entities when they transmit treatment data electronically or exchange information with insurers over computer networks.

  7. Nursing homes and home health agencies

Long-term care facilities and home health agencies are covered entities because they interact electronically and continuously with health plans, physicians, and care teams.

  8. Laboratories and diagnostic imaging centers

Laboratories and imaging centers are covered entities since they send electronic test results, reports, and billing information as routine healthcare activities.

  9. Telemedicine providers

Telemedicine providers are almost always covered entities because delivering care through digital platforms and remote communication tools depends on the electronic transfer of health information.

  10. Urgent care centers and ambulatory surgery centers

Urgent care clinics and ambulatory surgery centers are covered entities when they file electronic claims, maintain EHRs, or share patient information electronically during treatment and follow-up.

Key clarification

Cash-only healthcare providers that never send health information electronically to complete standard transactions are not covered entities under HIPAA. But once electronic transmission begins, HIPAA requirements apply in their entirety.

Health Plans

A health plan, under HIPAA, is an individual or group plan that provides or pays the cost of medical care. In this category, the covered entity is the health plan itself, not the employer that sponsors it. This matters because HIPAA requirements attach to the plan's activities, its handling of information, and its disclosures of Protected Health Information.

Health plans regularly receive, process, and transmit health information to support enrollment, claims, and payment processes. Because these transactions are electronic, HIPAA applies automatically. Health plans must therefore comply with the Privacy Rule, Security Rule, and Breach Notification Rule. They must also restrict access to PHI, apply the minimum necessary standard, and maintain clear policies on member rights and disclosures.

To understand how HIPAA applies beyond hospitals and clinics, it helps to look at the broader ecosystem of vendors and partners involved in healthcare operations. Many organizations underestimate their responsibilities until they review how HIPAA compliance service providers are defined and regulated. This becomes especially important for IT vendors, cloud platforms, and consultants that touch ePHI at any stage.

Examples of Health Plans Covered by HIPAA

  1. Health insurance companies
    Health insurance companies are covered entities since they handle claims, coverage determinations, and payments through electronic systems that contain PHI.
  2. Health Maintenance Organizations (HMOs)
    HMOs are covered entities since they coordinate care and process electronic health information for both treatment and payment purposes.
  3. Preferred Provider Organizations (PPOs)
    PPOs exchange health information electronically to administer networks, claims, and reimbursements. This activity brings them under HIPAA coverage.
  4. Employer-sponsored group health plans
    Employer-sponsored group health plans are covered entities. Although the employer sponsors the plan, it is the plan itself that carries the HIPAA compliance obligations.
  5. Self-funded employer health plans
    Self-funded plans are covered entities even where the employer pays claims directly. HIPAA applies to how the plan administers and handles its data.
  6. Medicare and Medicare Advantage
    Medicare programs are covered entities since they handle large volumes of electronic health information to serve and pay beneficiaries.
  7. Medicaid and CHIP
    State Medicaid programs and the Children’s Health Insurance Program are covered entities. They handle payments, claims, and eligibility using electronic systems that process PHI.
  8. TRICARE (military health system)
    TRICARE is a covered entity since it provides health benefits to active-duty service members, retirees, and their families. The program processes electronic claims, eligibility data, and treatment information, which makes it subject to the full HIPAA requirements.
  9. Veterans Health Administration programs
    Veterans Health Administration programs qualify as covered entities because they provide and reimburse healthcare services using electronic systems. These programs process large amounts of PHI for treatment, billing, and care coordination.
  10. Federal Employees Health Benefits Program
    The Federal Employees Health Benefits Program is a covered entity since it provides health coverage to federal employees and retirees. Electronic transmission of enrollment information, claims, and payments triggers HIPAA requirements.
  11. Long-term care insurance
    Long-term care insurance plans are covered entities when they provide medical or custodial care and transmit health information electronically. HIPAA governs how such plans gather, store, and share PHI.
  12. Medicare Supplement (Medigap) policies
    Medigap policies are covered entities because they supplement Medicare coverage and rely on electronic health information for claims processing and benefits coordination.

Exceptions

  1. Workers’ compensation carriers

Workers’ compensation insurers are not covered entities because they provide benefits for workplace injuries rather than healthcare coverage as defined under HIPAA.

  2. Auto and casualty insurers

HIPAA does not cover auto and casualty insurance companies because they handle accident-related claims and are not health plans as defined by federal law.

  3. Life insurance companies

Life insurers are not covered entities since their products do not pay for healthcare services and they do not conduct standard HIPAA transactions.

  4. Disability income insurance

Disability income insurers are not covered entities since they provide wage-replacement benefits rather than medical coverage and are not defined as health plans under HIPAA.

Healthcare Clearinghouses

A healthcare clearinghouse is an organization that converts health information received from another entity in a nonstandard format into a standard format. It can also convert standard electronic transactions into nonstandard formats. This definition comes directly from 45 CFR 160.103, published by the Department of Health and Human Services (HHS).

Role as data format intermediaries
Healthcare clearinghouses are technical intermediaries. They generally do not provide medical services or coverage. Instead, they translate, validate, and route health data so that it can flow between health plans and providers. Because this work involves the electronic transmission of PHI and ePHI, clearinghouses are covered entities under HIPAA. Size does not matter; performing the function is what triggers coverage.

Clearinghouses are also essential to claims processing and payment workflows. They must therefore comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and they must maintain effective technical safeguards and thorough audit controls.

Examples of Healthcare Clearinghouses

  1. Medical billing clearinghouses

Healthcare providers submit claims to these organizations, which convert them into standard electronic formats and forward them to health plans.

  2. Claims repricing companies

Claims repricing entities adjust bills according to contract terms. They act as healthcare clearinghouses when they process this data electronically under HIPAA.

  3. Value-added networks (VANs)

VANs securely carry electronic healthcare transactions between payers and providers. HIPAA applies because they handle PHI in standard formats.

  4. Community health information systems

These systems support electronic data sharing among healthcare institutions. When they translate or route standardized transactions, they can meet the definition of a clearinghouse and are then covered entities under HIPAA.

  5. EDI (Electronic Data Interchange) gateways

EDI gateways are classified as healthcare clearinghouses when they transform healthcare data into standard transaction formats. These gateways allow providers and health plans to transmit claims, eligibility requests, and payment data electronically. HIPAA applies to the full scope of an EDI gateway's operations because it processes PHI during these transactions.

  6. Health Information Exchanges (format conversion function)

Health Information Exchanges are covered entities when they convert data between standard and nonstandard formats. An exchange that merely stores or routes information without converting it may instead be a business associate. Once it converts data formats, however, it becomes a healthcare clearinghouse.

Functions of Healthcare Clearinghouses

Data standardization and format conversion
Healthcare clearinghouses convert health data into standardized formats so it can move between different systems. This lets providers and health plans communicate without compatibility problems, and standardization also reduces processing delays and errors. Because PHI is actively processed during conversion, strong technical safeguards are required.

Error checking and validation
Clearinghouses check transactions for missing data, incorrect fields, and irregular formatting before submitting them. This improves claim acceptance rates and reduces rework for providers. Error checking also protects data integrity during transmission, and regular validation supports compliance and audit readiness.

Transaction routing between providers and payers
Clearinghouses securely route electronic transactions between health plans and healthcare providers. These transactions include claims, eligibility requests, and payment confirmations. Routing must be accurate and timely to support patient care and billing. Because the PHI is electronic, HIPAA security controls must be applied at every step.

Standard HIPAA Transactions (Covered Transactions)

The Department of Health and Human Services (HHS) adopted national standards for specific electronic healthcare transactions under 45 CFR Part 162. These are referred to as standard transactions. HIPAA applies when a healthcare provider transmits health information electronically in any of these transactions. This follows from the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act. The rule ensures that providers and health plans use uniform formats when exchanging electronic data.

Conducting any of these standard transactions electronically typically triggers covered entity status. The format must conform to the standards adopted by HHS. Once that happens, the organization falls under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The key covered transactions under 45 CFR Part 162 are listed below.

Healthcare Claims and Claim Status

Healthcare claims are requests for payment sent to a health plan. Claim status transactions let providers determine whether a claim has been received, approved, denied, or is pending. Because these transactions involve protected health information, HIPAA protections apply. Electronic claims submission is one of the most common triggers of covered entity status.

Eligibility Inquiries and Responses

Eligibility transactions enable providers to verify the active coverage of a patient. These electronic communications entail benefit information and coverage limits. Patient data is transferred among systems, which makes protection by HIPAA necessary. This procedure assists the providers in preventing billing mistakes.

Referral Certification and Authorization

Referral and authorization transactions involve seeking approval for specific treatments or services. These exchanges contain patient and clinical data. Because PHI is transferred electronically, HIPAA requirements must be followed. Proper authorization prevents disputes and delays.

Payment and Remittance Advice

In payment transactions, the health plan sends reimbursement information to providers. Remittance advice details what has been paid, adjusted, or denied. These transactions carry patient identifiers and treatment codes and are therefore subject to the HIPAA transaction standards.

Premium Payments

Premium payment transactions involve the electronic transfer of premium payments from employers, individuals, or government programs to health plans. These transactions include enrollment and coverage details. Because the data is transmitted electronically, HIPAA rules apply.

Enrollment and Disenrollment

Enrollment transactions add individuals to a health plan. Disenrollment transactions remove them from coverage. Both involve electronic data interchange containing health and personal information, and are therefore governed by HIPAA.

Benefits Coordination

Coordination of benefits transactions establish the order of payment when a patient is covered by more than one insurer. These exchanges contain detailed health and coverage information. Because PHI is shared among plans, HIPAA protections are mandatory.

Electronic Prescribing

Electronic prescribing enables providers to transmit prescription information to pharmacies. Such a transaction involves patient identifiers and medication details. HIPAA will be applicable since the information will be transmitted electronically. There should be protection of ePHI through secure transmission standards.

Common Business Associate Examples

Under HIPAA, a business associate is any person or organization that performs services for a covered entity and handles Protected Health Information (PHI) in doing so. This definition is set out in 45 CFR 160.103, published by the Department of Health and Human Services. Business associates do not provide direct medical care or insurance coverage. Nevertheless, they create, receive, maintain, or transmit PHI on behalf of a covered entity. Because of that access, they must comply with the HIPAA Security Rule and certain Privacy Rule requirements.

Working with business associates also requires structured oversight. Organizations often rely on a formal HIPAA compliance checklist to verify vendor safeguards, documentation, and contractual protections. The following are typical business associates encountered by healthcare organizations.

EHR and EMR Software Vendors

Providers commonly host, archive, or store patient data with electronic health record vendors. These vendors are business associates because they hold electronic protected health information (ePHI). HIPAA obligations apply even if they do not access the records day to day, so a Business Associate Agreement (BAA) is required.

Cloud Storage and Hosting Providers

Cloud providers that store backups, databases, or application environments containing PHI are business associates. They must adopt strong security measures such as encryption and access controls. HIPAA applies to them directly because they store ePHI on behalf of covered entities.

Medical Billing Companies

Billing firms prepare claims and handle reimbursement on behalf of healthcare providers. In doing so, they receive patient names, treatment codes, and payment details. They are business associates because they transmit PHI electronically in standard transactions.

IT Support and Managed Service Providers

IT vendors may manage networks, servers, and security systems that hold PHI. They can access patient records even if they never view them. That access makes them business associates under HIPAA.

Legal and Accounting Firms

Law firms and accounting firms become business associates when they access PHI to deliver their services. For example, legal counsel may review patient files during litigation, and accountants may review billing records during audits. A BAA is required in such cases.

Consultants and Auditors

Compliance consultants and security auditors are often given access to systems containing PHI. Because they can reach sensitive information during assessments, HIPAA applies to their activities.

Transcription Services

Medical transcription companies convert voice recordings into written medical records. Because the recordings contain health information identifiable to an individual, these companies handle PHI directly and are business associates.

Shredding Companies

Document destruction companies that destroy paper records containing PHI are business associates. Under HIPAA, secure shredding is mandatory, and having access to such records creates compliance obligations.

Data Analytics Firms

Analytics firms hired to process patient data and produce reporting or operational insights on behalf of covered entities access PHI. They must therefore follow the HIPAA security standards and sign a BAA.

Claims Processors

Third-party claims processors review and pay healthcare claims. Because they operate electronically, they store and transmit PHI and therefore fall into the business associate category.

Who Is NOT a HIPAA Covered Entity

HIPAA does not apply to every organization that handles health-related information. The law applies only to health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in standard transactions. As a result, many businesses that handle medical data in other settings are not covered entities. Some of them may nonetheless be subject to other federal or state privacy regulations.

The following are typical examples of organizations not classified as covered entities in HIPAA.

  • Employers maintaining employee health records in their role as employers
    When employers keep health information for hiring, sick leave, workplace injury files, or benefits administration, they are not covered entities. HIPAA does not treat employment records as protected health information. But when the employer sponsors a group health plan, that plan is a covered entity.
  • Life insurance companies
    Life insurers are not covered entities since they do not provide or pay for healthcare services as defined by HIPAA. Although they gather medical data during underwriting, they are subject to other insurance and privacy regulations.
  • Workers’ compensation carriers
    The HIPAA definition of a covered entity does not apply to workers’ compensation insurers. They provide job-related injury benefits rather than health plan coverage.
  • Property and casualty insurers
    Auto and casualty insurers process accident claims and liability coverage. They are not covered entities since they are not health plans under HIPAA.
  • Schools and universities
    HIPAA generally does not apply to educational institutions; the Family Educational Rights and Privacy Act (FERPA) does. Student health records kept by schools are typically protected by FERPA rather than by the HIPAA Privacy Rule.
  • Research organizations (unless partnered with a covered entity)
    Independent research institutions are not covered entities unless they act as a healthcare provider or health plan. However, when they receive PHI from a covered entity, they may be business associates and must follow HIPAA under a business associate agreement.
  • Providers who never transmit electronically and accept cash only
    A healthcare professional who never conducts standard electronic transactions and handles all payments in cash is not a covered entity. HIPAA applies only where standard transactions are transmitted electronically.
  • Consumer health and wellness apps not affiliated with covered entities
    Standalone health apps that collect fitness or wellness data without interacting directly with a healthcare provider or health plan are not covered.
  • Fitness trackers not integrated with covered entities
    Standalone fitness devices that track steps, heart rate, or sleep patterns are not covered entities under HIPAA. But when their data is sent directly into a provider's electronic health record system, HIPAA protections can apply.

Special Case: Hybrid Entities

Some organizations perform both healthcare and non-healthcare functions. In such cases, HIPAA allows the organization to designate itself a hybrid entity under 45 CFR 164.103, issued by the Department of Health and Human Services. A hybrid entity is a single legal entity whose activities include both covered and non-covered functions.

First, the organization must formally designate its healthcare component. It does this by identifying the division or unit that performs covered entity activities, such as delivering medical care or conducting health plan transactions. Only the designated healthcare component is subject to full HIPAA compliance. HIPAA does not directly regulate the rest of the organization unless it supports the healthcare component.

For example, a university may operate a medical center, student health clinic, and academic departments. The university can designate its medical center as the healthcare component. In that case, HIPAA applies fully to the medical center but not to departments such as admissions or athletics. However, the university must create firewalls and safeguards to prevent improper sharing of protected health information between components.

This framework helps large organizations manage compliance more efficiently. Nevertheless, it requires clear documentation, well-defined boundaries, and robust internal controls to remain compliant.

Final Words: Simplifying HIPAA Compliance With the Right Guidance

HIPAA compliance is not a one-time project. Instead, it is an ongoing responsibility that affects how organizations protect patient data, manage vendors, and respond to security risks. As regulations evolve, businesses must update policies, strengthen safeguards, and maintain workforce awareness. In the absence of a formal compliance plan, organizations tend to have problems in the evaluation of risks, documentation, and vendor management. In the long run, these loopholes may result in breaches, fines, and the mistrust of patients. Many organizations address this challenge through structured HIPAA compliance consulting services that translate regulatory language into actionable security controls and documentation practices.

FortNexShield assists organizations in the partner-driven approach. It does not provide direct compliance tools but rather introduces businesses to trusted and pre-vetted compliance service providers. This model assists organizations in identifying solutions that fit their industry, budget, and technical requirements. This means that business owners will be able to concentrate on business operations as compliance professionals deal with complicated regulatory issues.

Ready to Strengthen Your HIPAA Compliance?

Connect with FortNexShield to:

  • Get matched with verified HIPAA compliance partners
  • Receive tailored recommendations based on your organization’s risk profile
  • Improve audit readiness and safeguard patient data
  • Build a long-term compliance roadmap

Schedule a consultation today and take the next step toward confident HIPAA compliance!

Is my small practice a covered entity?

Yes. If your practice exchanges health information electronically for standard transactions such as claims or eligibility checks, you are a covered entity. Under HIPAA, size does not matter. A solo provider is covered as soon as electronic billing begins. However, if you operate cash-only and never transmit electronic transactions, HIPAA does not apply.

Does using a billing service make me a covered entity?

Using a billing service does not by itself establish covered entity status. Rather, your practice becomes a covered entity when it transmits electronic health information in standard transactions. The billing firm is then your business associate, and you must sign a business associate agreement to meet HIPAA requirements.

Are all insurance companies covered entities?

No, not every insurance company is covered. Coverage applies to health insurance companies and health plans because they pay for medical care. Life insurance companies and auto insurance companies are not covered entities under HIPAA. The distinction is whether the company acts as a health plan under federal regulations.

Can an organization be both a covered entity and a business associate?

Yes, in some cases. A hospital is a covered entity when it provides care. If that same hospital provides data processing services to another provider, it can be a business associate of that provider. The role depends on the activity being performed.

What is the difference between PHI and ePHI?

Health information that is individually identifiable in any form is considered to be protected health information (PHI). Electronic protected health information (ePHI) is defined as PHI that is electronically created, stored, or transmitted. Although both are to be safeguarded, the HIPAA Security Rule is directly applicable to ePHI.

How long must I keep compliance documentation?

HIPAA requires covered entities and business associates to retain policies, procedures, and related documentation for at least 6 years. The period runs from the date the document was created or the date it was last in effect. Proper record retention supports audit readiness and helps demonstrate compliance if an investigation occurs.

What should I do if I discover a breach?

First, contain the incident and stop any further unauthorized disclosure. Next, conduct a risk assessment to determine whether the breach is reportable. Then follow the HIPAA Breach Notification Rule, which may require notifying affected individuals and the Department of Health and Human Services. A quick response limits HIPAA non-compliance penalties and preserves trust.

Are volunteers subject to HIPAA?

Yes. Volunteers of a covered entity are considered part of its workforce under HIPAA. They must therefore follow the same privacy and security policies as paid employees. Training and supervision are necessary to prevent unauthorized access to or disclosure of protected health information.