HIPAA Covered Entities: Who Needs to Comply?

Who qualifies as a HIPAA covered entity? There are three categories: healthcare providers who transmit health information electronically for standard transactions, health plans, and healthcare clearinghouses. If your organization falls into any of these categories, you are required to comply with HIPAA's Privacy, Security, and Breach Notification Rules.
But HIPAA's reach doesn't stop there. Even organizations that aren't covered entities may still need to comply if they handle Protected Health Information (PHI) on behalf of a covered entity. These organizations are called business associates, and they carry their own set of legal obligations under HIPAA.
If you're unsure whether HIPAA applies to your organization, you're not alone. The definitions can be confusing, especially for health tech companies, SaaS businesses, and organizations that sit on the edge of healthcare. This guide breaks down exactly who qualifies, who doesn't, and what compliance looks like once you know where you stand.
What Is a HIPAA Covered Entity?
A HIPAA covered entity is any organization or individual that directly handles PHI through treatment, payment, or healthcare operations. The term comes from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which established national standards for protecting sensitive patient information.
There are three types of covered entities: healthcare providers, health plans, and healthcare clearinghouses. Each has a specific definition under the law, and each is required to comply with the same core set of privacy and security rules.
One important detail that trips people up: the definition is based on what your organization does, not what it's called. A social worker whose activities meet HIPAA's definition of healthcare is a healthcare provider under the law, regardless of their job title. A small clinic that submits insurance claims electronically is a covered entity, even if it only has five employees.
The determining factor is function, not size or label.

The Three Types of HIPAA Covered Entities
HIPAA defines three distinct categories of covered entities. Each category has its own criteria, but all three share the same compliance obligations once they qualify. Here's how each one is defined and who falls into it.
1. Healthcare Providers
Every healthcare provider, regardless of size, who electronically transmits health information in connection with certain standard transactions is a covered entity under HIPAA. Standard transactions include submitting claims, checking benefit eligibility, requesting referral authorizations, and other activities for which HHS has adopted electronic standards.
This category covers a wide range of providers. Hospitals, physicians, dentists, psychologists, chiropractors, nursing homes, pharmacies, and clinics all qualify if they conduct standard transactions electronically.
There's an important nuance here. Simply using electronic technology like email doesn't automatically make a provider a covered entity. The electronic transmission has to be in connection with a HIPAA-standard transaction. A therapist who only accepts cash payments and never submits electronic claims may not be a covered entity. A physician who submits even one electronic insurance claim is.
Not all healthcare providers are covered entities. Providers who don't conduct any standard transactions in electronic form fall outside the definition. This can include some small practices, certain alternative medicine practitioners, and providers who bill patients directly without involving insurance.
2. Health Plans
Health plans are organizations that provide or pay the cost of medical care. This is a broad category that includes many types of entities.
Health plans covered by HIPAA include health insurance companies, dental and vision insurers, prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, Medicare supplement insurers, and long-term care insurers. Employer-sponsored group health plans, government health programs, and church-sponsored health plans also fall under this category.
There are some exceptions. Workers' compensation plans, automobile insurance, and property and casualty insurance are not considered health plans under HIPAA. If an insurance company has multiple lines of business and only one qualifies as a health plan, HIPAA applies only to that specific line of business.
There's also a size-based exemption. Self-administered group health plans with fewer than 50 participants are not required to comply with HIPAA's administrative simplification rules.
3. Healthcare Clearinghouses
A healthcare clearinghouse is a business that processes health information transactions between healthcare providers and health plans. Their primary function is to take data in nonstandard formats and convert it into standard formats (or the reverse) so that transactions like claims, eligibility checks, and payment authorizations can be processed accurately.
Examples of healthcare clearinghouses include billing services, repricing companies, claims management organizations, and community health information systems that help providers and plans exchange data.
Clearinghouses often receive PHI from other covered entities as part of their processing work. Because of this, they must comply with the same HIPAA privacy and security requirements as healthcare providers and health plans.

Covered Entities vs. Business Associates
This is where many organizations get confused. Not every organization that handles PHI is a covered entity. But that doesn't mean HIPAA doesn't apply to them.
A business associate is any person or organization that performs functions or activities involving PHI on behalf of a covered entity. If your company provides services to a hospital, health plan, or clinic, and those services require access to patient data, you are almost certainly a business associate under HIPAA.
Common examples of business associates include IT service providers and managed hosting companies, medical billing and coding services, law firms and accounting firms that access PHI, consultants who perform utilization reviews, independent medical transcriptionists, cloud storage providers that host PHI, and pharmacy benefits managers.
Before a covered entity can share PHI with a business associate, the two parties must execute a written Business Associate Agreement (BAA). This contract establishes what the business associate is permitted to do with the data and requires them to comply with HIPAA's privacy and security requirements.
This isn't just a formality. Business associates are directly liable for compliance with certain provisions of the HIPAA Rules. If a business associate mishandles PHI, both the business associate and the covered entity can face enforcement action.
One more point worth noting: if an entity does not meet the definition of either a covered entity or a business associate, it does not have to comply with the HIPAA Rules. Knowing where you fall in this framework is the first step toward understanding your obligations.
Common Gray Areas: Who Is (and Isn't) a Covered Entity
The three categories above are straightforward in theory. In practice, certain types of organizations raise questions. Here are the situations that come up most often.
- Employers. Employers are generally not covered entities under HIPAA, even if they maintain employee health records. That's because employee health records maintained by an employer in its role as an employer are not used for HIPAA-covered transactions. However, employers who sponsor and administer self-insured health plans may have partial HIPAA obligations related to the plan. In that case, the employer must ensure that PHI collected by the health plan is not used for employment-related decisions.
- Pharmacies. Pharmacies are covered entities. HIPAA's definition of healthcare includes the sale or dispensing of a drug in accordance with a prescription, which means pharmacies qualify as healthcare providers. They must comply with the Privacy Rule, the Security Rule, and the Breach Notification Rule.
- Schools. Schools that employ healthcare providers, such as school nurses or psychologists, are generally not covered entities if those providers primarily serve students and do not conduct standard electronic transactions. Student health records maintained by schools are typically governed by FERPA (the Family Educational Rights and Privacy Act), not HIPAA.
- Health tech companies and app developers. A health tech company or app developer is not a covered entity on its own. However, if it handles PHI on behalf of a covered entity, it becomes a business associate and must comply with HIPAA through a BAA. This is a common situation for SaaS companies that build products for healthcare providers, health plans, or clearinghouses.
- Researchers. Researchers are covered entities only if they are also healthcare providers who transmit electronic PHI for standard transactions. A physician conducting clinical research who also submits electronic claims is a covered entity. A university researcher who receives de-identified data for a study is not.
If you're still unsure, the Department of Health and Human Services offers a free online decision tool on the CMS website that walks you through a series of questions to help determine whether your organization qualifies as a covered entity.
Responsibilities of HIPAA Covered Entities
Once you've determined that your organization is a covered entity, the next question is what compliance actually requires. HIPAA's rules are extensive, but they come down to a core set of obligations that every covered entity must meet.
- Safeguard PHI. Implement administrative, physical, and technical safeguards to protect PHI from unauthorized access, disclosure, or misuse. This includes access controls, encryption, audit logs, and physical security for areas where PHI is stored.
- Designate compliance leadership. Appoint a HIPAA Privacy Officer and a HIPAA Security Officer. These individuals are responsible for developing and enforcing your organization's HIPAA policies. In smaller organizations, one person can fill both roles.
- Train your workforce. Every employee who has access to PHI must receive training on your organization's HIPAA policies and procedures. Training should be role-specific, mandatory, and refreshed annually.
- Execute Business Associate Agreements. Identify every vendor, contractor, and service provider that accesses PHI on your behalf. Execute a compliant BAA with each one before sharing any data.
- Provide a Notice of Privacy Practices. Covered entities must give patients a clear notice explaining how their PHI will be used, disclosed, and protected. This notice must be made available at the first point of service and posted on your website if you have one.
- Respond to patient access requests. HIPAA gives patients the right to access their medical records. Covered entities must have a documented process for fulfilling these requests within 30 days.
- Report breaches. Build and maintain an incident response plan that covers detection, investigation, and notification. If a breach of unsecured PHI occurs, you must notify affected individuals within 60 days, and in some cases notify OCR (the Office for Civil Rights) and the media as well.
Many of these requirements overlap with other compliance frameworks. Organizations that have already implemented ISO 27001 or SOC 2 will find that a significant portion of the technical and administrative safeguards carry over. For a closer look at what happens when these obligations are not met, see our guide on common HIPAA violations and how to prevent them.

How to Determine If HIPAA Applies to Your Organization
Figuring out whether HIPAA applies to you comes down to two questions. First, does your organization meet the definition of a covered entity (healthcare provider conducting standard electronic transactions, health plan, or healthcare clearinghouse)? Second, if not, does your organization handle PHI on behalf of a covered entity as a business associate?
If the answer to either question is yes, HIPAA applies to you.
For organizations that are clearly healthcare providers or health plans, the path is straightforward. For health tech companies, SaaS businesses, and service providers, the answer often depends on the specifics of your contracts and the type of data you handle.
The HHS covered entity decision tool on the CMS website is a useful starting point. It walks you through a series of questions about your organization's activities and tells you whether you meet the definition. But for organizations with complex or evolving relationships to the healthcare industry, a decision tool can only go so far.
If you're building for healthcare or expanding into health-related services and need clarity on your obligations, get in touch for HIPAA compliance services and we'll help you determine exactly where you stand and what you need to do next.
