What is a Covered Entity?
A covered entity is an organization that is directly subject to HIPAA regulations. HIPAA defines three categories of covered entities: healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. Understanding whether your organization qualifies as a covered entity is the first step in determining your HIPAA compliance obligations.
The three types of covered entities
Healthcare providers — any provider of medical or health services who transmits health information in electronic form in connection with a HIPAA-covered transaction. This includes:
- Hospitals and health systems
- Physicians and medical practices
- Dentists, chiropractors, and other licensed practitioners
- Pharmacies
- Clinics and urgent care centers
- Nursing facilities
- Home health agencies
The key qualifier is electronic transmission. A healthcare provider that conducts all transactions on paper and never transmits health information electronically may not be a covered entity. However, in practice, nearly all providers today transmit information electronically.
Health plans — organizations that provide or pay for the cost of healthcare. This includes:
- Health insurance companies
- HMOs (Health Maintenance Organizations)
- Employer-sponsored group health plans
- Government programs such as Medicare, Medicaid, and TRICARE
- Long-term care insurance providers
- Employee assistance programs that provide health benefits
Healthcare clearinghouses — entities that process health information received from another entity into a standard format (or vice versa). Clearinghouses typically sit between providers and health plans, translating data into standardized transaction formats.
Covered entity responsibilities
As a covered entity, an organization must comply with all HIPAA rules:
- Privacy Rule — governs the use and disclosure of PHI, grants individuals rights over their health information, and requires privacy notices
- Security Rule — requires administrative, physical, and technical safeguards to protect ePHI
- Breach Notification Rule — mandates notification of affected individuals, HHS, and, in some cases, the media following a breach of unsecured PHI
- Enforcement Rule — establishes penalties for noncompliance
- Omnibus Rule — extends certain requirements to business associates and strengthens breach notification provisions
Covered entity vs business associate
The distinction between covered entities and business associates is critical:
- A covered entity is directly regulated under HIPAA and bears primary responsibility for PHI protection
- A business associate is a vendor or partner that handles PHI on behalf of a covered entity and is regulated through BAAs and certain direct HIPAA obligations
A technology company that builds software for a hospital is typically a business associate, not a covered entity. The hospital is the covered entity. However, both have compliance obligations — the covered entity through direct regulation and the business associate through its BAA and HITECH Act provisions.
Determining if you are a covered entity
To determine whether your organization is a covered entity:
- Does your organization provide healthcare services, operate a health plan, or function as a clearinghouse?
- Does your organization transmit health information electronically in connection with covered transactions (such as claims, eligibility inquiries, or referral authorizations)?
If both answers are yes, your organization is likely a covered entity. If you are unsure, the HHS website provides a covered entity decision tool.
How episki helps
episki helps covered entities manage their HIPAA compliance obligations by tracking required safeguards, documenting policies and procedures, managing business associate agreements, and maintaining breach notification workflows. Learn more on our HIPAA compliance page.