What Is a HIPAA Covered Entity? Definition, Types, and Obligations

Last updated: March 21, 2026

TLDR

A HIPAA covered entity is any health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. Nearly every US medical, dental, or therapy practice qualifies. Covered entities must conduct annual risk assessments, maintain written policies, train staff, sign BAAs with vendors, and report breaches — regardless of practice size.

What Is a HIPAA Covered Entity

HIPAA uses the term “covered entity” to define which organizations the law applies to directly. The definition comes from 45 CFR § 160.103 and covers three distinct categories: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.

The practical trigger for most practices is that last phrase — “transmit electronically.” If your practice submits any electronic claims to Medicare, Medicaid, or a private insurer, you transmit health information electronically. That makes you a covered entity, regardless of your practice size, specialty, or how many patients you see.

The common assumption that HIPAA only applies to hospitals or large health systems is wrong. A solo family medicine physician, a two-person dental practice, and a behavioral health clinic with eight therapists are all covered entities if they bill electronically. In the United States, nearly every licensed healthcare provider is a covered entity.

The Three Types of Covered Entities

Health Plans

Health plans include any individual or group insurance plan, HMO, Medicare, Medicaid, Medicare supplement insurer, or long-term care insurer. Employer-sponsored health plans with 50 or more participants are also covered entities. The defining characteristic is that a health plan pays for or provides healthcare benefits.

Examples: Blue Cross Blue Shield, Aetna, UnitedHealth Group, Medicare Part A and B, state Medicaid programs, employer self-insured health plans with 50+ participants.

Healthcare Clearinghouses

Healthcare clearinghouses are entities that process nonstandard health information into standard electronic formats — or vice versa. They sit between providers and payers, translating billing data. Because they handle large volumes of PHI from many providers, they are covered entities themselves.

Examples: third-party billing companies that reformat claims, repricing companies, community health management information systems.

Healthcare Providers

This is the category that applies to most medical and dental practices. A healthcare provider is a covered entity if they transmit any health information electronically in connection with a transaction covered under HIPAA. Covered transactions include claims, eligibility inquiries, referral authorizations, and remittance advice.

Examples: physicians, surgeons, dentists, orthodontists, chiropractors, optometrists, podiatrists, psychologists, licensed counselors, physical therapists, occupational therapists, speech therapists, hospitals, urgent care centers, ambulatory surgery centers, pharmacies, nursing homes, and home health agencies.

The key word is “any.” A single electronic claim submission is sufficient.

How to Know If Your Practice Is a Covered Entity

Work through this checklist. If you answer yes to any of these, your practice is a covered entity:

  • Do you submit claims electronically to Medicare or Medicaid?
  • Do you submit claims electronically to any private insurer?
  • Do you use a practice management system or billing software that submits claims on your behalf?
  • Do you check patient eligibility electronically?
  • Do you send or receive electronic remittance advice (ERA)?
  • Do you request prior authorizations electronically?

If your practice uses a billing company to submit claims on your behalf, you are still the covered entity — the billing company is your business associate. The outsourcing does not transfer your HIPAA obligations.

The only healthcare providers who are not covered entities are those who operate entirely on cash, never submit any electronic claims, and have no payer relationships. This is rare in modern practice.

What Covered Entities Must Do

HIPAA compliance for covered entities is not optional and is not self-executing. The law requires specific, documented actions:

Annual security risk assessment. You must assess the risks to the confidentiality, integrity, and availability of all PHI your practice creates, receives, maintains, or transmits. This assessment must be documented. Lack of a risk assessment is the most common finding in OCR audits.

Written privacy and security policies. You need documented policies covering how PHI is used and disclosed, who has access, how breaches are handled, how workforce members are trained, and how patient rights are honored.

Workforce training. Every employee and contractor with access to PHI must receive HIPAA training. Training must be documented, including dates and which staff members completed it.

Business Associate Agreements. Every vendor that creates, receives, maintains, or transmits PHI on your behalf must sign a BAA before you share any patient data with them. This includes your EHR vendor, billing company, cloud storage provider, and any software platform that handles patient information. Using a vendor without a BAA is a HIPAA violation even if no breach occurs.

Breach notification. You must have a documented process for identifying, evaluating, and reporting breaches. Breaches affecting 500 or more individuals in a state must be reported to OCR and local media. Breaches of any size must be reported to affected patients within 60 days of discovery.

Privacy officer designation. HIPAA requires you to designate a privacy officer responsible for developing and implementing privacy policies. In a small practice this is often the practice administrator. The designation must be documented.

Business Associates vs. Covered Entities

The distinction matters because it determines who is directly regulated by HIPAA and what contracts are required.

A covered entity creates, receives, or transmits PHI as part of providing or paying for healthcare. HIPAA applies to covered entities directly.

A business associate is a person or entity that performs functions or services on behalf of a covered entity and, in doing so, creates, receives, maintains, or transmits PHI. Business associates are bound by HIPAA in two ways: contractually, through the BAA they sign with the covered entity, and directly, since the HIPAA Omnibus Rule (2013) extended direct liability to business associates.

Common business associates your practice likely has: EHR vendor, billing company, medical transcription service, IT support company with access to systems containing PHI, cloud storage provider, email service with patient communications, answering service that handles patient calls.

Your obligation as a covered entity: identify every vendor that touches PHI and execute a signed BAA before sharing any patient data. Keep a BAA log so you can produce evidence of signed agreements if OCR comes calling.

PHIGuard includes a signed BAA with every plan — no separate negotiation or legal review required. Every vendor you use to manage practice tasks should offer the same.

DEFINITION

Covered Entity
Under HIPAA, a covered entity is a health plan, healthcare clearinghouse, or healthcare provider that transmits any health information in electronic form in connection with a HIPAA-covered transaction.

DEFINITION

Protected Health Information (PHI)
Individually identifiable health information held or transmitted by a covered entity or business associate, in any form — electronic, paper, or verbal. Includes names, dates, contact information, diagnoses, and payment information when linked to a patient.

DEFINITION

Business Associate Agreement (BAA)
A contract required by HIPAA between a covered entity and any vendor that handles PHI on its behalf. The BAA defines permitted uses of PHI and requires the vendor to protect it under HIPAA standards.

DEFINITION

Office for Civil Rights (OCR)
The division of the US Department of Health and Human Services that enforces HIPAA Privacy and Security Rules and investigates complaints and breaches.

Q&A

What is a HIPAA covered entity?

A HIPAA covered entity is an organization or individual that falls into one of three categories: health plans (insurers, HMOs, Medicare, Medicaid), healthcare clearinghouses (entities that process nonstandard health data into standard formats), or healthcare providers that transmit health information electronically. The electronic transmission requirement is the practical trigger — any provider that submits electronic claims is a covered entity.

Q&A

Which healthcare providers are covered entities under HIPAA?

Doctors, dentists, chiropractors, psychologists, therapists, optometrists, hospitals, clinics, pharmacies, nursing facilities, and any other provider that transmits health information electronically are covered entities. The category is broad by design — if you bill insurance electronically, you qualify.

Q&A

What must a HIPAA covered entity do to comply?

Covered entities must conduct and document an annual security risk assessment, implement written privacy and security policies, train all workforce members on HIPAA, sign Business Associate Agreements with every vendor that handles PHI, maintain a breach notification process, and designate a privacy officer. These are not optional — each requirement is specified in the HIPAA Privacy Rule or Security Rule.

Want to learn more?

Is my small private practice a HIPAA covered entity?

Almost certainly yes. If your practice submits electronic claims to Medicare, Medicaid, or any private insurer — or uses any electronic billing system — you transmit health information electronically and are a covered entity. Solo practitioners, small group practices, and specialty clinics all qualify.

What is the difference between a covered entity and a business associate?

A covered entity creates, receives, or transmits PHI in the course of providing healthcare services. A business associate is a vendor or contractor that handles PHI on the covered entity's behalf — such as a billing company, IT vendor, or software platform. Business associates are not covered entities but are still bound by HIPAA through a signed Business Associate Agreement.

Do covered entities need a HIPAA compliance officer?

HIPAA requires covered entities to designate a privacy officer responsible for policies and procedures. In a small practice this is often the practice administrator or office manager rather than a dedicated compliance hire. The obligation is to designate the role — not to hire a full-time specialist.

What happens if a covered entity fails to comply with HIPAA?

The Office for Civil Rights (OCR) enforces HIPAA. Penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category. Willful neglect with no correction can reach the maximum. State attorneys general can also bring civil actions.