A HIPAA Covered Entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard. Meeting this definition makes the organization directly subject to the administrative, privacy, and security requirements of the HIPAA Administrative Simplification regulations.
Health plans include many types of public and private payers that provide or pay the cost of medical care. Examples include commercial health insurers, health maintenance organizations, certain government programs that pay for care, and employer-sponsored group health plans, with limited exceptions for certain small plans administered only by the employer and maintained without outside administration. When a health plan meets the regulatory definition, it is a covered entity even if it outsources claims processing, member services, or other functions to vendors.
Health care clearinghouses are entities that process nonstandard health information into standard formats, or the reverse, for purposes such as billing and claims. Clearinghouse status depends on the function performed rather than the size of the organization. Some organizations act as clearinghouses only for part of their operations, and the covered entity obligations attach to the clearinghouse function.
Health care providers become covered entities when they transmit health information electronically in connection with a covered transaction. The covered transactions are standardized administrative and financial exchanges such as claims, eligibility inquiries, claim status, referral authorization, and electronic remittance advice. A provider that conducts no standard electronic transactions, and does not use a billing service or other agent to conduct them on the provider’s behalf, does not meet the provider covered entity definition merely by delivering care.
Covered entity status matters because it determines who has direct regulatory duties under the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Covered entities must implement policies and procedures for permissible uses and disclosures of protected health information, provide required notices and individual rights processes, apply workforce access controls and safeguards for electronic protected health information, and execute compliant business associate agreements when another party performs functions involving protected health information on the covered entity’s behalf.
A related concept is the hybrid entity, which is a single legal entity that performs both covered and non-covered functions and designates its health care components for HIPAA compliance purposes. Separate legal entities within a corporate family are not automatically covered entities based on affiliation, and a vendor that handles protected health information is not a covered entity unless it independently meets a covered entity definition. Vendors that create, receive, maintain, or transmit protected health information for a covered entity usually fall under business associate status, which carries its own direct obligations under the HIPAA Security Rule and the HIPAA Breach Notification Rule.
The Official Regulatory Text Relating to HIPAA Covered Entities
45 CFR 160.103 Definitions is relevant because it contains the controlling definition of a covered entity for HIPAA Administrative Simplification. The regulation states “Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” This wording is relevant because it is the legal test used to determine whether an organization is directly subject to requirements under the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.
45 CFR 160.103 Definitions is also relevant because it defines the component terms used in the covered entity definition. The regulation states “Health plan means an individual or group plan that provides, or pays the cost of, medical care.” The regulation states “Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and ‘value-added’ networks and switches, that does either of the following functions: (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.” The regulation states “Health care provider means a provider of services” and includes specified provider types by cross-reference. This wording is relevant because it defines which payer, clearinghouse, and provider functions qualify, and it clarifies that a provider becomes a covered entity when electronic transmission occurs in connection with a covered transaction.