A Covered Entity under HIPAA is an organization or individual that falls into one of three categories regulated by the federal health privacy and security rules: a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a standard transaction. Covered Entity status triggers compliance duties under the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule for the protected health information the entity handles in its covered functions.
Health plans are Covered Entities when they provide, or pay the cost of, medical care and meet the health plan definition used in the HIPAA Administrative Simplification regulations. This category includes most private health insurers, group health plans, and certain public benefit programs such as Medicare and Medicaid. Health plans that are Covered Entities must implement privacy policies, limit uses and disclosures of protected health information to permitted purposes or valid authorizations, provide required notices and processes for individual rights, and maintain administrative, physical, and technical safeguards for electronic protected health information.
Health care clearinghouses are Covered Entities when they process health information from a nonstandard format into a standard transaction, or from a standard transaction into a nonstandard format. Clearinghouse activities typically involve claims, eligibility, remittance, and related administrative data flows between providers and payers. Clearinghouses must apply the HIPAA Privacy Rule and HIPAA Security Rule to the protected health information they create, receive, maintain, or transmit in their clearinghouse role.
Health care providers become Covered Entities when they transmit health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted a standard, such as certain billing and payment transactions. Many providers meet this threshold through electronic claims submission or other standard transactions conducted directly or through a billing service. A provider that only treats patients and maintains records but does not conduct standard electronic transactions does not become a Covered Entity solely by providing care.
Covered Entity status is tied to functions and transactions rather than to professional titles or licensing. Clinics, hospitals, physician practices, dentists, pharmacies, laboratories, and similar provider organizations are commonly Covered Entities because they conduct standard electronic transactions, but the determination always depends on whether the provider actually transmits health information electronically for a covered transaction. A vendor that handles protected health information does not become a Covered Entity on the basis of access alone; it is instead a Business Associate when it performs functions or services on behalf of a Covered Entity that involve protected health information.
Covered Entities can exist within larger organizations that also perform non-covered activities. Such an organization may elect to be a hybrid entity and designate its health care components, in which case HIPAA obligations apply to the designated covered components and the protected health information they handle. The compliance focus is on where protected health information is created, received, maintained, or transmitted for covered functions, and on controls that prevent impermissible uses and disclosures across the internal boundary between covered and non-covered components.
Covered Entities carry direct compliance duties that cannot be contracted away. A business associate agreement is required whenever a third party performs a regulated function involving protected health information on behalf of a Covered Entity, but the Covered Entity retains responsibility for its own policies, workforce controls, access management, disclosures, and breach determinations. Enforcement actions can reach both the Covered Entity and its Business Associates when the failure involves impermissible uses or disclosures or inadequate safeguards for electronic protected health information.
Determining whether an organization is a Covered Entity under HIPAA therefore involves two steps: first confirming that it fits within the health plan, health care clearinghouse, or qualifying health care provider category, and then mapping its handling of protected health information to the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements that apply to its covered activities.
