A few years ago, I got a call from the office manager of a chiropractic clinic in Texas. She was panicking. They'd just received a letter from HHS about a patient complaint, and her first question floored me: "We're not a hospital — does HIPAA even apply to us?" It does. And that misunderstanding is more common than you'd think. Covered entities include a much wider range of organizations than most people realize, and getting it wrong puts you on the wrong side of federal law.
What Does "Covered Entities Include" Actually Mean Under HIPAA?
The HIPAA Privacy Rule defines exactly three categories of covered entities. If your organization falls into any one of them, every provision of HIPAA — Privacy, Security, Breach Notification — applies to you. No exceptions, no grace periods.
According to HHS, covered entities include:
- Health care providers who transmit any health information electronically in connection with a HIPAA-covered transaction (claims, eligibility inquiries, referral authorizations, etc.)
- Health plans, including health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and military/veterans' health programs
- Health care clearinghouses, which process nonstandard health information into standard formats (or vice versa)
That's it. Three categories. But the devil is in the details — especially for health care providers, where a single electronic transaction can trigger full HIPAA obligations.
The official definition is spelled out in the HHS covered entity guidance, and I recommend every compliance officer bookmark that page.
The Provider Trap: One Electronic Claim Changes Everything
Here's where it gets interesting. A solo therapist who only accepts cash and keeps paper records? Not a covered entity. But the moment that therapist submits a single electronic claim to an insurer, the entire practice falls under HIPAA.
I've worked with small practices — acupuncturists, physical therapists, optometrists — who assumed HIPAA was a "big hospital thing." It's not. If you're a health care provider and you transmit protected health information (PHI) electronically for any covered transaction, you're in. Period.
And the list of covered transactions is broad. It includes claims, benefit eligibility inquiries, referral authorizations, and enrollment or disenrollment in a health plan. The full list is defined under the HIPAA Transactions Rule at 45 CFR Part 162.
What About Dentists, Chiropractors, and Pharmacies?
Yes, all of them. Dentists who bill electronically are covered entities. Pharmacies that process electronic prescriptions are covered entities. Chiropractors, podiatrists, psychologists — if they transmit any covered transaction electronically, HIPAA applies in full.
That Texas chiropractor I mentioned? They'd been billing insurance electronically for years. They were absolutely a covered entity. They just didn't know it until OCR came knocking.
Health Plans: Bigger Than You Think
When people hear "health plan," they picture Blue Cross or Aetna. But covered entities include employer-sponsored group health plans, even self-insured ones. If your company offers health benefits to employees and that plan has 50 or more participants (or is administered by an outside entity), it's a covered entity under HIPAA.
This catches a lot of HR departments off guard. The employer itself isn't the covered entity — the group health plan is. But in practice, anyone at the company who handles enrollment data, claims, or benefits information on behalf of the plan needs to comply with HIPAA's Privacy and Security Rules.
Government programs qualify too. Medicare Part A, Part B, Part D, Medicaid, CHIP, TRICARE, and the Veterans Health Administration are all health plans under HIPAA.
What About Vision and Dental Plans?
They count. Long-term care plans count. Medicare supplemental policies count. If it meets the definition of a health plan under 45 CFR 160.103, it's a covered entity. The scope is deliberately wide.
Health Care Clearinghouses: The Invisible Middlemen
Clearinghouses are the least understood category. These are entities that sit between providers and payers, converting nonstandard data formats into HIPAA-standard electronic transactions (or the reverse).
Billing services that process claims on behalf of providers often function as clearinghouses. If your organization receives health information from another entity and translates it into a standard format for transmission, you may be a clearinghouse — and therefore a covered entity.
In practice, most compliance questions I field are from providers and health plans. But clearinghouses face the same obligations around PHI, ePHI safeguards, and breach notification.
The $5.55 Million Mistake: When a Covered Entity Forgets What It Is
Advocate Medical Group, a large physician network in Illinois, learned this lesson the hard way. In 2016, OCR settled with Advocate Health Care for $5.55 million after multiple breaches exposed the ePHI of approximately 4 million individuals. Among the findings: inadequate risk analysis and failure to implement policies governing access to PHI across the covered entity's facilities.
The settlement wasn't just about the breach itself. It was about the systemic failure to operate like a covered entity — to conduct the risk assessments, implement the safeguards, and train the workforce that HIPAA demands. You can review this enforcement action on the HHS OCR enforcement page.
That $5.55 million figure should get the attention of every covered entity that's been putting off compliance.
What About Business Associates?
Business associates are not covered entities, but they're directly regulated by HIPAA since the HITECH Act. A business associate is any person or organization that performs a function or activity involving PHI on behalf of a covered entity — think cloud hosting companies, billing firms, IT contractors, or shredding services.
The distinction matters. Covered entities must have a Business Associate Agreement (BAA) in place with every vendor that touches PHI. If you're a covered entity and you skip the BAA, you're liable — even if the vendor is the one who caused the breach.
Quick Reference: How to Know If You're a Covered Entity
Ask yourself three questions:
- Are you a health care provider who transmits health information electronically for any covered transaction? → Covered entity.
- Are you a health plan (insurer, HMO, employer group health plan, government program)? → Covered entity.
- Do you process or facilitate the conversion of health data between nonstandard and standard electronic formats? → Covered entity.
If the answer to any of those is yes, you must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Full stop.
Why This Classification Demands Real Training
Here's the part that keeps me busy. Knowing you're a covered entity is step one. Actually operating like one is where most organizations fall short.
HIPAA requires every covered entity to train its entire workforce — not just clinical staff, but front desk employees, billing teams, IT, even volunteers — on the policies and procedures relevant to their job functions. OCR looks at training documentation in nearly every investigation.
If your physicians and clinical staff need role-specific education, our HIPAA Training for Physicians and Clinical Environments course covers the exact Privacy and Security Rule requirements that apply in clinical settings. For a broader view of available training, visit our full training catalog.
Workforce training isn't optional for covered entities. It's a regulatory requirement under 45 CFR 164.530(b), and OCR has cited training failures in enforcement actions going back over a decade.
Don't Wait for a Complaint to Find Out
That chiropractic office in Texas? They ended up fine — no penalty, just a corrective action plan. But they spent six months and significant legal fees getting there. All because nobody in the office had ever confirmed whether they were a covered entity or understood what that meant.
If you're reading this and you're still unsure whether your organization qualifies, stop guessing. Review the HHS covered entity guidance, run your operations through the three-question test above, and start building a compliance program that matches your obligations.
Because covered entities include far more organizations than most people assume — and OCR doesn't accept ignorance as a defense.