A $5.1 Million Mistake Started with One Wrong Assumption

In 2017, Memorial Healthcare System paid $5.1 million to settle with the Office for Civil Rights after employees at an affiliated physician practice accessed the protected health information of 115,143 individuals without authorization. The root cause wasn't a sophisticated cyberattack. It was a fundamental failure to understand who was responsible for what under HIPAA — a failure that traces back to one deceptively simple question: Are you a covered entity under HIPAA?

If you get the answer wrong, everything downstream — your training, your policies, your breach response — is built on sand. I've watched organizations spend years operating under the assumption that HIPAA didn't apply to them, only to face an OCR investigation that proved otherwise. So let's break this down with precision.

What Exactly Is a Covered Entity Under HIPAA?

A covered entity under HIPAA is any organization or individual that falls into one of three categories defined by the Department of Health and Human Services:

  • Health care providers who transmit any health information electronically in connection with a HIPAA-covered transaction (claims, eligibility inquiries, referral authorizations, etc.)
  • Health plans, including health insurance companies, HMOs, employer-sponsored group health plans, and government programs like Medicare and Medicaid
  • Health care clearinghouses that process nonstandard health information into standard formats

That first category trips people up constantly. A solo practitioner who submits even one electronic claim is a covered entity. A hospital system with 40,000 employees is a covered entity. The scale doesn't matter. The electronic transaction does.

You can verify the full legal definition at HHS.gov's covered entities page.

The Classification Error That Costs Organizations Millions

Here's what I see in the field more than I'd like to admit: organizations that genuinely believe they aren't covered entities because they don't "deal with insurance" or because they're "too small." Neither of those factors determines your status.

A home health care agency that bills Medicare electronically? Covered entity. A physician practice that submits electronic referral authorizations? Covered entity. A dental office with three employees that files a single electronic claim? Covered entity.

Misclassifying yourself means you skip the workforce training requirements, ignore the Security Rule's administrative safeguards, and fail to implement breach notification procedures. When a breach inevitably occurs, OCR doesn't care that you didn't know. Willful neglect carries penalties up to $2,067,813 per violation category per year under the current penalty structure outlined in 45 CFR Part 160, Subpart D.

Covered Entity vs. Business Associate: The Line That Keeps Shifting

I get this question in almost every consulting engagement: "We handle PHI, but we're not a covered entity — we're a business associate, right?"

Sometimes, yes. A business associate is a person or entity that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information. Think: billing companies, IT vendors with access to ePHI, cloud storage providers hosting patient records.

But here's the critical distinction. If your organization independently meets the definition of a health care provider, health plan, or clearinghouse — and conducts covered electronic transactions — you're a covered entity regardless of whether you also serve as a business associate to another entity. You can be both simultaneously.

Why This Distinction Matters for Enforcement

OCR holds covered entities to a higher standard of accountability. A covered entity must:

  • Appoint a Privacy Officer and a Security Officer
  • Conduct a thorough risk analysis of all ePHI
  • Train every member of the workforce — not just clinical staff — on HIPAA policies
  • Implement breach notification procedures that comply with the Breach Notification Rule
  • Execute Business Associate Agreements with every vendor that touches PHI

Business associates have their own obligations under the HITECH Act, but the buck starts with the covered entity. When Advocate Medical Group paid $5.55 million in 2016 for breaches involving unencrypted laptops, OCR pointed directly at the covered entity's failure to conduct an enterprise-wide risk analysis — not at any downstream vendor.

The Workforce Training Requirement Most Covered Entities Underfund

Section 164.530(b) of the Privacy Rule requires every covered entity to train all workforce members on HIPAA policies and procedures. "Workforce" doesn't mean just employees. It includes volunteers, trainees, and anyone under the organization's direct control — whether or not they're paid.

In my experience, this is where covered entities hemorrhage compliance. They train nurses and doctors but skip the front desk. They onboard new hires with a one-time video but never conduct annual refreshers. They train in-office staff but ignore remote workers handling ePHI from home.

If you run a physician practice or clinical environment, the HIPAA Training for Physicians and Clinical Environments course covers exactly these obligations. For home health agencies navigating the unique challenges of PHI in patients' homes, the HIPAA Training for Home Health Care Agencies addresses mobile workforce scenarios that standard training programs miss entirely.

How Do I Know If My Organization Is a Covered Entity Under HIPAA?

This is the question I hear most frequently, so here's a direct answer. Ask yourself three things:

  • Do you provide health care? This includes physicians, hospitals, nursing homes, pharmacies, dentists, psychologists, chiropractors, home health agencies, and dozens of other provider types.
  • Do you transmit health information electronically in connection with any transaction for which HHS has adopted a standard? The most common: claims, benefit eligibility inquiries, and referral authorizations.
  • Are you a health plan or a health care clearinghouse?

If you answered yes to both of the first two questions, or yes to the third question alone, you're a covered entity. HHS even provides a Covered Entity Decision Tool on CMS.gov to walk you through the determination.

There's no registration process. There's no certificate you receive. You either meet the definition or you don't — and the obligation attaches automatically.

Three Real-World Scenarios That Clarify the Gray Areas

Scenario 1: The Cash-Only Practice

A concierge medicine practice accepts only cash payments and never submits electronic claims. Are they a covered entity? Technically, no — if they truly never conduct any covered electronic transactions. But the moment they electronically submit a single referral authorization or coordinate benefits with a payer, they cross the line. I've seen practices operate in this gray zone for years, then trigger covered entity status with one electronic transaction they didn't even realize qualified.

Scenario 2: The Employer Wellness Program

A large employer runs an in-house wellness clinic for employees. The clinic submits electronic claims to the company's group health plan. That clinic is a covered entity as a health care provider. The group health plan is a covered entity as a health plan. Both have independent HIPAA obligations, and the information cannot flow freely between them just because the same employer runs both.

Scenario 3: The Home Health Agency

A home health care agency provides skilled nursing visits and submits claims to Medicare electronically. This is a textbook covered entity. Every aide, nurse, and administrative staff member who accesses patient information is part of the workforce that must be trained. The challenge? PHI travels into patients' homes on mobile devices, paper charts, and verbal conversations with family members. Standard office-based HIPAA training doesn't address these realities — which is exactly why specialized HIPAA training programs exist for these environments.

What Happens When a Covered Entity Ignores Its Status

OCR doesn't send a warning letter first. They investigate complaints and breaches. By the time they're involved, the damage is done.

Consider the 2018 settlement with Cottage Health. The California health system paid $3 million after two breaches exposed the ePHI of over 62,500 individuals. OCR found that Cottage Health had failed to conduct a risk analysis — a requirement that applies to every covered entity without exception.

The pattern in OCR settlements is remarkably consistent: covered entities that didn't do the basics. No risk analysis. No workforce training documentation. No encryption on portable devices. No business associate agreements. These aren't exotic failures. They're checkboxes that someone skipped because they didn't take their covered entity status seriously enough.

Your Covered Entity Status Isn't Optional — Your Response to It Is

You can't choose whether you're a covered entity under HIPAA. The definition is binary: you either meet it or you don't. But you absolutely choose how you respond to that status.

The organizations I see thrive under HIPAA are the ones that treat covered entity status as an operating framework, not a burden. They invest in workforce training that goes beyond check-the-box compliance. They conduct risk analyses annually, not just when an auditor asks. They build a culture where protecting PHI is as routine as locking the front door.

The ones who struggle? They're still arguing about whether HIPAA applies to them — usually right up until the moment OCR proves that it does.