Last year I got a call from the owner of a medical billing company in Ohio. She'd just received a letter from the Office for Civil Rights — an investigation was underway. Her first question floored me: "Are we even covered by HIPAA?" She'd been in business for eleven years. She handled protected health information for dozens of physician practices. And she genuinely didn't know whether she qualified as a covered entity. That conversation cost her organization over $140,000 in remediation before it was over.
If you've ever searched "a covered entity is" — you're asking the single most foundational question in all of HIPAA compliance. Get this wrong, and everything downstream fails: your training, your policies, your breach notification obligations, your risk analysis. Every bit of it.
Let me break it down the way I wish someone had broken it down for that billing company owner a decade ago.
A Covered Entity Is One of Exactly Three Things
HIPAA doesn't apply to every organization that touches health data. A covered entity is an organization that falls into one of three categories defined under the HIPAA Administrative Simplification provisions at 45 CFR § 160.103:
- Health care providers who transmit any health information electronically in connection with a HIPAA-covered transaction. This includes physicians, hospitals, dentists, chiropractors, nursing homes, pharmacies — even solo practitioners.
- Health plans — health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and military/veterans health programs.
- Health care clearinghouses — entities that process nonstandard health information into standard formats (or vice versa). Billing services and repricing companies often fall here.
That's it. Three buckets. If your organization doesn't fit into one of them, HIPAA's Privacy and Security Rules don't apply to you directly. But here's the catch most people miss.
The Electronic Transaction Trigger for Providers
Being a health care provider alone isn't enough. You become a covered entity when you transmit health information electronically in connection with a transaction that HHS has adopted standards for — claims, eligibility inquiries, referral authorizations, and others. In practice, nearly every provider in the United States does this. If you bill insurance electronically, you're in.
I've met exactly two providers in twenty years who could credibly claim they didn't conduct electronic transactions. Both were cash-only concierge practices. Everyone else? You're a covered entity.
The $5.55 Million Mistake: When a Covered Entity Forgets What It Is
Advocate Medical Group, a large physician network in Illinois, learned this the hard way. In 2016, HHS announced a $5.55 million settlement with Advocate Medical Group after multiple breaches affecting nearly 4 million individuals. Among the findings: the organization failed to conduct an accurate, thorough risk assessment of the potential risks and vulnerabilities to ePHI across its entire enterprise.
This is what happens when a covered entity treats compliance as optional or departmental. HIPAA doesn't let you protect some PHI and ignore the rest. If you're a covered entity, the obligations cover your entire organization — every department, every device, every workforce member.
What a Covered Entity Must Actually Do
Once you confirm that your organization is a covered entity, a specific set of obligations kicks in. These aren't suggestions. OCR enforces them with financial penalties that start at $137 per violation and can reach $2,067,813 per violation category per year (adjusted for inflation under the HITECH Act).
Privacy Rule Requirements
You must limit the use and disclosure of PHI to the minimum necessary for the task at hand. You must provide patients with a Notice of Privacy Practices. You must give individuals access to their own records within 30 days (15 days for ePHI under the proposed rules). You must track disclosures and train every workforce member.
Security Rule Requirements
You need administrative, physical, and technical safeguards for all ePHI. That means a documented risk analysis, access controls, audit controls, encryption decisions, and contingency planning. Every single one of these must be documented — not just implemented, but documented.
Breach Notification Rule
If unsecured PHI is accessed, used, or disclosed in a way not permitted by the Privacy Rule, you must notify affected individuals within 60 days. If the breach affects 500 or more people, you must also notify HHS and prominent media outlets. This is where most covered entities panic — and where OCR investigations often begin.
Workforce training is the thread that ties all of this together. If your staff doesn't know what PHI is, how to handle it, and what to do when something goes wrong, your policies are just paper. That's why I always recommend structured, role-specific training like our HIPAA training for physicians and clinical environments — it addresses the exact scenarios clinical teams face daily.
Covered Entity vs. Business Associate: The Line That Trips Everyone Up
Here's where it gets confusing. A covered entity is the organization directly subject to HIPAA. But if you hire a vendor who handles PHI on your behalf — a cloud storage company, an IT support firm, a shredding service, a billing clearinghouse — that vendor is a business associate.
Business associates have their own direct obligations under HIPAA since the 2013 Omnibus Rule. But the covered entity is responsible for having a signed Business Associate Agreement in place. Skip that step, and you're on the hook even if the vendor is the one who causes the breach.
I've seen this play out repeatedly with home health care agencies. They contract with scheduling platforms, telehealth vendors, and remote monitoring services — all of which touch ePHI. If you're in that space, our HIPAA training for home health care agencies walks through exactly how to manage these relationships and stay compliant.
Who Is Not a Covered Entity?
This matters just as much as knowing who is. The following are not covered entities under HIPAA:
- Life insurers
- Employers (with respect to employment records)
- Workers' compensation carriers
- Most schools and school districts (FERPA applies instead)
- Law enforcement agencies
- Consumer health apps that don't involve a covered entity or business associate
That last one catches people off guard. Your Fitbit data? Your meditation app? Not covered by HIPAA — unless the app is provided by or contracted with a covered entity. The FTC, not HHS, polices those companies.
How Do You Know If Your Organization Is a Covered Entity?
HHS actually built a decision tool for this. The CMS "Are You a Covered Entity?" page walks you through the analysis step by step. I recommend every compliance officer run through it — especially if your organization has changed its operations, added telehealth, or started billing electronically since the last time you checked.
Here's the quick test I use in the field:
- Do you provide, pay for, or process health care?
- Do you transmit any health information electronically in a standard transaction?
If both answers are yes, you're almost certainly a covered entity. And HIPAA's full weight applies.
The Real Risk of Not Knowing
Ignorance has never been a valid defense with OCR. When Cignet Health of Prince George's County denied 41 patients access to their medical records and then ignored OCR's investigation, HHS imposed a $4.3 million civil money penalty — one of the earliest major enforcement actions. The organization's fundamental failure was acting as though the rules didn't apply to them.
That's the danger of not understanding what a covered entity is. You don't get to opt out. You don't get a grace period. The moment you meet the definition, every requirement attaches — and OCR's enforcement clock starts ticking.
Your Next Step
If you're reading this, odds are good that your organization is a covered entity. The question isn't whether HIPAA applies to you. The question is whether you're doing enough about it.
Start with training. Start with a risk analysis. Start with a Business Associate Agreement inventory. And if you're not sure where to begin, explore our full catalog of HIPAA training courses designed for specific roles and care settings. The worst time to learn you're a covered entity is when OCR is already asking questions.