A home health aide I worked with once told me, "We're too small to be a covered entity." Her agency had 40 employees, billed Medicare directly, and transmitted claims electronically every single day. She was wrong — and that misunderstanding had already put the agency at risk for months.

Under HIPAA, a covered entity is defined as one of three types of organizations: a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with certain transactions. If your organization falls into any of these categories, every HIPAA rule — Privacy, Security, Breach Notification — applies to you. No exceptions for size. No grace period for ignorance.

Let's break down exactly who qualifies, what the obligations look like, and what happens when organizations get this wrong.

Under HIPAA a Covered Entity Is Defined As Three Specific Types

The definition comes straight from the HIPAA Administrative Simplification provisions at 45 CFR § 160.103. There are exactly three categories. You either fit one, or you don't.

1. Health Plans

This is the broadest category, and it trips people up constantly. A health plan includes health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and military healthcare programs like TRICARE. It also includes dental, vision, and prescription drug plans.

Here's the part most people miss: a self-funded employer health plan with 50 or more participants is a covered entity all on its own — separate from the employer. I've seen HR directors stunned to learn their company's self-insured benefits plan triggers full HIPAA compliance obligations.

2. Healthcare Clearinghouses

Clearinghouses are the middlemen. They receive health information from one entity, process it into a standard format, and send it along. Think billing services that convert nonstandard claims into ANSI X12 transactions. Most providers never interact with a clearinghouse directly, but these organizations handle massive volumes of protected health information (PHI) every day.

3. Healthcare Providers Who Transmit Electronically

This is the category that catches small practices, solo practitioners, and home health agencies off guard. Any healthcare provider — regardless of size — becomes a covered entity the moment they transmit health information electronically in connection with a HIPAA-standard transaction. Those transactions include claims, benefit eligibility inquiries, referral authorizations, and payment remittance.

If your agency bills Medicare or Medicaid electronically, you're a covered entity. Period. If a billing company does it on your behalf, you're still a covered entity — and that billing company is your business associate.

Why Getting This Definition Wrong Costs Real Money

The Office for Civil Rights (OCR) at HHS doesn't care whether you knew you were a covered entity. Enforcement actions make that crystal clear.

In 2018, OCR settled with Allergy Associates of Hartford for $125,000 after a physician impermissibly disclosed a patient's PHI to a reporter. The practice was a covered entity — a healthcare provider transmitting electronic transactions — and was expected to have workforce training and privacy policies in place. They didn't meet the standard. You can review OCR's enforcement results on the HHS breach settlement page.

In another case, OCR fined Adult & Pediatric Dermatology, P.C. $150,000 in 2013 for failing to have proper risk analysis and breach notification procedures after an unencrypted thumb drive containing ePHI for about 2,200 individuals was stolen from a staff member's car. They were a small specialty practice — and fully subject to every HIPAA requirement as a covered entity.

Size doesn't create immunity. That's the message OCR sends with every settlement.

What Does Being a Covered Entity Actually Require?

Once you meet the definition, you inherit a comprehensive set of obligations. Here's what your organization must do:

  • Implement the Privacy Rule: Establish policies governing the use and disclosure of PHI. Designate a Privacy Officer. Provide a Notice of Privacy Practices to every patient.
  • Implement the Security Rule: Conduct a thorough risk analysis of all ePHI. Apply administrative, physical, and technical safeguards. Document everything.
  • Follow Breach Notification requirements: If unsecured PHI is compromised, notify affected individuals within 60 days. Breaches affecting 500 or more individuals must also be reported to OCR and prominent media outlets.
  • Train your workforce: Every member of your workforce — employees, volunteers, trainees — must receive HIPAA training. Not once. Regularly, and whenever material changes occur.
  • Manage business associates: Execute Business Associate Agreements (BAAs) with every vendor, contractor, or partner that accesses PHI on your behalf.

If you're running a home health care agency, these requirements hit differently. Your workforce is mobile. PHI travels in cars, on tablets, and through unsecured Wi-Fi networks in patients' homes. That's exactly why HIPAA training designed specifically for home health care agencies matters more than generic compliance modules.

Covered Entity vs. Business Associate: The Distinction That Matters

I get this question constantly: "If we hire a billing company, are they the covered entity instead of us?"

No. You're still the covered entity. The billing company becomes your business associate. Under the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for HIPAA violations — but that doesn't transfer your responsibilities to them.

You must have a signed BAA with every business associate. You must verify they have appropriate safeguards. If you learn they've violated HIPAA, you must take action or risk liability yourself.

The relationship flows one way: covered entities create the obligations, business associates inherit a subset of them through contract and regulation.

How Do You Know If You're a Covered Entity?

HHS actually built a decision tool for this. The CMS "Are You a Covered Entity?" page walks you through the analysis step by step. I recommend every practice manager and compliance officer use it — especially if your organization has recently started accepting insurance or transmitting electronic claims.

Ask yourself these questions:

  • Does your organization provide healthcare services? (Medical, dental, behavioral health, home health, chiropractic — the list is long.)
  • Does your organization — or anyone on your behalf — transmit health information electronically for claims, eligibility checks, or referral authorizations?
  • Does your organization offer or administer a health plan?

If you answered yes to any combination of these, you're almost certainly a covered entity under HIPAA.

The Training Gap That OCR Keeps Penalizing

Here's what I've seen over 15 years of consulting: organizations that correctly identify themselves as covered entities still fail at one basic requirement — workforce training. OCR's enforcement history is littered with cases where the covered entity had policies on paper but never trained staff to follow them.

Your training has to be role-specific. A receptionist handling intake forms faces different PHI risks than a nurse making home visits. A billing clerk has different exposure than an IT administrator managing your EHR system.

Generic, one-size-fits-all training doesn't meet the standard. If your workforce operates in patients' homes, consider specialized HIPAA courses built for your environment. The investment is a fraction of what a single breach investigation costs.

What Happens If You're a Covered Entity and Don't Comply?

OCR's enforcement follows a tiered penalty structure, codified at 45 CFR Part 160, Subpart D. Penalties range from $137 per violation for unknowing infractions up to $2,067,813 per violation for willful neglect left uncorrected. Those numbers are adjusted annually for inflation.

But financial penalties aren't the only consequence. OCR can require corrective action plans that last two to three years. During that time, your organization operates under a microscope — submitting evidence of workforce training, updated policies, and completed risk analyses on a regular schedule.

State attorneys general can also bring HIPAA enforcement actions under the HITECH Act. Several have done so, adding another layer of risk for covered entities that ignore their obligations.

The Bottom Line for Your Organization

Under HIPAA, a covered entity is defined as a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically for standard transactions. If you fit that definition, you carry the full weight of HIPAA compliance — Privacy Rule, Security Rule, Breach Notification Rule, and everything in between.

Don't assume you're too small, too specialized, or too new to qualify. The definition is broad by design. OCR enforces it without regard to organization size.

Know what you are. Train your people. Protect the PHI your patients trust you with. That's not just compliance — it's the baseline for operating in healthcare today.