A small dental practice in Indiana received a $12,000 penalty from the Office for Civil Rights in 2019. The owner told investigators he didn't think HIPAA applied to his office because he wasn't a hospital. He was wrong — and expensively wrong at that. If you've ever asked yourself what HIPAA covered entities are, you're asking the right question. The answer determines whether federal privacy law applies to your organization, your staff, and every piece of patient data you touch.

I've consulted with dozens of organizations that assumed they fell outside HIPAA's reach. Physical therapy clinics. Billing companies. Home health agencies. Most were covered entities the entire time and didn't know it until an OCR complaint landed on their desk.

Let's break this down so you never have to guess.

What Are HIPAA Covered Entities, Exactly?

A HIPAA covered entity is any organization or individual that transmits health information electronically in connection with certain transactions. That's the legal definition pulled straight from HHS.gov's guidance on covered entities. But here's the practical version: if you create, store, or send protected health information (PHI) and you do any electronic billing or claims processing, HIPAA almost certainly applies to you.

The law spells out three categories of covered entities:

  • Health Care Providers — doctors, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and any other provider who transmits health information electronically.
  • Health Plans — health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and military/veterans' health programs.
  • Health Care Clearinghouses — entities that process or facilitate the processing of health information from nonstandard to standard formats, like billing services and repricing companies.

That's it. Three categories. But inside those categories live hundreds of thousands of organizations — many of which don't realize they qualify.

The Provider Category Is Bigger Than You Think

When people picture a covered entity, they picture a hospital. That's only a fraction of the story. The provider category sweeps in anyone who furnishes, bills, or is paid for health care in the normal course of business — and transmits any health information electronically.

That includes solo practitioners. It includes home health aides who work for an agency submitting electronic claims. It includes the psychologist running a two-person office.

I've worked with a home health care agency in Georgia that had been operating for three years without a single HIPAA policy in place. Their nurses were texting patient vitals to the office using personal phones. No encryption, no audit trail, no business associate agreements with their software vendors. They were a covered entity from day one and had been exposed the entire time.

If you run or work for a home health organization, structured HIPAA training for home health care agencies isn't optional — it's the baseline for keeping your organization out of OCR's enforcement pipeline.

Health Plans: Not Just Insurance Companies

Employer-sponsored group health plans trip people up constantly. If your company provides health benefits to employees and the plan has 50 or more participants, that plan is a covered entity under HIPAA. The company itself isn't automatically a covered entity — but the plan is, and the company acts on behalf of the plan.

This means HR departments handling enrollment data, claims information, or coordination of benefits are managing PHI. I've seen HR managers store spreadsheets of employee diagnoses on shared drives with zero access controls. That's a HIPAA violation waiting to happen.

Medicare Part A, Part B, Medicare Advantage, Medicaid programs, CHIP — all covered entities. The Department of Defense TRICARE program is a covered entity. Even the Veterans Health Administration qualifies.

Clearinghouses: The Invisible Third Category

Health care clearinghouses are the least understood covered entities. They sit between providers and payers, translating claims data into standardized electronic formats. If your organization receives health information from another entity, processes it, and passes it along in a different format, you're probably a clearinghouse.

Billing services, repricing companies, and community health management information systems often fall here. The key factor is whether the entity processes or facilitates the processing of health information received from another entity.

I spoke with the owner of a medical billing company in Texas who was stunned to learn his company was a covered entity. He thought he was just a business associate. But because his company received nonstandard claims data, reformatted it, and forwarded it to payers, he met the clearinghouse definition. That distinction changed his compliance obligations overnight — including the requirement to have a full privacy officer, workforce training, and a breach notification process.

The $4.3 Million Mistake: What Happens When Covered Entities Ignore the Rules

In 2016, the University of Mississippi Medical Center paid $2.75 million to OCR after a stolen laptop exposed the ePHI of approximately 10,000 patients. The investigation revealed the medical center — clearly a covered entity — had failed to implement policies covering the removal of devices containing ePHI from the facility. They also lacked a complete risk analysis.

In 2018, Anthem Inc., one of the nation's largest health plans, paid $16 million to settle HIPAA violations after a massive data breach affecting nearly 79 million people. That remains the largest HIPAA settlement to date. The covered entity had failed to conduct an enterprise-wide risk analysis and hadn't implemented sufficient procedures to regularly review information system activity.

These aren't abstract warnings. These are real penalties paid by real covered entities that didn't meet their compliance obligations.

Covered Entity vs. Business Associate: Why the Distinction Matters

Here's a question I get weekly: "We handle PHI, so we must be a covered entity, right?" Not necessarily. Many organizations that touch PHI are business associates — not covered entities. The difference matters because it changes your compliance path.

A covered entity creates or receives PHI as part of providing health care, operating a health plan, or processing health information as a clearinghouse.

A business associate performs a function on behalf of a covered entity that involves access to PHI. Think: IT vendors, shredding companies, cloud storage providers, and attorneys.

Business associates have their own set of HIPAA obligations under the HITECH Act and the Omnibus Rule. But covered entities bear the primary responsibility for ensuring their business associates comply — which means having signed business associate agreements (BAAs) with every vendor that touches PHI.

If you're unsure whether your organization is a covered entity or a business associate, HHS provides a useful covered entity decision tool through CMS.gov.

Does Every Employee of a Covered Entity Need Training?

Yes. The HIPAA Privacy Rule requires every member of a covered entity's workforce to receive training on the organization's privacy policies and procedures. "Workforce" under HIPAA doesn't just mean employees — it includes volunteers, trainees, and anyone under the organization's direct control, whether paid or not.

I've seen organizations limit training to clinical staff and skip front desk workers, billing clerks, and IT personnel. That's a compliance gap. If a receptionist can see a patient's name on a screen, that person needs training. Period.

If you're building or refreshing your training program, start with role-specific courses that cover real scenarios your staff will face. Our HIPAA training catalog is built around this principle — practical, role-based education that maps to actual workforce responsibilities.

Three Steps Every Covered Entity Should Take This Quarter

1. Confirm Your Status

Use the CMS decision tool linked above. Document your determination. If you're a covered entity, make sure leadership knows and accepts the obligations that come with it.

2. Conduct or Update Your Risk Analysis

OCR cites the lack of a risk analysis more than almost any other violation. Identify where PHI lives in your organization — electronic, paper, and verbal. Assess the threats. Document everything.

3. Train Your Entire Workforce

Not just doctors. Not just nurses. Everyone. Ensure training covers the Privacy Rule, the Security Rule, and your organization's specific policies for handling PHI and reporting breaches. Keep records of who was trained and when — OCR will ask for them during an investigation.

The Bottom Line

Understanding what HIPAA covered entities are isn't an academic exercise. It's the first compliance question every health care provider, health plan, and clearinghouse needs to answer correctly. Get it wrong, and you operate in a false sense of security while OCR has the authority to investigate you, fine you, and publish your name on their Wall of Shame.

Get it right, and you build your compliance program on solid ground — starting with knowing exactly what the law expects from your organization.