A few years ago, I got a call from the owner of a small billing company in Ohio. She was convinced HIPAA didn't apply to her. "We're not a hospital," she told me. "We just process claims." Within six months, OCR came knocking after a breach involving 12,000 patient records. She was, in fact, a covered entity under HIPAA — and she'd done almost nothing to comply.

If you've ever asked what is a covered entity under HIPAA, you're asking the single most foundational question in healthcare privacy law. Get this wrong, and everything downstream — your policies, your training, your breach notification obligations — is built on sand.

What Is a Covered Entity Under HIPAA, Exactly?

A covered entity is any organization or individual that falls into one of three categories defined by the HIPAA Administrative Simplification Rules. Those categories are:

  • Health care providers who transmit any health information electronically in connection with a HIPAA-covered transaction (claims, eligibility inquiries, referral authorizations, etc.)
  • Health plans — including health insurance companies, HMOs, employer-sponsored group health plans, and government programs like Medicare and Medicaid
  • Health care clearinghouses — entities that process nonstandard health information they receive from another entity into a standard format, or vice versa

That's it. Three buckets. But the edges are blurrier than most people realize, and I've watched organizations on both sides of the line make expensive mistakes.

The Provider Trap: Electronic Transactions Change Everything

Here's where confusion hits hardest. A solo physician who accepts only cash and never submits an electronic claim is technically not a covered entity. The moment that physician bills Medicare electronically — even once — the designation kicks in.

In my experience, nearly every physician practice in the country qualifies. If your office submits electronic claims to any payer, you're a covered entity. Period. This is why HIPAA training for physicians and clinical environments isn't optional — it's the law.

The definition comes directly from HHS's official guidance on covered entities, and it's surprisingly clear once you read it.

Home Health Agencies: A Growing Gray Area

I've seen a surge in questions from home health care agencies wondering if they qualify. The answer is almost always yes. If your agency bills Medicare, Medicaid, or any private insurer electronically, you meet the definition of a health care provider conducting covered transactions.

The stakes for home health are especially high. Your workforce enters patients' homes, handles PHI on mobile devices, and often communicates through channels that aren't encrypted. That's a compliance minefield. I'd strongly recommend starting with HIPAA training designed specifically for home health care agencies to address those unique risks.

Health Plans: Broader Than You Think

When people hear "health plan," they picture Blue Cross or Aetna. But the HIPAA definition is much wider. It includes:

  • Employer-sponsored group health plans (even self-insured ones)
  • Medicare Part A, B, C, and D
  • Medicaid programs
  • Long-term care insurance issuers
  • Employee welfare benefit plans that provide health benefits
  • Military and veterans' health programs like TRICARE and the VA

If your organization sponsors a group health plan for employees, your HR department is handling PHI as part of a covered entity function — and that triggers HIPAA obligations you might not have considered.

The Small Plan Exception That Barely Matters

There's a narrow exception for group health plans with fewer than 50 participants that are administered solely by the employer. In practice, I've rarely seen a plan that genuinely qualifies. If a third-party administrator touches your plan, the exception evaporates.

Clearinghouses: The Invisible Covered Entities

Health care clearinghouses are the least understood of the three. These are entities that sit between providers and payers, translating electronic claims and other transactions into standardized formats. Think of companies that convert a physician's billing software output into the X12 format required by insurers.

If your organization performs this translation function, you're a covered entity — regardless of whether you ever see a patient.

The $5.55 Million Penalty That Proved Definitions Matter

In 2017, Memorial Healthcare System in Florida agreed to a $5.55 million settlement with OCR after employees at an affiliated physician practice accessed ePHI through a shared database without authorization. The breach affected 115,143 individuals. Memorial was a covered entity, and OCR held them accountable for inadequate access controls and failure to audit employee access to PHI.

This case is a perfect illustration of what happens when a covered entity doesn't take its classification seriously. OCR's resolution agreement with Memorial Healthcare System is worth reading for any compliance officer.

The lesson: being a covered entity isn't just a label. It triggers a cascade of enforceable obligations under the Privacy Rule, Security Rule, and Breach Notification Rule.

What Obligations Come With Being a Covered Entity?

Once you're classified as a covered entity, here's what you're required to do:

  • Implement the Privacy Rule: Establish policies for how PHI is used and disclosed, provide patients with a Notice of Privacy Practices, and honor individual rights like access and amendment requests.
  • Implement the Security Rule: Apply administrative, physical, and technical safeguards to protect ePHI. Conduct a risk analysis. Manage access controls, encryption, and audit logs.
  • Train your workforce: Every member of your workforce — employees, volunteers, trainees — must receive HIPAA training appropriate to their role. HHS has been explicit about this requirement.
  • Execute Business Associate Agreements: Any vendor that handles PHI on your behalf must sign a BAA before they touch your data.
  • Follow breach notification procedures: If unsecured PHI is accessed, used, or disclosed in a way that violates the Privacy Rule, you must notify affected individuals, HHS, and in some cases the media — within strict timeframes.

Skipping any of these isn't a gamble. It's a guarantee that an OCR investigation will go badly.

"We're Just a Business Associate" — Are You Sure?

I hear this constantly. Organizations assume they're business associates when they're actually covered entities. A billing company that submits claims on behalf of providers is a clearinghouse if it's reformatting data. A staffing agency that provides nurses directly to patients and bills insurers might be a health care provider.

The distinction matters because covered entities bear primary accountability. Business associates have obligations too, but they derive from the BAA and the Omnibus Rule — not from the same direct regulatory footing.

When in doubt, consult the CMS "Are You a Covered Entity?" decision tool. It's not perfect, but it's a solid starting point.

Three Steps to Take Right Now

If you're still unsure whether your organization qualifies as a covered entity under HIPAA, here's what I tell every client:

  • Map your transactions. Identify every electronic transaction your organization sends or receives. If any of them match the HIPAA transaction standards (claims, enrollment, eligibility, payment), you're likely in.
  • Get a legal opinion if you're on the edge. A few hours of attorney time now saves you millions later.
  • Start training immediately. Even if you're 95% sure, workforce training is your cheapest insurance. Browse our full HIPAA training catalog for role-specific courses that fit your organization.

The Bottom Line on Covered Entity Status

Understanding what is a covered entity under HIPAA isn't an academic exercise. It determines whether OCR has jurisdiction over you, whether you owe breach notifications to HHS, and whether a single employee's mistake can trigger a seven-figure penalty.

I've worked with organizations that spent years assuming they were exempt. Every one of them told me the same thing once they realized the truth: "I wish we'd figured this out sooner." Don't be that organization. Know your status, build your compliance program around it, and train your people before OCR gives you a reason to.