The $4.3 Million Mistake That Started With One Wrong Assumption

In 2016, the University of Texas MD Anderson Cancer Center lost three unencrypted devices containing patient data. Their defense? They argued certain requirements didn't apply to them the way OCR interpreted the rules. HHS disagreed — emphatically. The resulting $4.3 million penalty became a landmark reminder that understanding who is a covered entity under HIPAA isn't an academic exercise. It's the foundation every compliance program rests on.

If you're reading this, you probably need a definitive answer. Maybe you run a small practice, manage a home health agency, or work for a health plan trying to figure out where your obligations begin. I've spent years helping organizations answer this exact question, and I can tell you — the consequences of getting it wrong are severe and completely avoidable.

Who Is a Covered Entity Under HIPAA? The Straight Answer

HIPAA defines three categories of covered entities. Only three. If your organization falls into one of these buckets, every HIPAA rule — Privacy, Security, Breach Notification — applies to you.

  • Health care providers who transmit any health information electronically in connection with a HIPAA-covered transaction. This includes physicians, hospitals, clinics, dentists, pharmacies, chiropractors, nursing homes, and home health agencies — if they bill electronically.
  • Health plans — health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, military and veterans' health programs, and most government health care programs.
  • Health care clearinghouses — entities that process nonstandard health information into standard formats (or vice versa). Think billing services and repricing companies that sit between providers and payers.

That's the complete list. The HHS covered entity guidance page spells this out clearly. If you don't fit one of these three categories, you're not a covered entity — though you may still be a business associate, which carries its own set of obligations.

The "Electronic Transaction" Trigger Most Providers Miss

Here's the nuance that trips people up. A health care provider isn't automatically a covered entity just because they treat patients. The trigger is electronic transmission of health information in connection with a standard transaction — claims, eligibility inquiries, referral authorizations, and similar processes defined under HIPAA.

In practice, this captures almost every provider in 2026. If your office submits electronic claims to insurance, you're in. If a billing company submits claims on your behalf, you're still in. I've met solo practitioners who insisted they were exempt because they used a third-party billing service. They weren't.

The only providers who genuinely fall outside are those who never conduct any covered transaction electronically — a cash-only therapist who doesn't file insurance claims, for example. That's a shrinking population.

Health Plans: Bigger Than You Think

When people ask who is a covered entity under HIPAA, they usually picture hospitals and doctors' offices. But health plans represent an enormous segment that's often underestimated.

Your employer's group health plan is a covered entity. So is every Medicare Advantage plan, every state Medicaid program, and every vision or dental insurer. Even a small self-funded employer plan with 50 or more participants qualifies.

This matters because health plans handle staggering volumes of PHI — protected health information — and their workforce needs training that's tailored to plan operations, not clinical workflows. The obligations are the same, but the implementation looks completely different.

What About Employer HR Departments?

The employer itself is generally not a covered entity. But the group health plan it sponsors is. This creates a compliance gray zone that I see crossed, usually unintentionally, all the time. HR staff access enrollment data, claims information, and benefits records that contain PHI. Without proper firewalls between plan administration and employment decisions, you've got a violation waiting to happen.

Clearinghouses: The Invisible Third Category

Health care clearinghouses process and standardize health data that flows between providers and payers. Companies like Emdeon (now Change Healthcare) and Availity are classic examples. They receive nonstandard data, convert it, and pass it along.

Most clearinghouses know exactly what they are. The confusion arises with smaller billing services that perform clearinghouse-like functions without realizing they've crossed the line. If your organization reformats claims data or translates between coding systems, consult the regulatory definitions in 45 CFR Part 160 to determine your status.

Covered Entity vs. Business Associate: A Critical Distinction

Not every organization that touches PHI is a covered entity. Many are business associates — contractors, vendors, and service providers who handle PHI on behalf of a covered entity. Think: cloud storage companies, IT consultants, medical transcription services, and shredding companies.

Business associates have had direct liability under HIPAA since the HITECH Act. They must comply with the Security Rule and parts of the Privacy Rule. But the obligations differ in scope and structure from those placed on covered entities.

The practical takeaway: if someone hands you PHI and you're not a covered entity yourself, you're almost certainly a business associate. Either way, you have compliance work to do.

What Happens When You Guess Wrong

I've watched organizations assume they weren't covered entities and skip every safeguard — no risk analysis, no workforce training, no encryption, no breach notification plan. Then a laptop goes missing or a phishing attack succeeds, and OCR comes calling.

Premera Blue Cross learned this the hard way in 2020, when OCR settled, for $6.85 million, a case involving a breach that affected 10.4 million people. The investigation revealed systemic failures in security management that had persisted for years. Being a covered entity means the full weight of HIPAA enforcement applies to you, and OCR doesn't accept ignorance as a defense.

Your Staff Can't Protect PHI If They Don't Know the Rules

Once you've confirmed your covered entity status, the next step is workforce training. HIPAA requires it. OCR enforces it. And every penalty I've referenced in this article involved organizations whose training programs were either absent or inadequate.

If you run a physician practice or clinical environment, HIPAA training built for physicians and clinical teams addresses the specific scenarios your staff faces daily — from patient intake to EHR access to after-hours communications.

If you operate a home health agency, the compliance challenges are even more complex. Your workforce enters private residences, uses mobile devices in the field, and communicates across unsecured networks. HIPAA training designed for home health care agencies covers these exact risks with practical, role-specific guidance.

A Quick Self-Assessment: Are You a Covered Entity?

Answer these questions honestly:

  • Does your organization provide health care services and submit electronic claims or other HIPAA-standard transactions?
  • Does your organization operate or sponsor a health plan?
  • Does your organization process health information from nonstandard to standard formats (or the reverse)?

If you answered yes to any of these, you're a covered entity. Full stop. Every HIPAA rule applies to you, your workforce, and your handling of PHI and ePHI.

If you answered no to all three but still receive, store, or transmit PHI for someone who answered yes — you're a business associate, and you still have regulatory obligations.

What OCR Expects From Covered Entities in 2026

OCR's enforcement priorities have sharpened in recent years. Here's what I'm seeing them focus on when they investigate covered entities:

  • Risk analysis: Not a one-time checklist — an ongoing, documented process that identifies threats to ePHI.
  • Workforce training: Annual at minimum, role-specific, and documented with completion records.
  • Access controls: Minimum necessary access, unique user IDs, and audit logging.
  • Breach notification: A tested plan that meets the 60-day notification window for breaches affecting 500 or more individuals.
  • Business associate agreements: Current, signed, and actually enforced — not just filed in a drawer.

If your compliance program covers these fundamentals, you're ahead of most organizations I audit. If it doesn't, you're running on borrowed time.

Stop Guessing, Start Complying

Figuring out who is a covered entity under HIPAA is step one. Everything else — your policies, your training, your technical safeguards — flows from that determination. Get it right and you build on a solid foundation. Get it wrong and you build on sand.

Explore the full HIPAA training catalog at HIPAACertify to find the course that matches your organization's role and risk profile. Because the next OCR investigation won't wait for you to figure out whether the rules apply to you.