The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What Are Covered Entities Under HIPAA?

Covered entities under HIPAA are individuals or entities that transmit protected health information electronically for transactions for which the Department of Health and Human Services has adopted standards in 45 CFR Part 162.

Covered transactions include transmissions of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization.

Covered entities under HIPAA compliance rules include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs.

Healthcare clearinghouses are organizations that process nonstandard health information and convert data into types that conform to the standards outlined in the HIPAA administrative simplification regulations.

Healthcare providers include hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and other providers of healthcare that transmit health information electronically.

HIPAA also applies to business associates of HIPAA-covered entities and their subcontractors.

What is a Business Associate?

A business associate can be an individual or company that provides services to a HIPAA-covered entity that require it to have access to, store, use, or transmit protected health information. The list of business associates is long, and the range of companies included under the definition of business associate is diverse.

Business associates of HIPAA-covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms (electronic and physical records), EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.

Before a business associate is given PHI, or access to systems containing PHI, it must enter into a HIPAA-compliant business associate agreement with the covered entity. A business associate agreement is a contract in which the responsibilities of the business associate with respect to HIPAA and PHI are described.

Penalties for Noncompliance with HIPAA Rules

Covered entities under HIPAA, and business associates that have signed a BAA with a covered entity, must comply with HIPAA Rules. Failure to comply with any aspect of HIPAA can result in financial penalties. The penalties for HIPAA violations increase each year to account for inflation; as of April 2022, the maximum penalty for a HIPAA violation is $63,973 per incident, up to a maximum of $1,919,173 per violation category, per year.

If HIPAA violations have been allowed to persist for several years, or if multiple violations of HIPAA Rules are discovered, multi-million-dollar fines are possible. Criminal penalties are also possible for certain HIPAA violations.

Covered Entities under HIPAA FAQs

Is a school that provides healthcare services for students a HIPAA Covered Entity?

Although there are some cases in which higher education institutions can be “hybrid entities”, most public schools that provide healthcare services for students are not HIPAA Covered Entities because student health information is classified as “education records” under the Family Educational Rights and Privacy Act (FERPA). As FERPA pre-empts HIPAA, student health information is not Protected Health Information under HIPAA, and therefore schools are not HIPAA Covered Entities.

Are employers Covered Entities under HIPAA if they maintain employee health records?

Generally, employers are not Covered Entities under HIPAA because employee health records maintained by an employer are not used for HIPAA-covered transactions (e.g., a request to a health plan for payment in respect of the provision of healthcare). An employer could be regarded as a “partial entity” if it operates a self-insured health plan; in this case, the employer would have to implement safeguards to ensure PHI is not used for work-related operations and activities.

When might state laws affect who is a Covered Entity under HIPAA?

A Covered Entity will always be a Covered Entity under HIPAA, but some states have passed legislation which provides a different definition of a Covered Entity under the state law. The best example of this is in Texas, where the Medical Records Privacy Act classifies every organization or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits health information in any form as a Covered Entity – including schools and employers.

Does a Covered Entity have to sign a Business Associate Agreement to use Gmail?

A Covered Entity has to sign a Business Associate Agreement with every organization to which PHI is disclosed. Therefore, if PHI is disclosed in an email sent from a Gmail account (not to a Gmail account), a Business Associate Agreement has to be in place. Most Covered Entities will not use Gmail as their email provider, but they may use other Google Workspace services (e.g., Drive, Chat, Sheets) for which a Business Associate Agreement will be necessary before PHI is disclosed.

When might a criminal penalty be imposed on a Covered Entity?

To date, the penalties imposed on Covered Entities have been civil penalties. The only criminal penalties for violations of HIPAA have been imposed on the individuals responsible for the violations; although these are rare, there have been cases in which employees of Covered Entities have been sentenced to up to six years in jail. Nonetheless, in extreme circumstances of willful neglect, it is possible that the Office for Civil Rights could refer a case to the Department of Justice.

Who is covered by HIPAA?

In the context of which organizations are covered by HIPAA, all health plans, health care clearinghouses, and qualifying healthcare providers – along with any Business Associates that provide a service for or on behalf of a Covered Entity – are covered by HIPAA. Vendors of personal health records are also covered by HIPAA to the extent that they must report breaches of unsecured individually identifiable health information to the Federal Trade Commission.

Under HIPAA, how is a Covered Entity (CE) defined?

Under HIPAA, a Covered Entity (CE) is defined as a health plan, a health care clearinghouse, or a healthcare provider – provided the healthcare provider transmits health information in electronic form in connection with a transaction covered under 45 CFR Part 164 (typically payment and remittance advices, eligibility, claims status, authorizations for treatment, etc.).

Why are pharmacies classified as healthcare providers?

Pharmacies are classified as healthcare providers because the definition of healthcare in the HIPAA General Requirements includes: “The sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription”. Consequently, retail pharmacies are classified as healthcare providers and required to comply with the Privacy, Security, and Breach Notification Rules.

What is a health care clearinghouse?

A health care clearinghouse is a business that manages transactions between health plans and healthcare providers to ensure they are submitted accurately. There are thousands of elements that can complicate the transaction process, and health care clearinghouses minimize the risk of errors to accelerate transactions such as eligibility checks, authorizations, and payments.

Are all healthcare providers Covered Entities under HIPAA?

Not all healthcare providers are Covered Entities under HIPAA because not all conduct “covered transactions” in electronic format. If (for example) a chiropodist bills clients directly or conducts covered transactions over the phone (phone calls are not considered electronic transactions under HIPAA), the chiropodist does not qualify as a Covered Entity under HIPAA.

Do Business Associates have to comply with the same HIPAA Rules as Covered Entities?

Business Associates have to comply with the same Security and Breach Notification Rules as Covered Entities. Compliance with the Privacy Rule (or part thereof) and the Administrative Requirements (Part 162) depends on the service being provided to or on behalf of the Covered Entity and the provisions of the Business Associate Agreement between the Business Associate and the Covered Entity.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.
