HIPAA Covered Entities: The Complete Definition (2026)
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
The term "covered entity" is the starting point for all HIPAA compliance. If your organization qualifies as a covered entity, the Privacy Rule, Security Rule, and Breach Notification Rule apply to you directly. If you don't qualify, you may still be subject to HIPAA as a business associate — but the compliance path is different.
The Three Types of Covered Entities Under 45 CFR § 160.103
HIPAA's implementing regulations at 45 CFR § 160.103 define three categories of covered entities. All three are subject to the full HIPAA regulatory framework, though the specific requirements vary based on the entity's function.
1. Healthcare Providers
A healthcare provider is a covered entity if it furnishes, bills, or is paid for health care in the normal course of business AND transmits any health information in electronic form in connection with a standard transaction. Standard transactions include claims, payment remittances, eligibility inquiries, and referral authorizations as defined in 45 CFR Part 162.
Examples of healthcare providers that are covered entities:
- Physicians (MDs, DOs) in private practice or hospital employment
- Dentists, orthodontists, and oral surgeons
- Mental health therapists and psychologists (when billing electronically)
- Chiropractors, physical therapists, and occupational therapists
- Hospitals, inpatient rehabilitation facilities, and skilled nursing facilities
- Home health agencies and hospice organizations
- Pharmacies that submit claims electronically
- Clinical laboratories
- Ambulance services (when billing electronically)
2. Health Plans
Health plans are covered entities regardless of whether they transmit information electronically — the electronic transaction trigger does not apply to them. Health plans include:
- Health insurance issuers (commercial insurers like Aetna, UnitedHealth, BlueCross)
- HMOs and PPOs
- Medicare and Medicaid programs (Parts A, B, C, D)
- Employer-sponsored group health plans (other than plans with fewer than 50 participants that are administered solely by the employer)
- Self-funded employer health plans
- Long-term care insurers (with limited exceptions)
- Medicare supplemental (Medigap) policies
- Multi-employer health plans
Note: Certain small employer-sponsored plans (fewer than 50 participants, administered solely by the employer) are exempt from most HIPAA requirements. Workers' compensation, automobile insurance, and property/casualty insurers are generally not covered entities.
3. Healthcare Clearinghouses
A healthcare clearinghouse is a public or private entity that processes nonstandard health information received from another entity into a standard format, or vice versa. Clearinghouses include billing services, community health management information systems, and value-added networks that translate between claim formats. In practice, clearinghouses are almost always aware of their HIPAA status and have robust compliance programs in place.
Edge Cases and Common Misconceptions
Sole Proprietor Providers
A solo practitioner — one physician, one therapist, one chiropractor — is a covered entity if they transmit health information electronically for covered transactions. The fact that you are a one-person practice does not exempt you. Thousands of individual practitioners have received OCR complaints for HIPAA violations precisely because they assumed "small" meant "exempt." It does not.
Employers and Group Health Plans
The employer organization itself is typically not a covered entity. However, if the employer sponsors a group health plan, that plan is a covered entity. This creates a common source of confusion: an employer handles enrollment forms, premium payments, and benefits administration — but the HIPAA obligations technically fall on the plan, not the employer acting in its employer capacity. Nonetheless, OCR treats the employer's HR department that administers the plan as a component of the covered entity when it accesses PHI.
Hybrid Entities
An organization that performs both covered and non-covered functions may designate itself a "hybrid entity" under 45 CFR § 164.105. A university with a medical school, for example, can designate the medical school as its healthcare component while keeping the broader university separate. The hybrid entity must erect appropriate firewalls between the covered and non-covered components.
Affiliated Covered Entities
Legally separate covered entities that are affiliated through common ownership or control may designate themselves a single affiliated covered entity for Privacy Rule purposes. This is common in large health systems where dozens of separately incorporated hospitals and clinics share a compliance program.
Cash-Only Providers
A provider who accepts no insurance and never transmits health information electronically — no e-billing, no electronic claims — is technically not a covered entity. In practice, this applies to a vanishingly small number of providers. Even accepting a single electronic payment or filing a single electronic claim brings you into covered entity status.
The "Am I a Covered Entity?" Decision Checklist
Work through these questions in order:
1. Do you provide health care services? If no, you are not a healthcare provider. Proceed to question 3.
2. Do you transmit any health information electronically for billing, claims, eligibility, or referrals? If yes, you are a covered entity as a healthcare provider.
3. Do you operate a health insurance plan, HMO, or self-insured employer plan? If yes, that plan is a covered entity.
4. Do you process health claims or translate between claim formats for others? If yes, you are likely a healthcare clearinghouse and a covered entity.
5. Do you receive, maintain, or transmit PHI to provide services to a covered entity? If yes, you may be a business associate — see our business associates guide.
If you are still unsure, take our free HIPAA self-assessment quiz.
What Covered Entity Status Means for Your Compliance Program
Notice of Privacy Practices (NPP)
Every covered entity — with the limited exception of clearinghouses that don't interact directly with patients — must develop, distribute, and post a Notice of Privacy Practices as required by 45 CFR § 164.520. The NPP tells patients how you use and disclose their PHI, what their rights are, and how to file a complaint. The HHS model NPP was updated in February 2026, meaning existing NPPs may need revision. See our guide on BAA vs. NPP for a clear comparison of both documents.
Business Associate Agreements
Covered entities must execute a BAA with every business associate — any vendor or contractor that creates, receives, maintains, or transmits PHI on their behalf. Common examples: EHR vendors, billing companies, cloud storage providers, IT support firms, and transcription services. The BAA requirements are set out at 45 CFR § 164.504(e). See our business associates guide for the full list of BA examples and what the BAA must contain.
Privacy Rule and Patient Rights
Covered entities must implement the full suite of Privacy Rule requirements: minimum necessary standard, patient right of access (45 CFR § 164.524), right to amend (§ 164.526), right to an accounting of disclosures (§ 164.528), and restrictions on certain disclosures including marketing and sale of PHI.
Security Rule
If you maintain electronic PHI (ePHI), you must implement administrative, physical, and technical safeguards under the Security Rule (45 CFR §§ 164.302–164.318), including a formal risk assessment at least annually. See our HIPAA risk assessment guide for step-by-step instructions.
Frequently Asked Questions
What is a HIPAA covered entity?
A HIPAA covered entity is any organization that falls into one of three categories defined at 45 CFR § 160.103: (1) a healthcare provider that conducts certain standard transactions electronically, (2) a health plan, or (3) a healthcare clearinghouse. Covered entities are directly subject to HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule.
Are all doctors covered entities?
Not technically — a provider must transmit health information electronically for a covered transaction to qualify. However, virtually all practicing physicians, therapists, dentists, and clinicians do so through electronic billing, making them covered entities in practice. A truly cash-only, paper-only provider who never submits an electronic claim is the narrow exception.
Is my employer a covered entity?
Most employers are not covered entities in their employer capacity. If your employer sponsors a group health plan, that plan is a covered entity — but the employer's general HR and payroll functions are not. Confusion arises because the same employees often administer both the plan and general HR, so the firewall between covered and non-covered functions is critical.
What if I'm both a covered entity and a business associate?
This dual-role situation is addressed under 45 CFR § 164.105. Each function must comply with its applicable HIPAA requirements. A hospital that also provides billing services to an independent physician group, for example, is a covered entity for its own patient care and a business associate to the physician group. The BAA and compliance obligations apply separately to each role.
Do covered entities need BAAs?
Yes — covered entities must sign a BAA with every vendor or contractor that creates, receives, maintains, or transmits PHI on their behalf, as required by 45 CFR § 164.504(e). Operating without a BAA exposes both parties to HIPAA civil monetary penalties. You can generate a compliant BAA at BAAGenerator.com.