The Types of Covered Entities in HIPAA


The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to provide industry-wide standards for handling protected health information (PHI).

HIPAA Privacy Rules mandate organizations and other stakeholders within the healthcare industry handling PHI to comply with its regulations.

According to HIPAA rules, Covered Entities and their Business Associates should develop and implement procedures that safeguard PHI.

While the HIPAA regulations are clearly indicated, the biggest dilemma remains on who falls under the category of a Covered Entity.

Wondering whether you qualify as a Covered Entity or not? Read on as we uncover the three types of Covered Entities under the HIPAA watch!

What is a Covered Entity?


Covered Entities refer to healthcare providers, health plans, and clearinghouses involved in transferring Protected Health Information.

PHI may be transmitted in connection with payment for healthcare services, treatment, billing, operations, or insurance coverage.

What are the 3 Covered Entities?

The 3 main categories of Covered Entities under HIPAA regulations include:

1. Healthcare Providers

Healthcare providers are individuals or institutions responsible for providing patients with diagnosis, treatment, care, and follow-up services.

Covered Entities should maintain the HIPAA Privacy and Security Rules required to safeguard the patient’s health information.

Examples of healthcare providers who fall under the HIPAA Covered Entity bracket include:

• Clinics
• Doctors
• Psychologists
• Nurse practitioners
• Physician assistants
• Chiropractors
• Nursing homes
• Pharmacies
• Hospitals

The above individuals and organizations qualify as Covered Entities only if they transmit health information electronically in transactions for which the Department of Health and Human Services (HHS) has adopted standards.

2. Healthcare Plans

Health plans are organizations responsible for providing, arranging, paying, or reimbursing any part of the cost incurred in providing healthcare services.

These Healthcare plans include:

• Health insurance companies
• Company health plans
• Health Maintenance Organizations (HMOs)
• Government programs responsible for paying for healthcare, such as Medicare, Medicaid, and military and veterans’ healthcare plans

In general, health plans are forms of insurance covering healthcare costs. Three types of health plans fall under the Covered Entity bracket in the United States. They include:

Health Insurance Issuer

A health insurance issuer refers to an insurance company or an insurance service licensed to participate in the insurance business within a state. This issuer is subject to state laws that regulate insurance.

Health Maintenance Organization (HMO)

HMOs are types of health insurance that limit coverage to care provided by doctors working for or under contract with the HMO.

Usually, HMOs do not cover care outside the network unless there is an emergency. You may need to work or reside in the HMO’s service area to be eligible for coverage.

The insured party has to select a primary care physician from the local healthcare providers’ networks under an HMO plan.

The person insured may not see a specialist outside the network without first receiving an official referral from their primary care physician.

Group Health Plans

A group health plan is a welfare benefit plan for employees offered by an employer or organization responsible for providing medical care for the participant and their families through insurance or reimbursement.

3. Healthcare Clearinghouse

Healthcare clearinghouses are organizations that process nonstandard health information into a format that complies with data standards, on behalf of other enterprises.

According to the National Institute of Standards and Technology (NIST), healthcare clearinghouses are responsible for receiving standard transactions from other entities.

The clearinghouses then process the health information into a nonstandard format for the receiving entity. The reverse also applies.

Clearinghouses are electronic hubs that enable healthcare organizations to transmit claims electronically to insurance carriers.

They have to transmit the data in a secure way to safeguard the protected health information (PHI).

A clearinghouse interacts with PHI in that it checks medical claims for errors and ensures that the claims are processed correctly by the insurance company. The claims and related medical records are shared electronically with the appropriate medical organizations.

A credible clearinghouse enables seamless data sharing between you, your provider, and their networks, hence improving the claim process.

Examples of Clearinghouses

Emdeon Clearinghouse

An excellent example of a clearinghouse is Emdeon. It is the largest healthcare clearinghouse in the U.S. healthcare system, responsible for revenue and payment management and for connecting payers, patients, and providers in the healthcare system.

Clearinghouses have to comply with the HIPAA Security Rule, or they will otherwise face heavy fines for breaches.

Anthem Inc.

According to the Department of Health and Human Services (HHS), one of the leading healthcare clearinghouses, Anthem, Inc., had to pay $16 million after a series of cyberattacks.

The 2015 incident exposed the electronic PHI of close to 79 million people. The stolen e-PHI included names, social security numbers, email addresses, dates of birth, physical addresses, and employment information.

4. Hybrid Entity

The fourth type of Covered Entity is a Hybrid Entity, which is any single legal entity that performs both covered and noncovered functions in its operations.

A covered function is any function whose performance makes the individual or organization performing it a health plan, healthcare clearinghouse, or healthcare provider.

To become a Hybrid Entity, the Covered Entity must designate the healthcare components within its organization.

A Hybrid Entity need not include in its healthcare components research components that do not function as healthcare providers or do not perform functions similar to those of a business associate.

The research components of a Hybrid Entity functioning as healthcare providers and performing electronic transactions should be added to the Hybrid Entity’s healthcare components. The research components then become subject to the HIPAA Privacy Rule.

What is a Covered Entity Obligated to Do?

According to HHS, covered entities should comply with HIPAA’s Security and Privacy Rules.

Covered Entities and Compliance with the Security Rule

The HIPAA Security Rule demands that Covered Entities establish reasonable and effective administrative, technical, and physical safeguards to protect e-PHI.

The Covered Entities should comply with the following requirements:

• Ensure the confidentiality, integrity, and availability of e-PHI
• Identify and protect against reasonably anticipated threats to the integrity of e-PHI
• Protect against any reasonably anticipated unauthorized use or disclosure of e-PHI
• Ensure that their workforce complies with these safeguards

Covered Entities and The Privacy Rule

The HIPAA Privacy Rule addresses the use of PHI by Covered Entities by outlining standards for individuals’ right to control the use of their health information.

The Privacy Rule gives an individual the right to examine and access a copy of their medical records.

Individuals have a right to authorize Covered Entities to share their e-PHI with a third party.

Am I a Covered Entity?

Individuals and organizations involved in transferring, storing, and processing protected health information should comply with HIPAA regulations.

However, these individuals or organizations have to operate as health plans, healthcare providers, or healthcare clearinghouses to fall under the category of Covered Entities.


We have provided a detailed list of the three main categories of Covered Entities plus Hybrid Entities. Read through the article to understand your position.

Flatirons Development will be your most trusted partner if you are a Covered Entity looking into developing healthcare software for your organization.

We are HIPAA-Compliant, offering software development for mobile and web applications of your dreams.

We’re willing to sign a Business Agreement with your organization to ensure HIPAA compliance.
