September 16, 2025

HIPAA Covered Entities - It’s More Than Just PHI

Written by Chris Camejo
HIPAA/HITECH Privacy Compliance Information Security Compliance

Some organizations within the health care sector may believe that they are a Covered Entity simply because they handle health records (spoiler alert: this might not be the case). This often occurs due to misunderstandings about the definition of a Covered Entity. This post takes a deep dive into the Health Insurance Portability and Accountability Act (HIPAA) definition of Covered Entity to help organizations determine whether HIPAA applies to them.

This post is part of a series that helps explain HIPAA applicability. For other posts in this series see:

*These blogs have yet to be published and are coming soon.

Various terms throughout this post are linked to further definitions, either within this post or directly to definitions in laws and regulations.

TrustedSec has years of experience helping organizations meet HIPAA security and privacy compliance requirements. Please get in touch with us for any questions on this topic or if your organization needs assistance with its HIPAA Compliance program.

Covered Entity Definition

The HIPAA Rules directly apply to Covered Entities. The definition of Covered Entity in 45 Code of Federal Regulations (CFR) 160.103 tells us that a Covered Entity is any of the following:

Each of these terms is defined in more detail below.

Organizations that do not fall into any of the categories listed in the definition above are not Covered Entities, even if they handle information that would otherwise be considered Protected Health Information (PHI), and the HIPAA Rules do not directly apply to them (although they may apply indirectly as a Business Associate if the organization meets that definition).

Note that health care providers are only considered Covered Entities if they transmit certain Covered Transactions (defined below). There is a common misunderstanding that all health care providers are Covered Entities, which in turn results from a misunderstanding about the intent of HIPAA:

  • HIPAA is primarily intended to regulate health plans, not health care providers.
  • The main purpose of HIPAA Title II, which contains the Security, Breach Notification, and Privacy Rules, is to establish the requirements for standard formats used for electronic data exchange with and about health plans (what this post has been calling Covered Transactions) as described in the Administrative Rule.
  • The Security, Breach Notification, and Privacy Rules are only intended to cover organizations participating in these standardized data exchanges.

With this background in mind, it should make sense that a health care provider only needs to use the standard electronic data exchange formats described in the Administrative Rule if the health care provider is participating in a Covered Transaction related to the health plans that are the primary focus of HIPAA. In turn, it should also make sense that the Security, Breach Notification, and Privacy Rules intended to protect the covered exchanges would only apply to a health care provider that participates in these specific exchanges related to health plans.

The following flowchart can help organizations determine whether they are a Covered Entity based on this definition:

Covered Transaction Definition

Health care providers are only considered Covered Entities if they electronically transmit health information in connection with a transaction covered by HIPAA’s Data-Formatting requirements.

The Data-Formatting requirements are described in 45 CFR Part 162. The transaction types referenced in the definition of Covered Entities are defined in Subparts K through R of Part 162, with each subpart defining a specific Covered Transaction type and the standards to be used for that transaction type.

This table shows the transmissions a health care provider could make to a health plan that would be considered Covered Transactions with references to the source within the HIPAA regulations. Other transmission types have been omitted as they are not relevant to the status of a health care provider as a Covered Entity:

| Covered Transaction Type | Transmission Contents | Reference |
| --- | --- | --- |
| Health care claims or equivalent encounter information | A request to obtain payment, and the necessary accompanying information for health care (a). If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care (b). | 45 CFR 162.1101(a); 45 CFR 162.1101(b) |
| Eligibility for a health plan | An inquiry to obtain any of the following information about a benefit plan for an enrollee: eligibility to receive health care under the health plan; coverage of health care under the health plan; benefits associated with the benefit plan | 45 CFR 162.1201(a) |
| Referral certification and authorization | A request for the review of health care to obtain an authorization for the health care (a). A request to obtain authorization for referring an individual to another health care provider (b). | 45 CFR 162.1301(a); 45 CFR 162.1301(b) |
| Health care claim status | An inquiry to determine the status of a health care claim | 45 CFR 162.1401(a) |
| Coordination of benefits | For the purpose of determining the relative payment responsibilities of the health plan, either of the following for health care: claims; payment information | 45 CFR 162.1801 |

Health care providers are only Covered Entities if they transmit these Covered Transactions. Receiving a Covered Transaction is irrelevant to a health care provider’s status as a Covered Entity.

All of the Covered Transactions that would be transmitted by a health care provider must be received by a health plan to meet these definitions. Therefore, a transmission from a health care provider to any organization other than a health plan is not a Covered Transaction, even if it otherwise meets these definitions.

Health Plan Definition

Health plans are defined in 45 CFR 160.103 as an individual or group plan that provides, or pays the cost of, medical care.

The definition of a health plan includes the following, singly or in combination:

  • A group health plan
  • A health insurance issuer
  • An HMO
  • Part A or Part B of the Medicare program
  • The Medicaid program
  • The Voluntary Prescription Drug Benefit Program
  • An issuer of a Medicare supplemental policy
  • An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy
  • An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers
  • The health care program for uniformed services
  • The veterans health care program
  • The Indian Health Service program
  • The Federal Employees Health Benefits Program
  • An approved State child health plan providing benefits for child health assistance
  • The Medicare Advantage program
  • A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals
  • Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care

The definition of a health plan explicitly excludes both of the following:

  • Any policy, plan, or program to the extent that it provides, or pays for the cost of, the following benefits:
    • Coverage only for accident, or disability income insurance, or any combination thereof
    • Coverage issued as a supplement to liability insurance
    • Liability insurance, including general liability insurance and automobile liability insurance
    • Workers' compensation or similar insurance
    • Automobile medical payment insurance
    • Credit-only insurance
    • Coverage for on-site medical clinics
    • Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits
  • A government-funded program (other than ones explicitly listed above as health plans) that fits either of the following criteria:
    • Principal purpose is other than providing, or paying the cost of, health care
    • Principal activity is either:
      • The direct provision of health care to persons
      • The making of grants to fund the direct provision of health care to persons

Health Care Clearinghouse Definition

A health care clearinghouse is defined in 45 CFR 160.103 as a public or private entity, including a billing service, repricing company, community health management information system (CHMIS) or community health information system (CHIS), and “value-added” networks and switches, that performs either of the following functions:

  • Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction
  • Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity

Health Care Provider Definition

A health care provider is defined in 45 CFR 160.103 as any of the following:

The definition of medical and other health services is a long and complicated list of services and items. This list has indenting that is hard to follow and multiple apparent typos that would literally take an act of Congress to fix. There are also a few lines at the end that create some exclusions in a very confusing manner by referencing other definitions that in turn have their own definitions and exclusions.

Keep in mind that for a health care provider that meets this definition to be considered a Covered Entity, it must also transmit health information in electronic form in connection with a transaction covered by HIPAA. Understanding the types of Covered Transactions is likely much simpler than dealing with the much more complex provider definitions, so that is the suggested place to start.