Who is Covered under HIPAA?
Section 1. Who Does the Privacy Rule Apply to?

Medical practitioners and organizations that are subject to the privacy rule under HIPAA's Administrative Simplification guidelines are referred to as "covered entities." These are entities that routinely collect, store, and transmit personally identifiable health information in order to diagnose, treat, bill for services, or process claims. This applies to entities transmitting patient information electronically and applies to such organizations as:

  • Pharmacies
  • Physicians
  • Nursing Homes
  • Dental Offices
  • Chiropractors
  • Laboratories
  • Insurance Companies
  • Clearinghouses
  • Medicare and Medicaid

The status of "covered entity" is applied to any organization that submits HIPAA-protected information electronically. This applies to both large and small organizations and applies even if only a small portion of the total claims are transmitted and stored electronically. Once one electronic disclosure is made, the HIPAA privacy rules apply.

The organizations listed above can be grouped into four main categories, as shown below:

Health Plans - This includes individual and group insurance plans that are administered through an employer. Most types of plans are included as covered entities, including HMOs, dental plans, vision plans, Medicare and Medicaid, and prescription drug plans.

Exceptions include employer-funded group health plans with fewer than 50 participants, and government-funded health centers. Also excluded as covered entities are automobile insurance companies, workers' compensation plans, and liability insurance plans.

Health Care Providers - This is any health care organization, or solo medical provider, that electronically transmits personal health information that is protected by HIPAA. Any person or organization that provides a medical service and submits electronic bills for this service is considered a covered entity. The covered entity status is in effect whether the organization manages the billing process itself, or hires a third-party billing service.

In addition to electronic billing giving one status as a covered entity, electronic claims inquiries, referral authorizations, and online patient eligibility inquiries also confer covered entity status. This is true for large hospitals, as well as solo medical practitioners.

Health Care Clearinghouses - These organizations receive unique patient information after a medical service has been performed and compile the data in a standardized way for submission to health plans for reimbursement. Often, a clearinghouse will reprice or reformat a claim based on the known parameters of a specific health plan. Technically, clearinghouses also can be classified as business associates of the primary medical establishment, which gives them less stringent guidelines, as explained below.

Business Associates - Though not technically covered entities, Business Associates are subject to some of the same rules. Business Associates are third-party independent contractors that have permission to view and process personally identifiable health information on behalf of a medical establishment or health plan. Examples of activities performed by business associates include claim processing, billing and collection services, and data analysis.

Companies that act as business associates offer non-medical services in the realm of financial, legal and administrative assistance. While they may provide some form of medical services and be a covered entity in their own right, they do not do so for the company of which they are a business associate. Also, their non-medical assistance must involve the use of protected health information in order for them to be considered a business associate.

Covered entities that contract work out to business associates are responsible for documenting -- in a contract -- what measures the business associate will take to protect the personal health information it comes in contact with. The covered entity must clearly state in writing how the information is to be used, and under what circumstances disclosure of PHI is acceptable.

Section 2. Indications that you are NOT a Covered Entity

The privacy rule may be hard for some administrators to understand fully. You are not a covered entity, and therefore not subject to HIPAA privacy regulations, for the following types of transactions:

  • Filing paper claims to health plans, including Medicare and Medicaid. Only claims filed electronically qualify. Note, however, that many insurance carriers are phasing out paper claims in favor of a strictly electronic claims submission platform.
  • Submitting claims for medical services by paper or dedicated fax machine
  • Checking claim status by phone
  • Checking patient insurance eligibility by phone
  • Enrolling or removing oneself from a group or individual health plan by phone or fax
  • Receiving payment from insurance carriers, or paper explanation of benefits documents through the mail

Section 3. Covered Transactions

"Covered Transactions" are electronic exchanges of personally identifiable patient information that is transmitted between two covered entities in accordance with HIPAA guidelines.

Examples of covered transactions include:

  • Electronic referral authorizations for visits to a specialist or a laboratory
  • Electronic claim submissions to an insurance company
  • Electronic information sent to a third-party billing or collection service
  • Electronic claim information sent to a clearinghouse for reformatting and submission to an insurance carrier

Covered transactions do not include letters, emails, and documents sent by the patient, as the patient is not deemed a covered entity under HIPAA. Covered transactions must comply with all HIPAA privacy standards.

Food for Thought

Do you think that the establishment of "covered entities" and national standards will reduce health care fraud?
What additional types of business associates might a medical provider contract work out to?
Any medical provider, large or small, that electronically transmits personally identifying health information is considered a covered entity. Covered entities and their business associates engage in covered transactions, such as claims submission and processing, and data analysis, and are held accountable for maintaining patient privacy.