Skip to main content

What Is A Hipaa Entity?

by
Last updated on 6 min read
Medical Disclaimer: This article is for informational purposes only and does not constitute medical advice. Always consult a qualified healthcare professional for diagnosis and treatment. If you are experiencing a medical emergency, call 911 or your local emergency number immediately.

A HIPAA entity, also called a covered entity, is any health plan, health‑care clearinghouse, or health‑care provider that transmits protected health information electronically.

Is my employer a HIPAA covered entity?

Most typical employers are not HIPAA covered entities unless they sponsor a self‑funded health plan.

Generally, covered entities are limited to health plans, health‑care clearinghouses, and certain health‑care providers. However, an employer that only offers a fully insured group plan typically isn’t subject to HIPAA; a self‑funded employer, on the other hand, must follow the privacy rule. So, if your company runs its own health‑benefit fund, you’ll likely see a privacy notice and possibly business‑associate agreements (especially if third‑party vendors are involved).

What is the definition of a HIPAA covered entity?

A HIPAA covered entity is an organization that fits into one of three categories: health plans, health‑care clearinghouses, or health‑care providers that conduct electronic transactions for billing, claims, or other standard HHS activities.

According to the HIPAA Privacy Rule, which the U.S. Department of Health & Human Services enforces, these entities must safeguard any protected health information (PHI) they create, receive, or transmit. In most cases, business associates that handle PHI on their behalf are also subject to the same requirements (this includes vendors that process claims).

What are examples of a covered entity?

Examples of covered entities include doctors’ offices, hospitals, clinics, dental practices, pharmacies, and health‑insurance companies.

Typically, such organizations either deliver health‑care services, process health‑care payments, or serve as data intermediaries. Consequently, each must put HIPAA safeguards in place and give patients a privacy notice. Here’s a quick rundown of common covered‑entity types (think doctors, clinics, etc.):

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies

Who is under HIPAA?

HIPAA applies to covered entities—health plans, health‑care providers, and health‑care clearinghouses—and their business associates.

In most cases, individuals receive protection only when a covered entity handles their health information. Federal programs like Medicare and Medicaid count as health plans under the rule (think Medicare, Medicaid). If you want more details, check out the CDC privacy guidance.

Which is considered a covered entity?

The three categories—health plans, health‑care clearinghouses, and health‑care providers that transmit electronic health information—are considered covered entities.

Every category must obey the HIPAA Privacy, Security, and Breach Notification Rules. Typically, the classification hinges on the kind of electronic transactions the organization conducts under federal standards. If an organization falls outside these categories, HIPAA doesn’t apply—though state laws might still kick in.

What types of PHI does HIPAA require a signed authorization?

HIPAA requires a signed authorization for most uses or disclosures of individually identifiable health information, except for treatment, payment, and health‑care operations.

Usually, the signed authorization has to spell out what information will be used, why it’s being disclosed, and who’s involved. It also requires the individual’s signature, the date, and a clear statement about the right to revoke (you’ll need to sign it). In short, this helps keep patients safe from unauthorized sharing of sensitive data.

Are employees covered entities?

Employees themselves are not covered entities, but the employer may be a covered entity if it runs a self‑funded health plan.

If an employer runs its own health‑benefit fund, it must meet HIPAA privacy and security requirements. That means giving participants a notice of privacy practices and signing business‑associate agreements with any third‑party vendors. Regular staff training can go a long way toward preventing accidental disclosures (think regular refresher courses).

Does HIPAA apply to coworkers?

HIPAA does not apply to coworkers unless they are acting as a business associate of a covered entity.

Generally, most workplace relationships fall under employment and state privacy laws rather than HIPAA. Yet, if a coworker accesses PHI on behalf of a covered entity, they’re required to follow HIPAA safeguards (only when they’re acting as a business associate). Employers ought to restrict health‑data access to those who truly need it for legitimate purposes.

Does HIPAA apply to everyone?

HIPAA does not apply to everyone; it only applies to covered entities and their business associates.

People who aren’t part of a covered entity aren’t bound by the federal privacy rule. Still, many states have extra privacy statutes that might cover other parties. Grasping the scope can help organizations avoid over‑extending compliance efforts (especially for small practices).

What are some health care entities?

Health‑care entities include HMOs, PPOs, group practices, nursing facilities, rehabilitation centers, hospices, dialysis centers, and ambulatory surgical centers.

Such organizations can be covered entities if they handle PHI electronically or provide health‑care services. Consequently, each must adopt the required administrative, physical, and technical safeguards (like hospitals or outpatient centers). For a practical overview, see how the Mayo Clinic outlines common compliance steps for these facilities.

Who has to follow HIPAA?

All covered entities—health plans, health‑care providers, and health‑care clearinghouses—and any business associate that handles PHI must follow HIPAA.

If an organization fails to comply, civil penalties can range from $100 to $50,000 per violation, and criminal penalties may apply for willful misconduct. Typically, organizations should run regular risk assessments and keep documentation of their policies (think annual reviews). Annual staff training is a key component of an effective compliance program.

What are health care entities?

A health‑care entity is any organization that delivers health services, such as hospitals, clinics, and professional review committees that conduct peer review.

Depending on whether they transmit PHI electronically, these entities might be covered or non‑covered. Peer‑review activities enjoy a limited exception under the privacy rule. Knowing the distinction helps determine which safeguards are required.

What makes something HIPAA compliant?

HIPAA compliance requires implementing administrative, physical, and technical safeguards to protect PHI and ePHI.

Administrative safeguards encompass policies, training, and risk analysis; physical safeguards address facility access controls; technical safeguards involve encryption and audit controls. Regular audits and incident‑response planning are essential to keep compliance on track. For a handy checklist, see the Healthline guide for small practices.

Can anyone violate HIPAA?

Both individuals and organizations can violate HIPAA if they improperly access, use, or disclose protected health information without authorization.

Violations can happen accidentally—think a misplaced file—or intentionally, like malicious hacking (think intentional data theft). While criminal prosecution is rare, it’s possible for willful violations. Entities ought to report breaches promptly to the Office for Civil Rights (OCR) as the law requires. For more on the limits of electronic communication, see the article on disclosing PHI in electronic communications.

What would be a violation of HIPAA?

A violation includes unauthorized disclosure of PHI, failure to provide patients access to their records, and not implementing required security controls.

Other common breaches include lost or stolen devices, failure to encrypt ePHI, and inadequate employee training. Whenever a violation occurs, a breach notification must go out to affected individuals and sometimes to the media. Prompt corrective action and thorough documentation can help mitigate penalties.

Edited and fact-checked by the FixAnswer editorial team.
James Park

James is a health and wellness writer providing evidence-based information on fitness, nutrition, mental health, and medical topics.