HIPAA Covered Entity: Who Must Comply

Practical guidance for healthcare teams and business associates

In 2025, OCR closed over 40,000 HIPAA complaints without investigation. One of the top reasons: the complaint named an organization that was not a covered entity. HIPAA's requirements — the Privacy Rule, Security Rule, Breach Notification Rule — only apply to covered entities and their business associates. If you are not a covered entity, HIPAA does not regulate you. If you are one and don't know it, OCR's $144.8 million in cumulative enforcement penalties says ignorance is expensive.

This guide explains what a covered entity is under 45 CFR 160.103, which organizations qualify, which do not, and what happens when covered entities fail to comply.

Under 45 CFR 160.103, a covered entity means:

  1. A health plan
  2. A health care clearinghouse
  3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by 45 CFR Part 162

That third category is where most confusion lives. A healthcare provider becomes a covered entity only when they transmit health information electronically for a standard HIPAA transaction. Health plans and clearinghouses are covered entities by definition — no transaction trigger required.

Once an organization meets the definition, all of HIPAA applies. The Privacy Rule, the Security Rule, the Breach Notification Rule, the requirement to issue a notice of privacy practices, patient access rights — the entire regulatory framework attaches.

The Three Types of HIPAA Covered Entities

Health Care Providers

Any person or organization that furnishes, bills, or is paid for health care in the normal course of business — if they transmit health information electronically for a covered transaction. This includes:

  • Physicians and physician groups
  • Hospitals and health systems
  • Dental practices
  • Pharmacies
  • Chiropractors
  • Psychologists, therapists, and counselors
  • Nursing facilities and home health agencies
  • Laboratories and imaging centers
  • Telehealth providers

The key trigger is electronic transmission. A provider who submits even one electronic claim — or whose billing service submits claims on their behalf — is a covered entity. At that point, HIPAA applies to all patient records, not just those involved in the electronic transaction.

Health Plans

Any individual or group plan that provides or pays the cost of medical care. This includes:

  • Health insurance companies
  • HMOs and PPOs
  • Employer-sponsored group health plans (with 50 or more participants, or administered by an entity other than the employer)
  • Medicare (Parts A, B, C, and D)
  • Medicaid
  • TRICARE
  • CHIP (Children's Health Insurance Program)
  • Veterans Health Administration
  • Federal Employees Health Benefits Program

Exception: A group health plan with fewer than 50 participants that is self-administered by the employer is not a covered entity under 45 CFR 160.103.

Health Care Clearinghouses

A public or private entity that processes nonstandard health information into standard data elements or transactions, or vice versa. Examples include:

  • Billing services that convert provider claims into standard formats
  • Repricing companies
  • Community health management information systems
  • Value-added networks that translate between payers and providers

Clearinghouses sit between providers and payers, standardizing the data that flows between them. They handle PHI as an inherent part of their function.

The Covered Transactions That Trigger HIPAA

For healthcare providers, covered entity status depends on conducting at least one standard electronic transaction defined under 45 CFR Part 162. There are nine:

Transaction                                                  | CFR Reference
Health care claims or equivalent encounter information       | 45 CFR 162.1101–1102
Eligibility inquiries and responses                          | 45 CFR 162.1201–1203
Referral certifications and authorizations                   | 45 CFR 162.1301–1302
Health care claim status inquiries and responses             | 45 CFR 162.1401–1403
Enrollment and disenrollment in a health plan                | 45 CFR 162.1501–1502
Health care electronic funds transfers and remittance advice | 45 CFR 162.1601–1603
Health plan premium payments                                 | 45 CFR 162.1701–1702
Coordination of benefits                                     | 45 CFR Part 162
Medicaid pharmacy subrogation                                | 45 CFR 162.1901–1902

The most common trigger is submitting insurance claims electronically. If your practice files claims through a clearinghouse or directly to a payer, you conduct a covered transaction.

Who Is NOT a Covered Entity

HIPAA does not apply to every organization that handles health-related information. The following are generally not covered entities:

  • Employers — An employer is not a covered entity, even though it may hold employee health information. However, the employer's group health plan is a separate covered entity. The Privacy Rule restricts how the plan can share PHI with the employer for administrative functions. According to HHS guidance, HIPAA does not directly regulate employers.
  • Schools — Most schools maintain student health records as "education records" under FERPA, which are explicitly excluded from HIPAA's definition of PHI. A school can become a covered entity if it operates a health clinic that bills insurance electronically. HHS and the Department of Education published a joint HIPAA-FERPA guide addressing these intersections.
  • Life insurance companies — Life insurers are not health plans under HIPAA.
  • Workers' compensation carriers — Workers' comp programs are excluded from the health plan definition.
  • Most employers' disability programs
  • Cash-only or paper-only providers — A provider who never submits any of the nine covered transactions electronically is not a covered entity. This is increasingly rare.
  • Consumer health apps and fitness trackers — Apps like Fitbit or MyFitnessPal that are not provided by or on behalf of a covered entity are generally not covered by HIPAA, even though they collect health-related data.

Important: Not being a covered entity does not mean no privacy obligations exist. State laws, the FTC Act, and regulations like California's CMIA and CCPA may still apply.

Covered Entity vs. Business Associate

A business associate is a person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Both are regulated under HIPAA, but their obligations differ. For a detailed breakdown of BAA requirements, see our business associate agreement guide.

Requirement                 | Covered Entity                | Business Associate
Privacy Rule (full)         | Yes                           | Certain provisions
Security Rule               | Yes                           | Yes (directly liable since HITECH)
Breach Notification         | Yes (to HHS, patients, media) | Yes (to covered entity)
Notice of Privacy Practices | Yes                           | No
Patient access rights       | Yes                           | No (but must support CE)
BAA required                | Must execute with each BA     | Must sign with CE
Risk analysis               | Yes                           | Yes
OCR enforcement             | Yes                           | Yes (directly since HITECH Act)

A common example: a medical billing company is a business associate. The physician practice that hired the billing company is the covered entity. Both must comply with HIPAA, but the covered entity bears primary responsibility for patient rights and the notice of privacy practices.

Common Misconceptions About Covered Entity Status

"I use a billing service, so I'm not a covered entity." Wrong. If your billing service submits electronic claims on your behalf, you are still the covered entity. The billing service is your business associate. Using a clearinghouse or billing service does not remove your covered entity status — it confirms it.

"I'm a small practice, so HIPAA doesn't apply." Wrong. HIPAA has no size threshold. A solo practitioner who submits one electronic claim is a covered entity with the same obligations as a hospital system. Practice size affects how you implement safeguards (the Security Rule's flexibility standard), not whether you must comply.

"I only do telehealth, so I'm different." Telehealth providers who bill insurance electronically are covered entities. The mode of care delivery does not change the regulatory analysis. If you furnish health care and submit electronic claims, you are covered.

"We're a substance abuse treatment center, not a hospital." Substance abuse treatment facilities are healthcare providers. If they submit electronic claims, they are covered entities — and they face additional obligations under 42 CFR Part 2. In 2026, OCR settled with Top of the World Ranch Treatment Center for $103,000 for risk analysis failures.

"We don't store PHI electronically." Covered entity status depends on conducting electronic transactions, not on how you store records. A practice with paper charts that submits electronic claims is still a covered entity — and must still protect all PHI, including paper records, under the Privacy Rule.

What Happens When Covered Entities Don't Comply

OCR has settled or imposed civil money penalties in 152 cases totaling $144.8 million through mid-2026. The majority of recent actions target covered entities that failed to conduct security risk analyses. More than three-fourths of all 2025 penalties cited risk analysis as the primary violation.

Recent enforcement actions against covered entities:

Covered Entity                        | Year | Penalty    | Primary Violation
Solara Medical Supplies               | 2025 | $3,000,000 | Phishing attack, risk analysis failure
BayCare Health System                 | 2025 | $800,000   | Minimum necessary, risk management
PIH Health                            | 2025 | $600,000   | Risk analysis, impermissible disclosure (189,763 patients)
Spencer Gifts LLC Health Plans        | 2026 | $450,000   | Risk analysis, lack of policies
Assured Imaging                       | 2026 | $375,000   | Risk analysis, disclosure of 244,813 records
Northeast Radiology                   | 2025 | $350,000   | Risk analysis failure
Regional Women's Health Group         | 2026 | $320,000   | Risk analysis failure
Top of the World Ranch (SUD provider) | 2026 | $103,000   | Risk analysis failure
Comprehensive Neurology               | 2025 | $25,000    | Risk analysis failure
Vision Upright MRI                    | 2025 | $5,000     | Risk analysis, breach notification

Current 2026 penalty tiers (inflation-adjusted per HHS enforcement data):

Tier | Culpability                     | Per Violation         | Annual Cap
1    | Did not know                    | $145 – $73,011        | $2,190,294
2    | Reasonable cause                | $1,461 – $73,011      | $2,190,294
3    | Willful neglect (corrected)     | $14,602 – $73,011     | $2,190,294
4    | Willful neglect (not corrected) | $73,011 – $2,190,294  | $2,190,294

How to Determine If You Are a Covered Entity

CMS publishes a Covered Entity Decision Tool that walks through yes/no questions for each category. The core analysis is straightforward:

  1. Do you provide health care? If yes, do you transmit any health information electronically for one of the nine covered transactions (most commonly: claims, eligibility checks, or remittance advice)? If yes → you are a covered entity.
  2. Do you operate a health plan? If you provide or pay for medical care through an individual or group plan → you are a covered entity. (Exception: self-administered employer plans with fewer than 50 participants.)
  3. Do you process health information between nonstandard and standard formats? If yes → you are a health care clearinghouse and a covered entity.

If the answer is no to all three, you are not a covered entity. You may still be a business associate if you handle PHI on behalf of a covered entity.

If you determine you are a covered entity, your immediate obligations include: conducting a security risk analysis, developing HIPAA policies and procedures, training your workforce, executing BAAs with every vendor that touches PHI, and issuing a notice of privacy practices to patients.

Frequently Asked Questions

Is a dentist a covered entity under HIPAA?

Yes, in most cases. A dentist who submits insurance claims electronically — even through a billing service — is a covered entity. A cash-only dentist who never conducts electronic transactions may not be, though this is rare. The ADA's HIPAA guidance confirms this.

Is an employer a covered entity under HIPAA?

No. The employer itself is not a covered entity. However, the employer's group health plan is a separate covered entity (unless it has fewer than 50 participants and is self-administered). HIPAA restricts how the plan shares PHI with the employer for administrative purposes.

Is a school a covered entity?

Generally no. Schools maintain health records as education records under FERPA, which are excluded from HIPAA. A school can become a covered entity if it runs a health clinic that bills electronically. HHS and the Department of Education published a joint HIPAA-FERPA guide explaining these distinctions.

What is a hybrid entity under HIPAA?

A hybrid entity is a single legal entity that performs both covered and non-covered functions. Examples include universities with health centers, county governments with public health clinics, and retailers with in-store pharmacies. A hybrid entity can formally designate its "health care components" to limit HIPAA's scope to those components.

What is the difference between a covered entity and a business associate?

A covered entity provides or pays for health care. A business associate handles PHI on behalf of a covered entity. Both are regulated under HIPAA, but covered entities have broader obligations including issuing notices of privacy practices and managing patient access rights. A business associate agreement must be in place between them.

Can a sole practitioner be a covered entity?

Yes. There is no size threshold for covered entity status. A solo physician, dentist, or therapist who submits even one electronic claim is a covered entity with the same core HIPAA obligations as a hospital system.

Is a telehealth provider a covered entity?

If the telehealth provider furnishes health care and submits electronic claims, yes. The mode of care delivery — in-person or virtual — does not change the regulatory analysis. Telehealth compliance requirements apply the same HIPAA rules.

Does one electronic transaction make me a covered entity?

Yes. A single electronic claim, eligibility check, or other covered transaction is enough to trigger covered entity status. Once triggered, HIPAA applies to all of your patient records and operations — not just the one transaction.

Who investigates covered entities for HIPAA violations?

The HHS Office for Civil Rights (OCR) investigates complaints, conducts audits, and imposes penalties. State attorneys general can also bring HIPAA enforcement actions under the HITECH Act.

What are the penalties for a covered entity that violates HIPAA?

Civil penalties range from $145 to $2,190,294 per violation in 2026, depending on the level of culpability. Criminal penalties can reach $250,000 and up to 10 years imprisonment for violations committed with intent to sell or use PHI for personal gain.

Sources

  1. 45 CFR 160.103 — Definitions (eCFR)
  2. HHS — Covered Entities and Business Associates
  3. CMS — Are You a Covered Entity?
  4. HHS — Enforcement Highlights
  5. HHS — Resolution Agreements
  6. HHS FAQ — Am I a Covered Entity as an Employer?
  7. HHS/DOE — Joint HIPAA and FERPA Guidance
  8. HHS — Summary of the HIPAA Privacy Rule
  9. ADA — HIPAA 20 Questions

Conclusion

Covered entity status is the threshold question for HIPAA compliance. If you furnish health care and submit electronic claims, operate a health plan, or process health data between standard and nonstandard formats, HIPAA applies to you. The definition under 45 CFR 160.103 is precise, and OCR enforces it aggressively — 152 enforcement actions and $144.8 million in penalties to date. Determining your status is the first step. Building a compliance program is the second.

One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes. Explore our HIPAA compliance packages.