Are You a Covered Entity?

Guidance for determining HIPAA covered entities, which include health plans, clearinghouses, and certain health care providers.

Issued by: Centers for Medicare & Medicaid Services (CMS)

Issue Date: August 02, 2020

Covered Entity Decision Tool (PDF): Not sure if you’re a covered entity? Use this tool to find out.

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA covered entities.

HIPAA covered entities include health plans, clearinghouses, and certain health care providers as follows:

Health Plans

For HIPAA purposes, health plans include:

  • Health insurance companies
  • HMOs, or health maintenance organizations
  • Employer-sponsored health plans
  • Government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs

Clearinghouses

Clearinghouses include organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.

Providers

Providers who submit HIPAA transactions, like claims, electronically are covered. These providers include, but are not limited to:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies

About Business Associates

If a covered entity engages a business associate to help carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that: 

  • Establishes specifically what the business associate has been engaged to do
  • Requires the business associate to comply with HIPAA

Examples of business associates include:

  • Third-party administrator that assists a health plan with claims processing
  • Consultant that performs utilization reviews for a hospital
  • Health care clearinghouse that translates a claim from a nonstandard format into a standard transaction on behalf of a health care provider, and forwards the processed transaction to a payer
  • Independent medical transcriptionist that provides transcription services to a physician

Also, a covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.

Exceptions

An organization may request an exception from the use of a standard transaction from the Secretary to test a proposed modification to that standard. Learn about our exceptions process and the principles for requesting an exception (PDF).

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.