Blog
April 9, 2024

Covered Entities vs Non-Covered Entities under HIPAA

In this post, we’ll explain the difference between covered and non-covered entities under HIPAA, so you can get a clear understanding of where your healthcare organisation fits.


Key Points:

  • Understanding the difference between Covered Entities and Non-Covered Entities is crucial for compliance with HIPAA, especially the Privacy Rule.
  • Covered entities include health plans, clearinghouses, and certain healthcare providers like doctors, pharmacies, and dentists who submit electronic claims.
  • Non-covered entities, not bound by the Privacy Rule, can include wearable tech, health apps, or providers not dealing with electronic data. It's essential to determine your classification to ensure compliance and avoid penalties under HIPAA.

If you’re dealing with healthcare data, and are based in the US, it’s likely you’ll need to comply with HIPAA.

Our ultimate guide to HIPAA regulations outlines everything you need to know about the federal law, including a breakdown of the different rules you’ll need to abide by.

However, when it comes to the Privacy Rule, you’ll only need to comply if you’re classed as a covered entity.

What is a HIPAA covered entity?

According to the Centers for Medicare and Medicaid Services, a covered entity includes health plans, clearinghouses, and certain health care providers.

That could look like:

  • Health insurance companies
  • Government-funded healthcare programmes such as Medicare
  • Providers who submit claims electronically, like doctors, pharmacies, and dentists
  • Clearinghouses that transmit data between medical professionals and health plans

Typically, any organisation or person that transmits data around payment transactions for medical treatment or insurance is classed as a covered entity under HIPAA. That could be hospitals, pharmacies, clinics, and nursing homes, as well as certain medical researchers if they are providing healthcare services and transmitting health data.

What is a non-covered entity under HIPAA?

Non-covered entities don’t fall under the Privacy Rule but may still have to comply with other aspects of HIPAA. They are not healthcare providers, healthcare clearinghouses, or health plans, but often store health-related information.

Examples of non-covered entities include:

  • Wearable tech such as Fitbit or Apple Watch
  • Health apps you might have downloaded like Noom or MyFitnessPal
  • Providers who don’t deal with electronic data

Be sure to check whether your business is covered or non-covered to make sure you’re fully compliant with all the legal requirements. There can be heavy financial penalties to pay if you’re found to be flouting the law.

What is a BAA?

Covered entities might need to use a business associate to help them process healthcare data.

A BAA is a Business Associate Agreement. To ensure the business associate is compliant, a BAA must be drawn up that outlines exactly what the business associate has been employed to do, and reiterates that they must comply with HIPAA.

A business associate could be a subcontractor like a transcriptionist, or a data transmission service provider. The Legal Information Institute at Cornell Law School outlines the full definition of a business associate in 45 CFR § 160.103.

A covered entity could also be a business associate of another covered entity.

How can you check if you’re a covered or non-covered entity under HIPAA?

The Department of Health and Human Services and the Centers for Medicare and Medicaid Services have created a tool you can use to help you understand whether you’re a covered or a non-covered entity.

You can check it out here.

Can Metomic help you comply with HIPAA?

Metomic is a data security software tool that helps security and compliance teams identify where sensitive data is stored in their SaaS apps, and understand who has access to it.

It can help you discover where PHI and PII are stored, and you can set custom rules to remediate or redact data when it’s shared in apps like Slack, Google Drive, or Jira.

Ben Van Enckevort, CTO at Metomic, says:

“Healthcare organisations will hugely benefit from Metomic’s ability to accurately detect sensitive PHI so they can minimise the risk to their business. Real-time employee notifications can help security teams educate the wider workforce on their security policies too so they can start building a culture that really does care about security.”
