"Covered entities" are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) medical care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other medical care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities.

Covered entities can be institutions, organizations, or persons. Researchers are covered entities if they are also medical care providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard. For example, physicians who conduct clinical studies or administer experimental therapeutics to participants during the course of a study must comply with the Privacy Rule if they meet the HIPAA definition of a covered entity."[ Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule, NIH Publication Number 03-5388 (HIPAA Research)]

If a person is are not dealing with a covered entity, HIPAA does not apply, even for medical treatment. For example, if a person goes a physician who only takes cash payment and does not deal with any health plans or medical care clearinghouses, that physician is not bound by HIPAA. An alternative medicine provider who only deals in cash is unlikely to be covered by HIPAA. Internet medical information questionnaires and online doctors who write prescriptions for drugs like Viagra based on a WWW site questionnaire are probably not protected by HIPAA. In these cases, state law still applies, but it is a very limited protection in the Internet world.

Medical research may or may not be covered by HIPAA. If it is clinical research that is part of routine medical care, it is covered if the routine care is covered by insurance or if the hospital or clinic where the research is done also does care that is covered by insurance. In a clinical trial that is not part of treatment may not be covered, depending on whether the institution doing the research is covered by HIPAA. If the research is covered by HIPAA, it must meet the basic HIPAA requirements, with some special exceptions for research. If the research is not being done by a covered entity, it is not covered by HIPAA.