A covered entity is one of the three actor types HIPAA names directly: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard transactions (such as claims). The definition lives at 45 CFR §160.103. These are the parties at the center of the regulated relationship — the ones with the primary, direct duty to protect Protected Health Information (PHI).

For most telemedicine startups, the important realization is that they are usually not covered entities. A software vendor that provides the video platform, the scheduling, or the AI scribe to a clinic is typically a business associate of that clinic, handling PHI on its behalf under a Business Associate Agreement (BAA). The distinction is not cosmetic: it determines whose compliance program takes the lead, who holds the direct relationship with the patient, and which side of the BAA each party signs.

The nuance worth flagging is that a single company can occupy both seats. A startup that builds the technology and also employs its own licensed clinicians who treat patients can be a covered entity for the care it delivers and a business associate for the platform services it provides to others. For a product team, the practical implication is to determine your status explicitly and per line of business before designing data flows and contracts, because it dictates your obligations, your patient-facing notices, and your contractual posture. The common pitfall is assuming "we're just the software, so HIPAA is someone else's problem" — a position that collapses the moment your own clinicians are in the loop.