HIPAA Covered Entities: Who Needs to Comply with HIPAA

HIPAA applies to specific categories of organizations — but the scope is broader than many assume. Here is a clear breakdown of who must comply and why.

Published April 7, 2026

The Three Categories of Covered Entities

HIPAA's Privacy and Security Rules apply to covered entities, which fall into three categories:

  • Health care providers: Any provider that conducts standard electronic transactions (billing, eligibility checks) — including physicians, hospitals, dentists, chiropractors, psychologists, pharmacies, home health agencies, and nursing facilities
  • Health plans: Health insurance companies, HMOs, Medicare, Medicaid, employer-sponsored health plans, and long-term care insurers
  • Health care clearinghouses: Entities that process nonstandard health information into standard formats, or vice versa — typically billing services and health data management companies

If your organization falls into any of these categories, HIPAA compliance is a legal requirement, not an option.

Healthcare Providers: Who Counts

The most common covered entity type is the healthcare provider. Importantly, HIPAA applies only to providers that transmit health information electronically in connection with a covered transaction (such as claims, eligibility checks, or payment). In practice, this means virtually every provider that accepts insurance:

  • Physician practices of all sizes, from solo practitioners to large group practices
  • Hospitals and health systems
  • Dental practices that submit electronic claims
  • Mental health and substance abuse treatment providers
  • Physical therapists, occupational therapists, speech therapists
  • Home health agencies and visiting nurse services
  • Pharmacies
  • Urgent care centers and walk-in clinics

A healthcare provider that operates entirely on a cash-pay basis and never conducts electronic transactions is technically not a covered entity — but this is an extremely narrow exception and should be confirmed with legal counsel before relying on it.

Business Associates: Extended HIPAA Liability

Beyond covered entities, HIPAA also directly applies to Business Associates (BAs) — entities that perform functions on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI. Since the HITECH Act of 2009, BAs are directly liable under HIPAA, not just contractually responsible.

Common business associates include:

  • EHR vendors and software companies processing health data
  • Billing and coding services
  • Cloud storage and hosting providers used for ePHI
  • IT managed service providers with access to systems containing PHI
  • Law firms and accountants who access PHI in the course of their services
  • Transcription services
  • Web developers building patient-facing applications

Organizations That Are NOT Covered Entities

Understanding HIPAA's scope also means knowing what it does not cover. The following organizations are generally not HIPAA covered entities:

  • Employers who learn about employee health information through general workplace interactions (separate from group health plans)
  • Workers' compensation insurers (governed by state law)
  • Life insurance companies
  • Law enforcement agencies
  • Schools and school districts (covered by FERPA instead)
  • Consumer health apps that do not share data with covered entities

However, many of these organizations face equivalent obligations under state privacy laws, FTC regulations, or contractual requirements. Not being a HIPAA covered entity does not mean health data can be handled without any legal obligations.

Determining Whether Your Organization Qualifies

If you are uncertain whether your organization is a covered entity, work through this analysis:

  1. Does your organization provide healthcare services, administer a health plan, or process health information for billing purposes?
  2. Does your organization transmit health information electronically in connection with a covered transaction?
  3. Alternatively, does your organization receive, maintain, or transmit PHI on behalf of a covered entity (which would make it a business associate)?

If the answer to any of these questions is yes, HIPAA likely applies. Consult with a healthcare attorney to confirm your status and understand your specific obligations. The consequences of assuming you are not covered when you are can be severe — civil and criminal penalties apply regardless of intent.


Frequently Asked Questions

Does a cash-only medical practice need to comply with HIPAA?

It depends. If the practice never submits electronic claims to any payer and conducts no standard electronic transactions, it may not be a covered entity. However, this is a very narrow exception. Any practice that submits claims electronically, uses an EHR that connects to payers, or provides records to insurance companies for any patient is almost certainly a covered entity. Even cash-only practices often have patients with insurance that pays for some services.

Are telehealth startups covered by HIPAA?

Yes, if they provide healthcare services. A telehealth company that connects patients with licensed clinicians, provides diagnoses or treatment, or handles prescriptions is a healthcare provider and a covered entity. Telehealth platforms that only provide the technology infrastructure but never create or maintain PHI themselves may be business associates rather than covered entities — but either way, HIPAA applies.

What happens to a business associate if the covered entity they work with has a breach?

Business associates have independent HIPAA obligations since HITECH. If a BA's actions or failures cause or contribute to a breach, the BA is directly liable for civil and potentially criminal penalties. The fact that the covered entity also failed does not protect the BA. Both parties can be independently investigated and penalized.

Does HIPAA apply to health information shared on social media by patients?

No. HIPAA only governs covered entities and their business associates — it does not restrict what patients say about their own health information. If a patient posts their diagnosis on social media, that is not a HIPAA issue. However, if a covered entity or its employee shares patient information on social media without authorization, that is a serious HIPAA violation.
