HIPAA University

Who Does HIPAA Apply To?

August 26, 2024

HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that the U.S. government enacted on August 21, 1996. With over 629 healthcare regulations in force, navigating each one precisely can feel difficult.

This law protects patient privacy and requires that patient information be kept confidential. That raises the central question: who exactly does HIPAA apply to? The answer depends on whether your business or organization meets the specific criteria that bring it under HIPAA.

In this guide, we explore the different bodies and individuals that HIPAA applies to, and what each of them is required to do.

What is a Covered Entity Under HIPAA?

A covered entity under the Health Insurance Portability and Accountability Act (HIPAA) includes organizations and individuals who must follow HIPAA rules to protect patient data. These entities are grouped into two main categories:

Healthcare Providers

  • Doctors
  • Clinics
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies 

Health Plans

  • Health insurance companies
  • Health Maintenance Organizations (HMOs)
  • Employer-sponsored health plans
  • Government programs that pay for healthcare, such as Medicare and Medicaid 

These covered entities are directly responsible for safeguarding Protected Health Information (PHI) in accordance with HIPAA regulations.

What is a Business Associate Under HIPAA?

A “business associate” under HIPAA is a person or organization that handles protected health information (PHI) on behalf of a covered entity, and is therefore responsible for how that PHI is used and for preventing its misuse. Business associates are usually service providers that support covered entities, and they play a critical role in keeping the healthcare organizations they serve compliant.

Here are some examples of business associates that come under HIPAA’s purview:

  • Third-Party Administrators: They handle claims processing for health plans.
  • Billing Companies: These manage billing and collection services for healthcare providers.
  • IT Service Providers: They offer things like data storage, cloud computing, or other tech solutions that involve PHI.
  • Law Firms: They provide legal services to covered entities, especially when they need to access PHI.
  • Consultants: These folks offer advisory services that might require access to PHI.
  • Accountants: They perform financial audits or other accounting services for healthcare entities.
  • Shredding Companies: Yes, even companies that securely dispose of documents containing PHI fall into this category.
  • Transcription Services: They convert voice-recorded medical reports into written text.

Before any PHI changes hands, the business associate must enter into a Business Associate Agreement (BAA) with the covered entity. A BAA sets out the business associate’s responsibilities and the safeguards it must apply to PHI.

Read More: What Is The Purpose of HIPAA in 2024?

What Types of Information Are Covered Under HIPAA’s Privacy Rule?

The HIPAA Privacy Rule is designed to protect Protected Health Information (PHI)—any data that can be used to identify an individual and relates to their physical or mental health, healthcare services, or payment for those services.

Here are the three primary categories of PHI covered under the Privacy Rule:

  • Personal Identifiers: This includes names, addresses, contact details, Social Security numbers, medical record numbers, health plan IDs, account numbers, license and certificate numbers, vehicle and device serial numbers, biometric data, full-face photos, IP addresses, web URLs, and any other unique identifying codes or characteristics. 
  • Medical Information: Diagnoses, treatment plans, medication lists, medical histories, test results, hospital discharge summaries, and progress notes are all considered PHI when linked to an individual. 
  • Payment Information: Billing records, insurance details, and payment histories related to healthcare services also fall under the umbrella of PHI. 

If the information can identify a person and connects to their health or healthcare in any way, it’s protected by HIPAA.

Requirements for Use and Disclosure of Protected Health Information

HIPAA outlines clear rules for how Protected Health Information (PHI) can be used and disclosed. These rules aim to protect patient privacy while still allowing the necessary flow of information for quality care and essential services.

The requirements are organized into several categories:

  1. General Requirements
  • Only the minimum necessary PHI should be used, disclosed, or requested to fulfill a specific purpose.
  • Written authorization from the patient is required for uses and disclosures not otherwise permitted or required by HIPAA.
  2. Permitted Uses and Disclosures
    PHI can be used and disclosed without patient authorization for:
  • Providing, coordinating, or managing healthcare
  • Billing and payment purposes
  • Public health activities (e.g., disease control, adverse reaction reporting)
  • Cases involving abuse, neglect, or domestic violence
  • Health oversight activities like audits and investigations
  • Judicial and administrative processes (e.g., court orders or subpoenas)
  • Law enforcement purposes
  • Approved research under specific conditions
  • Averting serious threats to health or safety
  • Certain government functions (e.g., national security, military)
  • Workers’ compensation claims

If incidental disclosures occur, immediate and reasonable safeguards must be implemented.

  3. Required Disclosures
  • Patients have the right to request and access their own PHI.
  • PHI must be shared with the U.S. Department of Health and Human Services (HHS) for compliance investigations.
  4. Safeguards and Compliance
  • Administrative: Develop and manage policies and procedures to support security measures.
  • Physical: Control physical access to prevent inappropriate access to PHI.
  • Technical: Use technology to secure and control access to PHI.
  5. Patient Rights
    Patients have several rights under HIPAA, including the ability to:
  • Access and receive a copy of their PHI
  • Request corrections to their PHI
  • Obtain a list of disclosures made by the covered entity
  • Request restrictions on how their PHI is used or disclosed
  • Request communications in a specific manner or location

Read More: Most Common HIPAA Violations You Should Avoid

As an Employee or Supervisor, What Can You Do To Ensure Compliance?

Maintaining HIPAA compliance is a shared responsibility between employees and supervisors. Each role plays a crucial part in protecting patient privacy and securing health information.

If you’re an employee, follow these steps:

  • Understand your organization’s HIPAA policies and procedures. 
  • Attend all required HIPAA training sessions and stay informed about updates. 
  • Access only the patient information necessary for your role. 
  • Keep physical and electronic records secure at all times. 
  • Avoid discussing patient information in public or shared spaces. 
  • Report any suspected HIPAA violations or security breaches right away. 

If you’re a supervisor, take the following actions:

  • Ensure all staff receive HIPAA training, including new hires. 
  • Regularly monitor employee access and use of PHI. 
  • Develop and enforce HIPAA-compliant policies and procedures. 
  • Make sure all electronic systems meet HIPAA security standards, including encryption and access controls. 
  • Foster a culture where staff feel safe reporting potential violations. 
  • Conduct periodic audits and risk assessments to identify and fix issues in PHI handling.

Conclusion

Understanding who HIPAA applies to starts with knowing the law’s core purpose: to protect patient privacy and secure sensitive health information. Whether you’re part of a healthcare facility, an insurance provider, or a third-party vendor handling medical data, HIPAA compliance isn’t optional—it’s a legal and ethical responsibility.

The law primarily applies to healthcare providers, health plans, and those working with them—like business associates. Each of these groups must follow clear rules when using or sharing Protected Health Information (PHI), always with a lawful and well-defined purpose.

By following HIPAA’s guidelines, individuals and organizations help strengthen trust in the healthcare system. Compliance not only protects patients—it also promotes transparency, accountability, and a culture of privacy in every interaction.
