HIPAA Rules and Regulations : Who Must Comply

May 23, 2024

In healthcare, privacy isn’t just a policy — it’s a legal obligation. The Health Insurance Portability and Accountability Act (HIPAA) was put in place to protect sensitive patient information and set national standards for how it’s handled. From small clinics to national insurers, HIPAA applies across the healthcare ecosystem.

And it works — compliance with HIPAA has contributed to a 90.49% decrease in healthcare data breaches. That’s not just a number; it’s a clear sign that when the right regulations are followed, patient information stays protected.

Still, many people aren’t sure exactly who is required to follow HIPAA rules and regulations — and who isn’t. This guide breaks it down in simple terms.


Who Needs to Follow HIPAA?

HIPAA applies to a wide range of individuals and organizations that are involved in the healthcare system. If someone handles patient data or helps process healthcare information, there’s a good chance HIPAA applies to them.

  • Healthcare Providers. This includes the familiar faces — your doctor, the nurse at your local clinic, even specialists in large hospitals. If they’re offering care and handling medical records, HIPAA’s part of the job.
  • Health Plans. Insurance companies and programs like Health Maintenance Organizations (HMOs) aren’t off the hook. They deal with a lot of patient data, and that means they’re expected to keep it secure under HIPAA.
  • Healthcare Clearinghouses. These aren’t the people treating you, but they move your health information between systems — for billing, records, and more. That access means they’ve got to be HIPAA compliant.
  • Business Associates. Companies like billing vendors, IT support, or consultants may not directly provide healthcare — but if they access your data while helping a provider, they need to protect it.
  • Subcontractors. HIPAA compliance extends to companies that support healthcare operations but don’t provide care themselves. These may include payment processors, IT contractors, and consultants who provide services in the healthcare field.
  • Government Bodies. Agencies involved in public health programs or law enforcement roles that may handle patient data.
  • Researchers. Individuals conducting studies that involve access to protected health information (PHI).
  • Schools and Universities. Institutions engaged in healthcare research or operating clinics within educational programs.


Who Doesn’t Need to Follow HIPAA?

While HIPAA covers many parts of the healthcare system, it doesn’t apply to everyone. Here are some common examples:

  • Employers. Job-related health details — like workplace injury records or notes from HR — usually don’t fall under HIPAA. These are considered employment records.
  • Most Schools. Student health information managed by schools generally does not need to be HIPAA compliant. However, health clinics providing services in schools may still need to comply.
  • Law Enforcement. Police departments and similar agencies are generally not subject to HIPAA when using health information for investigations. Other rules like the Privacy Act may apply instead.
  • Correctional Institutions. Prisons and jails often have their own policies for handling inmate health information. HIPAA doesn’t apply within these settings.
  • Certain Government Programs. Programs like the Federal Employees Health Benefits Program (FEHB) operate with their own privacy rules. While they handle health data, they don’t always fall under HIPAA.
  • Some Research Projects. Not all research studies are required to comply with HIPAA. If a project doesn’t use protected medical data, different rules may apply — though ethical and legal guidelines still matter.


Does HIPAA Apply to Everyone?

Not quite. HIPAA — short for the Health Insurance Portability and Accountability Act — is designed for those who provide or support healthcare services. If you handle personal medical information, there’s a good chance HIPAA applies. But there are specific exceptions, especially outside of the healthcare space.

The key is knowing whether the work involves patient data — and whether that data is protected under HIPAA rules.


Final Thoughts

HIPAA helps protect medical privacy in a system where data moves constantly. Knowing who must comply with HIPAA rules and regulations helps organizations stay on track — and builds trust with patients.

Whether you’re a clinic, an insurance group, or a consultant working behind the scenes, understanding your role is the first step in staying compliant. While HIPAA doesn’t apply to everyone, it plays a major role in keeping patient information safe in the world of healthcare.
