Covered Under the HIPAA Privacy Rule: Compliance Requirements and Examples
Covered Entities Overview
The HIPAA Privacy Rule applies to covered entities that handle Protected Health Information (PHI) in any form—electronic, paper, or oral. PHI is any individually identifiable health information tied to a person’s health status, care, or payment.
Covered entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. Organizations may operate as hybrid entities, designating health care components that are subject to the Rule while separating non‑health functions.
PHI excludes de‑identified information and certain employment records held by an employer. When acting in their group health plan capacity, employers must ensure that PHI is handled by the plan, not the employer, with appropriate firewalls and authorizations.
Business Associates Roles
Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of covered entities. Their work can include claims processing, data hosting, analytics, or legal and consulting services involving PHI.
A Business Associate Agreement (BAA) is required before sharing PHI. The BAA defines permitted uses and disclosures, mandates PHI safeguards, and requires the associate to report incidents and breaches to the covered entity without unreasonable delay.
Business associates must apply the minimum necessary standard, implement administrative, physical, and technical protections, flow down requirements to subcontractors, and make PHI available for access or amendment when requested by the covered entity.
Compliance Requirements Overview
Core Privacy Standards
Covered entities may use or disclose PHI for treatment, payment, and health care operations, and as otherwise permitted or required by law. Uses beyond these purposes generally require a valid, written authorization.
Entities must adopt the minimum necessary standard, verify requestors’ identities, and document disclosures. De‑identification or use of a limited data set with a data use agreement can reduce privacy risk for secondary purposes.
Individual Rights and Notices
Patients have rights to access and obtain copies of PHI, request amendments, receive an accounting of disclosures, request restrictions, and select confidential communication channels. A clear Notice of Privacy Practices must describe these rights and how PHI is used.
Governance, Documentation, and Training
Each organization must designate a Privacy Officer, maintain written policies and procedures, and retain documentation for required periods. Workforce Training is ongoing, role‑based, and supported by a sanctions policy for violations and a process to receive complaints without retaliation.
Risk Management Integration
A comprehensive Risk Analysis identifies privacy and security risks to PHI across processes and systems. The resulting risk management plan prioritizes mitigation, aligns with PHI Safeguards, and informs incident response preparation and vendor oversight.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Examples of Covered Entities
- Health plans: insurers, HMOs, employer‑sponsored group health plans, and government programs like Medicare or Medicaid components.
- Health care providers conducting standard electronic transactions: hospitals, physicians, clinics, dentists, pharmacies, laboratories, and nursing facilities.
- Health care clearinghouses: entities that transform nonstandard health data into standard formats or vice versa.
- Hybrid entities: universities or municipalities with designated health care components (e.g., student health services) subject to the Privacy Rule.
Examples of Business Associates
- Cloud service providers, data centers, backup and disaster recovery vendors hosting PHI.
- Billing companies, claims processors, and revenue cycle management firms.
- EHR and telehealth platforms, patient engagement or messaging tools handling PHI.
- Law firms, auditors, consultants, and accountants accessing PHI to perform services.
- Shredding, scanning, transcription, and medical device servicing vendors with PHI exposure.
- Data analytics, quality reporting, and health information exchange organizations.
Implementing Privacy Safeguards
Administrative PHI Safeguards
Establish policies addressing access, use, disclosure, retention, and disposal of PHI. Designate a Privacy Officer, conduct a Risk Analysis, manage vendors via BAAs, and maintain an incident response plan with clear escalation paths.
Provide Workforce Training tailored to job duties, apply the minimum necessary standard, and enforce a sanctions policy. Periodically test processes, perform audits, and document corrective actions to demonstrate ongoing compliance.
Technical Safeguards
Use unique user IDs, role‑based access controls, multi‑factor authentication, and automatic logoff on systems containing PHI. Maintain audit logs, monitor anomalous activity, encrypt PHI in transit and at rest, and protect endpoints and mobile devices.
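The safeguards in the paragraph above are usually implemented together, and an audit log is only useful if something reads it. The following added example (it is not code from the original article or from Accountable's product) is a small PHI access gateway in Python that enforces unique user IDs, a role-based minimum-necessary field matrix, automatic logoff after idle time, and an audit log, then runs a simple anomaly check over that log for denied requests, after-hours reads, and bulk record access. The roles, field names, timeout, thresholds, users, and patient records are all constructed assumptions for the illustration.

```python
"""Added illustration: a minimal PHI access gateway with role-based access,
automatic logoff, audit logging and anomaly detection over the audit log.
All roles, fields, users, patients and timestamps are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Minimum-necessary matrix: which PHI fields each role may read (assumed policy).
ROLE_FIELDS = {
    "clinician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
    "front_desk": {"name"},
}
IDLE_TIMEOUT = timedelta(minutes=15)  # automatic logoff threshold (assumed policy value)


@dataclass
class Session:
    user_id: str          # unique user ID; no shared accounts
    role: str
    last_activity: datetime


@dataclass
class AuditEvent:
    ts: datetime
    user_id: str
    patient_id: str
    fields: frozenset
    outcome: str          # "allowed", "denied" or "logged_off"


@dataclass
class PhiGateway:
    records: dict
    audit_log: list = field(default_factory=list)

    def access(self, session, patient_id, fields, now):
        """Return only the requested fields if policy allows; always write an audit event."""
        fields = frozenset(fields)
        # Automatic logoff: an idle session is terminated before any PHI is returned.
        if now - session.last_activity > IDLE_TIMEOUT:
            self.audit_log.append(AuditEvent(now, session.user_id, patient_id, fields, "logged_off"))
            return None
        session.last_activity = now
        # Role-based, minimum-necessary check: every requested field must be in the role's set.
        if not fields <= ROLE_FIELDS.get(session.role, set()):
            self.audit_log.append(AuditEvent(now, session.user_id, patient_id, fields, "denied"))
            return None
        self.audit_log.append(AuditEvent(now, session.user_id, patient_id, fields, "allowed"))
        record = self.records[patient_id]
        return {f: record[f] for f in fields}


def find_anomalies(audit_log, max_patients=3, window=timedelta(hours=1), business_hours=(7, 19)):
    """Flag denied requests, after-hours reads, and one user touching many patients quickly."""
    findings = []
    per_user = defaultdict(list)
    for ev in audit_log:
        if ev.outcome == "denied":
            findings.append(("denied", ev.user_id, ev.patient_id))
        if ev.outcome == "allowed":
            if not business_hours[0] <= ev.ts.hour < business_hours[1]:
                findings.append(("after_hours", ev.user_id, ev.patient_id))
            per_user[ev.user_id].append(ev)
    for user_id, events in per_user.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            in_window = {e.patient_id for e in events[i:] if e.ts - start.ts <= window}
            if len(in_window) > max_patients:
                findings.append(("bulk_access", user_id, len(in_window)))
                break
    return findings


def run_demo():
    """Constructed scenario exercising each safeguard; returns the reads and the findings."""
    records = {f"P{i}": {"name": f"Patient {i}", "diagnosis": f"dx-{i}",
                         "medications": f"rx-{i}", "insurance_id": f"ins-{i}"}
               for i in range(1, 6)}
    gw = PhiGateway(records)
    t = datetime(2024, 3, 4, 10, 0)  # constructed Monday morning
    clin = Session("u-clin-01", "clinician", t)
    bill = Session("u-bill-02", "billing", t)
    desk = Session("u-desk-03", "front_desk", t)
    reads = [gw.access(clin, "P1", {"diagnosis"}, t)]                               # allowed
    reads.append(gw.access(bill, "P1", {"diagnosis"}, t + timedelta(minutes=1)))    # denied
    for i in range(1, 6):                                                           # bulk lookup
        gw.access(desk, f"P{i}", {"name"}, t + timedelta(minutes=1 + i))
    reads.append(gw.access(clin, "P1", {"name"}, t + timedelta(minutes=30)))        # idle -> logoff
    night = Session("u-clin-01", "clinician", datetime(2024, 3, 4, 22, 55))
    reads.append(gw.access(night, "P2", {"medications"}, datetime(2024, 3, 4, 23, 0)))  # after hours
    return {"reads": reads, "findings": find_anomalies(gw.audit_log)}


if __name__ == "__main__":
    for finding in run_demo()["findings"]:
        print(finding)
```

The anomaly rules are deliberately simple thresholds; in practice the bulk-access and after-hours parameters would be tuned per role and the findings routed into the incident response process described later on the page.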
Physical Safeguards
Control facility access, secure workstations, and govern device and media movement and disposal. Employ screen privacy measures, locked storage, visitor logs, and secure destruction methods for paper and electronic media.
Managing Data Breaches
Identify, Contain, and Assess
Upon suspected unauthorized access, immediately contain the incident, preserve logs and evidence, and initiate your incident response plan. Perform a breach risk assessment considering the PHI’s sensitivity, the unauthorized party, whether PHI was actually acquired or viewed, and mitigation steps taken.
Notification Duties and Timelines
If a breach is confirmed, provide a Notice of Data Breach to affected individuals without unreasonable delay and no later than 60 days after discovery. For larger incidents, notify the U.S. Department of Health and Human Services and, when applicable, prominent media outlets in the affected area.
Business associates must notify the covered entity promptly with details sufficient to identify affected individuals. Maintain a breach log and preserve documentation of the assessment, decisions, and remediation.
Content of Notices and Remediation
Notices should describe what happened, the types of PHI involved, steps individuals can take, what the organization is doing to mitigate harm, and how to contact the Privacy Officer. Remediation can include resetting credentials, patching systems, improving PHI Safeguards, and targeted retraining.
Key Takeaways
Understanding who is covered, defining business associate responsibilities via a Business Associate Agreement, implementing layered PHI Safeguards, and executing timely breach response are the core pillars of HIPAA Privacy Rule compliance.
FAQs
What entities are covered under the HIPAA Privacy Rule?
Covered entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. Hybrid organizations can designate health components as covered, while non‑health components remain outside the Rule.
What are the responsibilities of business associates under HIPAA?
Business associates must sign a Business Associate Agreement, use or disclose PHI only as permitted, implement privacy and security safeguards, flow down obligations to subcontractors, support individual rights requests through the covered entity, and report incidents and breaches promptly.
What compliance measures must covered entities implement?
Key measures include a Notice of Privacy Practices, minimum necessary controls, policies and procedures, workforce training, designation of a Privacy Officer, vendor oversight with BAAs, Risk Analysis and risk management, documentation retention, and a tested incident response process.
How should breaches of PHI be handled under HIPAA?
Activate incident response, contain and investigate, and perform a documented risk assessment. If a breach is confirmed, issue a timely Notice of Data Breach to affected individuals, notify regulators and media when required, implement remediation, and update safeguards and training to prevent recurrence.