Do I Need to Be HIPAA Compliant? How to Tell If HIPAA Applies to Your Business
Identifying Covered Entities
Start by asking what role you play in the health care ecosystem. Under HIPAA, “covered entities” include health care providers that transmit standard electronic transactions, health plans, and health care clearinghouses. If you are one of these, HIPAA compliance is mandatory.
Health plans span employer-sponsored group health plans, HMOs, and insurers that pay for care. Providers include hospitals, clinics, pharmacies, dentists, and telehealth practices—but only if you send standard electronic transactions (such as claims or eligibility checks). Clearinghouses convert data between billing formats for providers and plans.
If you never conduct a standard electronic transaction, you may not be a covered entity even if you deliver care. However, using a vendor to submit electronic claims on your behalf counts as transmitting those transactions. Large organizations can be “hybrid entities,” designating specific health care components as covered while keeping unrelated business units outside HIPAA’s scope.
Defining Business Associates
You are a business associate if you create, receive, maintain, or transmit Protected Health Information (PHI) for a covered entity—or for another business associate—to perform regulated functions or provide services. This status depends on what you do with PHI, not on your industry label.
Common business associates include claims processors, third‑party administrators, EHR and patient portal vendors, cloud and backup providers, IT managed service providers, data analytics firms, billing and coding companies, call centers, mailing/statement services, attorneys, accountants, consultants, and shredding companies that handle PHI.
The “conduit” exception is narrow and covers couriers or telecom carriers that merely transport data without persistent storage. Most modern hosting and email services “maintain” PHI and are business associates. Workforce members of a covered entity are not business associates, but subcontractors who handle PHI are and must comply. Business Associate Agreements are required before PHI flows.
Exemptions for Non-Covered Entities
Many organizations handle health-related data without triggering HIPAA. Employers acting as employers, life insurers, workers’ compensation carriers, fitness clubs, researchers using only de-identified data, and schools handling student records governed by FERPA are not covered entities. They may still be subject to other Health Information Privacy Laws, such as state consumer privacy statutes or the FTC’s health breach rules.
Consumer wellness apps and device makers are typically outside HIPAA when they collect data directly from individuals and not on behalf of a covered entity. However, if these companies integrate with a provider or health plan and handle PHI for that client, they become business associates and must follow HIPAA.
Compliance for Employer Health Plans
Employers are not covered entities simply because they employ people. But an employer-sponsored group health plan is a covered entity, and the plan must comply with HIPAA’s Privacy, Security, and Breach Notification Rules. If your plan is self‑funded, you (as plan sponsor) will perform many compliance tasks; if fully insured and you receive only enrollment data and summary health information, your obligations may be limited while the insurer handles most functions.
Keep Employer Health Records (e.g., FMLA, ADA, drug tests, pre‑employment physicals) separate from plan PHI. Those employment records are not PHI under HIPAA, though other laws still govern them. Never use plan PHI for employment decisions; build administrative “firewalls” between HR and plan administration.
Wellness programs, on‑site clinics, and Employee Assistance Programs that provide medical care often fall under the group health plan. Vendors supporting these programs—such as third‑party administrators, COBRA administrators, care management firms, and benefits platforms—are typically business associates and require Business Associate Agreements.
Practical steps for a group health plan include the following:
- Amend plan documents and certify permitted uses/disclosures of PHI for plan administration.
- Designate privacy and security officials; conduct a risk analysis; implement safeguards for ePHI.
- Provide a Notice of Privacy Practices when required and train staff with access to PHI.
- Execute and manage Business Associate Agreements with all relevant vendors and subcontractors.
Role of Consumer Technology Companies
Consumer technology companies—app developers, wearables makers, cloud providers, and digital health platforms—are subject to HIPAA only when they act on behalf of covered entities or business associates. If you host, process, or transmit PHI for a provider or health plan, you are a business associate and must implement HIPAA safeguards.
When you offer a direct‑to‑consumer app and do not provide services to a covered entity, HIPAA generally does not apply—even if the data concerns health. In that case, other Health Information Privacy Laws may govern, including state privacy statutes and FTC rules. If you later sign a provider to use your platform for remote patient monitoring or patient messaging, your status changes and a Business Associate Agreement becomes necessary.
Key readiness actions for tech firms include mapping data flows, segregating consumer data from PHI, enabling strong access controls and audit logs, encrypting data at rest and in transit, and ensuring tracking or analytics tools do not impermissibly disclose PHI when working with covered entities.
Understanding Personal Health Information
HIPAA protects “PHI,” which is individually identifiable health information created or received by a covered entity or business associate that relates to health, care, or payment. Electronic PHI (ePHI) is the digital form of this data. The same blood pressure reading can be PHI in a clinic’s EHR but not PHI in a standalone consumer app that is not acting for a covered entity.
Data is identifiable if it includes any of the following direct identifiers. Removing them under the Safe Harbor method yields de‑identified data that is not PHI:
- Names; postal addresses smaller than a state; elements of dates (except year) related to an individual.
- Telephone numbers; email addresses; Social Security numbers; medical record and account numbers.
- Health plan beneficiary numbers; certificate/license numbers; vehicle and device identifiers; URLs and IP addresses.
- Biometric identifiers (finger/voice prints); full‑face photos; any other unique identifying number or code.
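As an added illustration, not code from the original article, the following Python script applies the Safe Harbor identifier categories listed above to a constructed patient record: it drops the direct-identifier fields, keeps only the year of any date field, scrubs identifier patterns that leak into free-text notes, and then re-checks the result for residual identifiers. The field names, the sample record and the regular expressions are assumptions of the example, and the full Safe Harbor standard has further conditions (for example around ages over 89) that this example does not implement.

```python
"""Safe Harbor-style de-identification of a constructed patient record.

Added example (not from the original article). Field names, sample data and
regex patterns are assumptions; the real Safe Harbor standard has extra
conditions not implemented here.
"""
import re
from datetime import date

# Keys holding direct identifiers; removed outright (assumed record schema).
DROP_FIELDS = {
    "name", "street", "city", "zip", "phone", "email", "ssn", "mrn",
    "account_no", "beneficiary_id", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "fingerprint_hash", "photo_ref",
}
# Date fields are reduced to the year; every other date element is removed.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Free-text fields are scanned for identifiers that leak into notes.
TEXT_FIELDS = {"notes"}

# Constructed patterns for identifiers commonly found inside free text.
# Order matters: a URL is replaced before the IP it might contain, and the
# replacement tokens contain letters so later patterns cannot re-match them.
_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier patterns in free text with placeholder tokens."""
    for pattern, token in _PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor-style de-identified copy of `record`.

    Direct-identifier fields are removed, date fields keep only the year,
    free-text fields are scrubbed, and clinical fields pass through.
    """
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # direct identifier: removed entirely
        if key in DATE_FIELDS and value is not None:
            parsed = value if isinstance(value, date) else date.fromisoformat(value)
            out[key] = str(parsed.year)  # year only; month and day removed
            continue
        if key in TEXT_FIELDS and isinstance(value, str):
            out[key] = scrub_text(value)
            continue
        out[key] = value  # clinical value (diagnosis, vitals, state): kept as-is
    return out


def residual_identifiers(record: dict) -> list[str]:
    """Post-check: keys whose string values still match an identifier pattern."""
    return [
        key for key, value in record.items()
        if isinstance(value, str) and any(p.search(value) for p, _ in _PATTERNS)
    ]


# Constructed sample record; every value is made up for the example.
SAMPLE = {
    "name": "Jane Q. Sample",
    "dob": "1974-06-15",
    "street": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",            # state-level geography may remain
    "zip": "62704",
    "phone": "217-555-0142",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099123",
    "ip": "203.0.113.7",
    "admit_date": date(2023, 11, 2),
    "diagnosis": "I10",
    "bp_systolic": 138,
    "notes": "Pt reports symptoms; call back at 217-555-0142 or "
             "jane@example.com. Follow-up 2023-11-20.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

The post-check matters more than the scrub itself: free-text fields are where identifiers most often survive a field-based de-identification, so run the same patterns over the output before treating it as "not PHI", and remember that the "minimum necessary" principle still applies to whoever receives the result.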
A “limited data set” excludes direct identifiers but may retain dates and some locations; its use requires a data use agreement. Regardless of your role, adopt the minimum necessary principle: access, use, and disclose only the PHI needed for the task.
Importance of Business Associate Agreements
Business Associate Agreements (BAAs) are mandatory before sharing PHI with a vendor or subcontractor. A BAA defines permitted uses and disclosures, requires safeguards for ePHI, mandates breach reporting, and flows HIPAA duties down the chain to subcontractors. Without a BAA, even an otherwise appropriate disclosure can violate HIPAA.
Effective BAAs do more than check a box. They align security controls with your risk analysis, set timelines for incident response, require documentation and audit cooperation, and address data return or destruction at termination. They also clarify whether de‑identified data can be used and how.
When choosing vendors, perform due diligence, verify their HIPAA readiness, and inventory all data exchanges. Keep BAAs current as services change. By correctly identifying whether you are a covered entity or a business associate, understanding what counts as PHI, and using strong BAAs, you can meet HIPAA obligations while supporting care, operations, and innovation.
FAQs
What types of businesses are considered covered entities under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that transmit standard electronic transactions (for example, claims, eligibility checks, or remittance advice). Hospitals, clinics, pharmacies, dentists, and telehealth practices typically qualify when they send these electronic transactions. Employer-sponsored group health plans are also covered entities.
When is a business considered a business associate?
You are a business associate when you create, receive, maintain, or transmit Protected Health Information for a covered entity—or for another business associate—to perform regulated functions or provide services. Examples include billing companies, EHR vendors, cloud hosts, TPAs, analytics firms, attorneys, and shredding providers that handle PHI. A Business Associate Agreement must be in place before PHI flows.
Are employers required to comply with HIPAA for employee records?
Ordinary employment records—like ADA accommodations, FMLA documentation, or drug testing results kept in HR files—are not PHI and are not subject to HIPAA. However, an employer’s group health plan is a covered entity and must comply. Keep plan PHI separate from Employer Health Records and use it only for plan administration, not employment decisions.
Do consumer health apps need to follow HIPAA regulations?
Consumer health apps that collect data directly from users typically are not subject to HIPAA unless they provide services to a covered entity and handle PHI on that client’s behalf. If an app contracts with a provider or health plan for functions like remote monitoring or patient messaging, it becomes a business associate and must follow HIPAA, including signing a Business Associate Agreement.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.