Does the HIPAA Privacy Rule Apply to Your Organization?


Kevin Henry

HIPAA

February 21, 2025


The HIPAA Privacy Rule governs how certain organizations use and disclose protected health information (PHI). Determining whether it applies to you depends on your role in the health care ecosystem and the functions you perform.

This guide explains who qualifies as a covered entity or business associate, which health plans are included, common exclusions, and the core compliance steps you must take to meet HIPAA’s administrative simplification requirements.

Covered Entities Under HIPAA

Under the HIPAA Privacy Rule, covered entities fall into three categories. If you operate in any of these roles and handle PHI, the Rule most likely applies to you.

Health plans

Health plans are individual or group plans that provide, or pay the cost of, medical care; the category includes group health plans, health insurance issuers, and HMOs. The plan itself is the covered entity, not the employer that sponsors it. One narrow exception: a group health plan with fewer than 50 participants that is administered solely by the sponsoring employer is excluded from the definition.

Health care clearinghouses

Health care clearinghouses transform nonstandard health information into standard formats (and vice versa) for claims, eligibility, or other administrative transactions. If you reformat data between providers and plans, you are likely a clearinghouse subject to the Rule.

Health care providers who conduct standard transactions

Any provider—facility or professional—becomes a covered entity if it transmits health information in standard electronic transactions (for example, claims or eligibility checks). The trigger is the use of electronic transactions adopted under HIPAA’s administrative simplification, not the size of your practice.

Business Associates and Their Responsibilities

A business associate (BA) is any organization or person that performs services for or on behalf of a covered entity involving PHI. Common BAs include billing companies, cloud storage providers, EHR vendors, e-prescribing gateways, claims processors, consultants, attorneys, actuaries, and accreditation bodies.

A BA relationship arises from the function performed, not from the paperwork, but a covered entity may not disclose PHI to a BA until a business associate agreement is in place. The agreement must define permitted uses and disclosures, require appropriate safeguards, require reporting of breaches and other non-permitted uses or disclosures to the covered entity, flow the same obligations down to subcontractors that handle PHI, and address return or destruction of PHI when the engagement ends. The minimum necessary standard applies to the BA's own uses, disclosures, and requests as well.

Key BA obligations

  • Use and disclose PHI only as permitted by the agreement and the HIPAA Privacy Rule.
  • Implement appropriate safeguards and support standard electronic transactions where applicable.
  • Report breaches and non-permitted uses or disclosures to the covered entity.
  • Flow down BA terms to subcontractors that access PHI.
  • Maintain documentation to prepare for HIPAA compliance audits by regulators.

Types of Health Plans Covered

HIPAA broadly defines “health plan.” If you operate or sponsor any of the following, the Privacy Rule likely applies to that plan component.

Private and employer-sponsored plans

  • Group health plans, including self-funded plans and multiemployer arrangements.
  • Health insurance issuers and HMOs that underwrite or administer coverage.
  • Health FSAs and most HRAs sponsored by employers (the plan is covered, not the employer as an employer).

Government programs

  • Medicare, Medicaid, Medicare Advantage, and Medicare supplement policies.
  • TRICARE and certain veterans’ health programs.

Other considerations

  • Long-term care policies, excluding nursing home fixed-indemnity policies.
  • Excepted benefits generally fall outside the definition; evaluate each benefit carefully.
  • HSAs are typically not health plans; however, an HSA administrator can be a BA if it handles PHI for a covered entity.

Health Care Providers Subject to the Rule

You are a covered provider if you transmit PHI in any of HIPAA’s standard electronic transactions. This includes submitting claims, checking eligibility or claim status, obtaining prior authorizations, or receiving electronic remittance advice.

Examples of covered providers

  • Hospitals, physicians, dentists, chiropractors, physical therapists, and behavioral health professionals.
  • Pharmacies using e-prescribing and electronic claims.
  • Clinical laboratories and imaging centers exchanging standard electronic transactions.

Providers operating strictly on a cash basis who never conduct standard electronic transactions are not covered entities. The threshold is the use of those transactions, not whether you use email, a portal, or other technology for nonstandard communications. The transactions count whether you send them yourself or a billing service or clearinghouse sends them on your behalf; outsourcing claim submission does not take a provider outside the Rule.

Standardized code sets, identifiers, and electronic transactions sit at the core of HIPAA’s administrative simplification. If you participate in these electronic exchanges, the HIPAA Privacy Rule and related obligations apply to your handling of protected health information.


Exclusions from the HIPAA Privacy Rule

Many organizations handle health-related information but are not covered entities and are not BAs unless they provide services for a covered entity involving PHI.

  • Employers in their role as employers (HR files are employment records, not PHI).
  • Life insurers and most workers’ compensation carriers.
  • Schools and school districts when records are subject to FERPA, not HIPAA.
  • Law enforcement agencies, fitness centers, and consumer-facing wellness apps that act independently of covered entities.
  • Research organizations that receive only de-identified data or a limited data set under a data use agreement (no direct identifiers).
  • General websites, personal health record tools, or wearables that do not perform services for a covered entity are typically outside HIPAA.

Be aware that “hybrid entities” (such as universities or municipal health systems) may designate health care components that are covered while other components are not.

Compliance Requirements for Covered Entities

If the HIPAA Privacy Rule applies, you must implement a comprehensive privacy program aligned with the minimum necessary standard and supported by policies, training, and documentation.

Core privacy program elements

  • Designate a privacy official and a contact person for complaints, and document both (45 CFR 164.530).
  • Adopt written policies that limit uses and disclosures to what the Rule permits and apply the minimum necessary standard to routine requests and disclosures.
  • Publish a notice of privacy practices and honor individual rights to access, amend, and receive an accounting of disclosures of their PHI.
  • Train the workforce on those policies, apply sanctions for violations, and mitigate the harm of any known improper use or disclosure.
  • Retain policies, notices, complaints, and other required documentation for six years from creation or last effective date, whichever is later.

Security and breach readiness

  • Implement administrative, physical, and technical safeguards for ePHI under the Security Rule.
  • Establish incident response and breach notification procedures consistent with HIPAA requirements.
  • Conduct periodic internal reviews and prepare for HIPAA compliance audits.

Assessing Organizational Status

Use this quick self-check to determine your HIPAA status and next steps.

Step-by-step self-check

  1. Do you operate a health plan that provides or pays for medical care? If yes, that plan is a covered entity (unless it is a group health plan with fewer than 50 participants that the employer administers itself).
  2. Do you convert health data between standard and nonstandard formats for others? You may be a health care clearinghouse.
  3. Are you a provider who sends claims, eligibility checks, or other standard electronic transactions? You are a covered entity.
  4. Do you perform services for a covered entity that involve PHI (billing, IT hosting, analytics, consulting)? You are a business associate and need a BAA.
  5. Are you an employer handling only employment records, or a consumer app acting independently? You are likely outside HIPAA, unless you also act for a covered entity.

Documentation to gather

  • Descriptions of services, data flows, and electronic transactions you use.
  • Inventories of PHI you create, receive, maintain, or transmit.
  • Existing contracts, especially business associate agreements and data use agreements.
  • Privacy and security policies, training materials, and audit logs.

Conclusion

If you are a health plan, health care clearinghouse, or a provider using standard electronic transactions, the HIPAA Privacy Rule applies. Vendors handling PHI for these entities are business associates bound by contract and regulation. Clarify your role, map PHI flows, execute the right agreements, and operationalize the minimum necessary standard to stay compliant.

FAQs

Which organizations are considered covered entities under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit PHI in standard electronic transactions (such as claims, eligibility, or remittance). If you operate in any of these roles, the HIPAA Privacy Rule governs your use and disclosure of protected health information.

What functions classify a business associate under HIPAA?

You are a business associate if you perform services for or on behalf of a covered entity that involve PHI—examples include billing, IT hosting, data analytics, e-prescribing support, legal or actuarial services, and accreditation. You must sign business associate agreements, apply the minimum necessary standard, secure PHI, and report breaches.

Are employers subject to the HIPAA Privacy Rule?

Employers in their role as employers are generally not covered entities, and their HR files are not PHI. However, an employer-sponsored group health plan is a covered entity, and the plan must comply with the Privacy Rule, including using business associate agreements with vendors that access plan PHI.

How can an organization determine if it must comply with HIPAA?

Start by identifying your role: Do you operate a health plan, function as a health care clearinghouse, or provide care while conducting standard electronic transactions? If so, you are a covered entity. If you handle PHI for a covered entity, you are a business associate. If neither applies and you act independently of covered entities, HIPAA may not apply. Map your data flows and contracts to confirm your status and obligations.
