Does the HIPAA Privacy Rule Apply to Your Organization? A Practical Guide
Identify Covered Entities
Covered entity definition
The HIPAA Privacy Rule applies to three types of organizations: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions (such as claims, eligibility checks, and prior authorizations). If you fall into one of these categories, you are a covered entity.
Common examples
- Health plans: employer-sponsored group health plans, individual and government health plans, HMOs.
- Clearinghouses: organizations that translate nonstandard health data into standard formats and vice versa.
- Providers: hospitals, clinics, physicians, dentists, pharmacies, labs, and telehealth providers that conduct standard electronic transactions.
Quick self-check
If you never conduct HIPAA standard transactions electronically (for example, you only accept cash and never bill insurers or check eligibility online), you may not be a covered entity. Most modern providers, however, do perform such transactions and therefore must comply.
Understand Business Associates
Who is a business associate
A business associate is any person or organization that performs functions or services for a covered entity involving the use or disclosure of protected health information (PHI). Subcontractors that handle PHI on behalf of a business associate are also business associates.
Examples you might use
- Billing and revenue cycle vendors, collection agencies, and clearinghouse services.
- EHR and practice management vendors, cloud hosting, data backup, and email providers handling PHI.
- Telehealth platforms, patient engagement tools, e-prescribing networks, and health information exchanges.
- Consultants, attorneys, and accountants who access PHI to provide services.
Business associate agreements
Before sharing PHI, you must execute business associate agreements (BAAs) that restrict permissible uses and disclosures, require safeguards, flow obligations to subcontractors, and address breach reporting. Without a signed BAA, disclosure of PHI to a vendor is generally not permitted.
Define Protected Health Information
What counts as PHI
Protected health information is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate in any form (paper, verbal, or electronic). It relates to an individual’s past, present, or future physical or mental health, health care, or payment for care.
Identifiers and context
Information becomes PHI when it can identify a person (for example, name, address, contact details, device identifiers, full-face photos, or medical record numbers) and is linked to health status, care, or payment. De-identified data, whether by expert determination or by removal of the specified identifiers, is not PHI.
Protected health information requirements
- Use and disclose PHI only for permitted purposes or with a valid authorization.
- Apply safeguards appropriate to risk and limit workforce access to job-based needs.
- Maintain required documentation, notices, and processes supporting individual rights.
Recognize Exemptions from HIPAA
Entities and records outside scope
- Organizations that are not covered entities and not business associates (for example, many life insurers, employers in their employer role, schools, and consumer apps operating on behalf of the individual rather than a provider).
- Education records protected by FERPA and certain student treatment records.
- Employment records held by a covered entity in its employer capacity.
- De-identified data and limited data sets used under a data use agreement.
- Health information of individuals deceased for more than 50 years.
Separate laws may impose additional or different rules (for example, 42 CFR Part 2 for certain substance use disorder records). HIPAA exemptions do not prevent other laws or contracts from restricting data use.
Comply with Administrative Requirements
Core Privacy Rule tasks
- Designate a privacy official and establish written policies and procedures.
- Train your workforce, apply sanctions for violations, and mitigate harmful effects of improper uses or disclosures.
- Implement appropriate administrative, technical, and physical safeguards to protect PHI from impermissible use or disclosure.
- Provide and post a clear Notice of Privacy Practices (NPP) describing uses, disclosures, and individual rights.
- Execute and manage business associate agreements for all vendors that handle PHI.
- Maintain documentation supporting compliance for the required retention period.
Coordinate Privacy Rule activities with Security Rule controls for ePHI and with Breach Notification obligations. Doing so strengthens Privacy Rule enforcement readiness and reduces risk.
Enforce Minimum Necessary Standard
Principle in practice
The minimum necessary disclosure standard requires you to limit PHI uses, disclosures, and requests to the least amount reasonably necessary to accomplish the purpose. Apply role-based access, data segmentation, and targeted queries instead of full-record shares.
Key exceptions
- Disclosures to or requests by a health care provider for treatment.
- Disclosures to the individual or pursuant to a valid authorization.
- Uses or disclosures required by law, or for compliance investigations by HHS.
Document your criteria for common scenarios (claims, quality improvement, audits) so staff consistently meet the minimum necessary requirement.
Exercise Individual Rights
Individual PHI access rights
Individuals have the right to access, inspect, and obtain copies of their PHI in designated record sets, including in the electronic format they request when it is readily producible. Provide timely access, reasonable cost-based fees, and clear processes for requests.
Additional rights
- Request amendments to PHI and include statements of disagreement when requests are denied.
- Request restrictions on disclosures; providers must honor a restriction to a health plan for payment or operations when the individual pays in full out-of-pocket for the item or service.
- Request confidential communications (for example, alternative addresses or contact methods).
- Receive an accounting of certain disclosures.
- Receive and review your Notice of Privacy Practices.
Conclusion
If you are a covered entity—or share PHI as a business associate—you must determine what information is PHI, apply HIPAA exemptions correctly, implement required policies and safeguards, limit uses and disclosures to the minimum necessary, and honor individual rights. Following these steps builds trust and reduces compliance risk.
FAQs
Which organizations qualify as covered entities under HIPAA?
Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims or eligibility inquiries. If you fit one of these categories, the Privacy Rule likely applies.
What types of business associates are subject to the Privacy Rule?
Any vendor or subcontractor that creates, receives, maintains, or transmits PHI for a covered entity is a business associate. Examples include billing services, EHR and cloud providers, telehealth platforms, analytics and quality consultants, and attorneys or accountants who need PHI to perform their services. They must sign business associate agreements and meet applicable safeguard and reporting duties.
How does HIPAA define protected health information?
PHI is individually identifiable health information held or transmitted by a covered entity or business associate in any form that relates to health status, health care, or payment for care. It excludes de-identified information, FERPA-protected education records, employment records held in the employer role, and health information of individuals deceased for more than 50 years.
Are there any exemptions from the HIPAA Privacy Rule?
Yes. Organizations that are not covered entities or business associates are outside HIPAA’s scope, and certain information types are excluded, including FERPA education records, employment records kept by an employer, de-identified data, limited data sets under a data use agreement, and decedent information older than 50 years. Other laws may still apply.
What are the penalties for HIPAA Privacy Rule violations?
HHS’s Office for Civil Rights enforces the Privacy Rule through investigations, corrective action plans, and civil monetary penalties that scale by culpability and can reach substantial amounts per year. Serious or intentional violations may also trigger criminal liability. Strong policies, BAAs, training, and timely mitigation reduce enforcement risk.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.