HIPAA Privacy Rule Requirements: Who Must Comply and Real-World Examples
Covered Entities Defined
Under HIPAA Privacy Rule Requirements, a “covered entity” is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard Electronic Transactions. Health plans and clearinghouses are covered by definition; for providers the test is electronic transmission. If you (or a billing service acting for you) send claims, eligibility checks, referrals, or remittance advice electronically, you are a covered entity.
Covered entities must protect Protected Health Information (PHI), limit uses and disclosures, and honor individual rights. Many organizations are “hybrid entities” that designate their health care component (for example, the clinic run by a university) so that only that component is subject to HIPAA; the organization as a whole remains responsible for keeping the component’s PHI walled off from the rest of its operations.
Categories of covered entities
- Health plans: HMOs, health insurers, Medicare, Medicaid, and employer-sponsored group health plans.
- Health care providers: hospitals, clinics, physicians, dentists, labs, pharmacies—if they conduct standard Electronic Transactions.
- Health care clearinghouses: entities that translate or reformat nonstandard data into standard transactions (billing service “switches,” repricers).
Real-world examples
- A small physical therapy practice e-files claims; it must train staff, issue a Notice of Privacy Practices, and apply “minimum necessary” rules.
- A pharmacy e-prescribes and checks eligibility; it secures PHI at the counter and in dispensing systems.
- A clearinghouse that scrubs claims for providers must safeguard PHI it processes and limit redisclosures.
Business Associates Compliance
Business associates are vendors or contractors that create, receive, maintain, or transmit PHI for a covered entity (or for another business associate). Your cloud EHR host, billing vendor, or transcription service is a business associate if their work involves PHI.
Before you share PHI, you must execute a HIPAA Business Associate Agreement (BAA) that sets permissible uses and disclosures, requires safeguards, and mandates breach reporting. Subcontractors that handle PHI for a business associate are business associates themselves and need downstream BAAs.
Core obligations for business associates
- Sign and follow a HIPAA Business Associate Agreement.
- Implement administrative, physical, and technical safeguards; conduct risk analyses and apply encryption where reasonable.
- Use/disclose PHI only as allowed by the BAA or as required by law; apply “minimum necessary.”
- Flow down HIPAA duties to subcontractors; monitor and address noncompliance.
- Notify the covered entity of breaches and assist with investigations and mitigation.
Real-world examples
- A cloud hosting provider stores an EHR database; a BAA governs access controls, logging, and breach notification.
- A revenue cycle firm manages claims and remittances; it limits staff access to just what’s needed for Electronic Transactions.
- A secure e-signature service handles HIPAA-Compliant Authorizations; it must protect signed forms and audit access.
Exempt Entities Overview
Not every organization that handles health-related data is subject to the HIPAA Privacy Rule. HIPAA applies to covered entities and their business associates—not to the entire health ecosystem.
Some entities are outside HIPAA, though other laws may still apply. When you decide whether HIPAA covers you, focus on your role and whether you perform covered functions or handle PHI on behalf of a covered entity.
Commonly outside HIPAA’s scope
- Life insurers, employers, schools subject to FERPA, law enforcement, and many consumer health apps used directly by individuals.
- Banks and payment processors handling card transactions (they process payments, not PHI, in their ordinary role).
- Workers’ compensation insurers and state programs (generally recipients under special disclosure rules, not covered entities).
Borderline situations to watch
- Employer vs. group health plan: the plan is a covered entity; the employer is not, but must keep plan PHI separate from HR files.
- A provider that never conducts standard Electronic Transactions (for example, a cash-only practice that files no electronic claims) is not a covered entity; once it, or a billing service on its behalf, transmits one, HIPAA applies.
- Researchers receiving only de-identified data meeting De-identification Standards are not handling PHI.
Permissible Disclosures Under HIPAA
HIPAA permits uses and disclosures of PHI without authorization for treatment, payment, and health care operations (TPO). Outside TPO and the specific permissions listed below, a disclosure requires a HIPAA-Compliant Authorization that clearly states the purpose and scope; psychotherapy notes, marketing, and sale of PHI require authorization even when the recipient is otherwise involved in care.
Even when a disclosure is permitted, you must apply the “minimum necessary” standard (it does not apply to disclosures for treatment, to the individual, under a valid authorization, or as required by law) and verify the recipient’s identity and authority before releasing anything.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Permitted or required without authorization
- To the individual (access and copies) and for facility directory listings, where the individual has been given the chance to object.
- Public health activities (for example, immunization registries, reportable conditions), and to avert a serious and imminent threat.
- Health oversight activities to a Health Oversight Agency (audits, inspections, licensure actions).
- Judicial and administrative proceedings: responding to a court order, or to a subpoena when you have satisfactory assurances that the individual was notified or that a Judicial Protective Order was sought.
- Law enforcement purposes, organ and tissue donation, coroners and funeral directors, and specialized government functions.
- Workers’ compensation and similar programs as allowed by state law.
Real-world scenarios
- A hospital provides records to a state regulator (a Health Oversight Agency) during a licensure audit.
- A clinic discloses limited PHI under a court order; counsel ensures a Judicial Protective Order restricts further sharing.
- A pharmacy discloses vaccination data to a public health registry; no patient authorization is required.
Examples of Protected Health Information
PHI is individually identifiable health information that relates to a person’s health, care, or payment and is created or received by a covered entity or business associate. It can be oral, paper, or electronic.
If data meet De-identification Standards, either by expert determination (a qualified expert documents that re-identification risk is very small) or by the Safe Harbor method (removal of the 18 specified identifiers, with no actual knowledge that the remaining data could identify the individual), then the result is not PHI and may be used or disclosed outside HIPAA’s Privacy Rule.
Common PHI examples
- Names, addresses, phone numbers, email addresses when linked to health details.
- Medical record numbers, account numbers, claim numbers, and device serial numbers.
- Diagnosis codes, lab results, prescriptions, visit notes, images, and billing details.
- Biometric identifiers (fingerprints, voiceprints), full-face photos, IP addresses tied to patient records.
What is not PHI
- Properly de-identified datasets that meet De-identification Standards.
- Education records covered by FERPA and employment records held by an employer in its role as employer.
- Personal health data held by a consumer app not acting for a covered entity or business associate.
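The Safe Harbor method described above is mechanical enough to script, and the edge cases are where real datasets leak: ZIP codes in low-population areas, ages over 89 (where even a birth year reveals the age), and identifiers buried in free text. The following is an added example, not code from the original article. The field names, the sample record, and the LOW_POPULATION_ZIP3 set are constructed for illustration; the real low-population prefix set is derived from Census data, and the “no actual knowledge” condition is a human judgment that no script can make for you.

```python
"""Safe Harbor de-identification of one patient record (45 CFR 164.514(b)(2)).

Added example, not code from the original article. Removes the listed
identifiers, keeps only the year of dates, collapses ages over 89 (and the
birth year that would reveal them) into "90+", truncates ZIP codes to three
digits, and scrubs obvious identifiers from free text. Field names, the sample
record and LOW_POPULATION_ZIP3 are constructed for the example.
"""
import re
from datetime import date

# Fields removed outright: names, geography below state level, contact details,
# SSN, MRN, account/device/URL/IP identifiers, biometrics, full-face photos.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "full_face_photo", "other_unique_id",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}
FREE_TEXT_FIELDS = {"visit_notes"}

# 3-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# Constructed placeholder; derive the real set from Census population data.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203"}

# Identifiers that commonly leak through free text (SSN, US phone, email, IPv4).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}\b"),
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
]

AS_OF = date(2024, 6, 30)  # reference date for computing ages (constructed)


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for a low-population prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_free_text(text):
    """Replace SSN/phone/email/IP strings; names still need human review."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def safe_harbor_deidentify(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # "date_of_birth" -> "year_of_birth", "admission_date" -> "admission_year"
            out[key.replace("date", "year")] = date.fromisoformat(value).year
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_free_text(value)
        elif key != "age":  # age is recomputed below
            out[key] = value

    # Ages over 89 collapse to "90+"; the birth year must go too, because a
    # birth year alone would reveal the age. A date of birth overrides a
    # supplied age field.
    age = record.get("age")
    if "date_of_birth" in record:
        age = age_on(date.fromisoformat(record["date_of_birth"]), as_of)
    if age is not None:
        if age > 89:
            out["age"] = "90+"
            out.pop("year_of_birth", None)
        else:
            out["age"] = age
    return out


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Example",
    "mrn": "MRN-0099123",
    "date_of_birth": "1931-02-14",
    "admission_date": "2024-03-05",
    "zip": "03601-1234",
    "ip_address": "203.0.113.7",
    "diagnosis_code": "E11.9",
    "lab_result": "HbA1c 7.2%",
    "visit_notes": "Patient reachable at 555-123-4567; daughter jane@example.org.",
}


def deidentify_sample():
    """De-identify the constructed sample as of AS_OF."""
    return safe_harbor_deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(deidentify_sample())
```

Running it on the sample drops the name, MRN, and IP address, turns the ZIP into `000` because `036` is in the low-population set, keeps only `2024` from the admission date, and, because the patient is 93, reports `age: "90+"` with no birth year at all. The free-text scrubber catches the phone number and email but would not catch a relative’s name; the Safe Harbor rule still requires that you review the remaining data, and any residual risk is a reason to use expert determination instead.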
Compliance Responsibilities
To meet HIPAA Privacy Rule Requirements, you need a governance framework: designate privacy and security officials, adopt policies, train your workforce, and document decisions. Align with the “minimum necessary” principle and maintain a current risk analysis.
Operationally, you must honor individual rights, secure PHI, and ensure vendors are bound by BAAs. If you conduct Electronic Transactions, you must also follow transaction and code set standards and use the National Provider Identifier where applicable.
Operational requirements
- Notice of Privacy Practices; processes for access, amendments, restrictions, confidential communications, and accounting of disclosures.
- Administrative, physical, and technical safeguards; device and media controls; secure disposal.
- Workforce training, sanctions, and role-based access with auditing and logging.
- Business associate management: inventory vendors, execute and maintain BAAs, and monitor compliance.
Program practices that reduce risk
- Perform periodic risk analyses and penetration tests; encrypt ePHI at rest and in transit where reasonable.
- Use standard Electronic Transactions; monitor clearinghouse edits and reject reports for PHI leakage.
- Test your incident response and breach notification plan; retain required documentation.
Enforcement and Penalties
HIPAA is enforced primarily by the HHS Office for Civil Rights (OCR), which investigates complaints, breach reports, and audit findings. State attorneys general may also bring civil actions, and OCR refers egregious misuse of PHI to the Department of Justice for criminal prosecution.
Outcomes range from technical assistance to resolution agreements with corrective action plans, civil monetary penalties based on culpability tiers, and, for criminal violations (such as selling PHI), fines and potential imprisonment.
How enforcement works
- Complaints and breach reports trigger investigations; documentation and cooperation matter.
- Frequent issues: no BAA with a vendor, inadequate risk analysis, improper disposal, and delays in patient access.
- Corrective actions commonly require policy updates, training, technology controls, and monitoring.
Penalty landscape
- Civil penalties scale by level of intent, with per-violation amounts and annual caps adjusted periodically.
- Criminal cases target knowing misuse or sale of PHI and can carry significant fines and jail time.
Conclusion
Understanding who is covered, what counts as PHI, when you may disclose it, and how to manage vendors forms the core of HIPAA Privacy Rule Requirements. Build a practical program around risk analysis, BAAs, workforce training, and patient rights, and you’ll reduce breaches, avoid penalties, and earn patient trust.
FAQs
Who qualifies as a covered entity under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard Electronic Transactions (such as claims or eligibility checks). Plans and clearinghouses are covered by definition; providers are covered once they transmit such a transaction electronically. Many organizations are hybrids and must designate their health care component.
What responsibilities do business associates have under the HIPAA Privacy Rule?
Business associates must sign and follow a HIPAA Business Associate Agreement, safeguard PHI, use and disclose it only as permitted, ensure subcontractors comply, and promptly notify the covered entity of any breaches. They are directly liable for many Privacy and Security Rule violations.
Which entities are exempt from HIPAA Privacy Rule requirements?
Entities that are not covered entities or business associates—such as life insurers, employers, consumer health apps used directly by individuals, banks, and schools subject to FERPA—are generally outside HIPAA. However, other federal or state laws may still apply.
What types of information are considered protected health information (PHI)?
PHI is individually identifiable health information about a person’s health, care, or payment created or received by a covered entity or business associate. Examples include names linked to diagnoses, medical record numbers, lab results, prescriptions, and billing details. Properly de-identified data is not PHI under HIPAA’s De-identification Standards.