HIPAA Privacy Rule: Who It Applies To, With Real-World Examples


Kevin Henry

HIPAA

May 08, 2024

7 minutes read

Covered Entities Overview

The HIPAA Privacy Rule applies to covered entities: health plans, health care clearinghouses, and health care providers who transmit health information in connection with Covered Transactions. If a provider never conducts standard electronic billing or eligibility checks, HIPAA may not apply, but most modern providers do.

What counts as Covered Transactions

Examples include electronic claims (837), eligibility and benefit inquiries (270/271), claim status (276/277), referral authorizations (278), and remittance advice (835). Conducting these transactions brings a provider within HIPAA’s scope.

Real-world examples

  • A hospital system billing Medicare electronically is a covered entity.
  • An independent physical therapist using an EHR to submit claims is covered.
  • Employer-sponsored group health plans (even small self-funded plans) are covered entities, though the employer itself is not covered in its employer role.
  • A health care clearinghouse converting nonstandard data from a clinic into standard EDI is covered.
  • HMOs, Medicaid agencies, and commercial insurers are covered health plans.

Business Associates Roles

Business associates are vendors or partners that create, receive, maintain, or transmit Protected Health Information for a covered entity’s functions. Subcontractors that handle PHI on behalf of a business associate are also business associates.

Business Associate Agreements

Covered entities must execute Business Associate Agreements with each applicable vendor. BAAs define permitted uses and disclosures, require safeguards for Electronic Protected Health Information, mandate breach reporting, flow down obligations to subcontractors, and require PHI return or destruction at contract end.

Real-world examples

  • A revenue cycle company managing claim edits and submissions for a clinic.
  • A cloud EHR vendor hosting ePHI and providing patient portals.
  • An IT MSP with remote admin access to servers storing PHI.
  • A transcription or medical scribe service handling encounter notes.
  • A data analytics firm producing quality dashboards using PHI.
  • A document shredding company destroying old patient records.

Non-Covered Entities Clarification

Not every organization handling health-related data is subject to HIPAA. Employers in their role as employers, life insurers, workers’ compensation carriers, schools (for education records covered by FERPA), and many consumer apps are generally not covered entities. HIPAA Compliance Requirements still apply if they act as a business associate.

Real-world examples

  • A fitness or diet app collecting data directly from consumers, not on behalf of a provider, is typically outside HIPAA.
  • An employer’s HR team managing sick notes is not a covered entity activity.
  • A direct-to-consumer genetic testing company is usually not covered unless it services a provider or plan under a BAA.
  • A payment processor handling card data for a clinic without accessing clinical details is not a covered entity but may become a business associate if it stores PHI.
  • A school nurse’s records that are part of student education records fall under FERPA, not HIPAA.

Protected Health Information Definitions

Protected Health Information is individually identifiable health information related to health status, care, or payment, created or received by a covered entity or business associate. It can be paper, verbal, or Electronic Protected Health Information.

Identifiers and de-identification

PHI includes data elements like names, addresses, phone numbers, email, dates (other than year), medical record and account numbers, full-face photos, biometric identifiers, device IDs, URLs, and IP addresses. Data is no longer PHI if de-identified via Safe Harbor (removal of specified identifiers) or Expert Determination.

Practical examples

  • PHI: a lab result with a patient’s name; an insurance claim with diagnosis codes tied to a member ID.
  • Not PHI: aggregated, de-identified quality metrics; employment records held by a hospital about its staff; education records under FERPA.
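The Safe Harbor method described above is mechanical enough to show in code. The following is an added example, not code from the original article or from Accountable: it scrubs a constructed patient record by dropping the direct-identifier fields, reducing dates to the year, aggregating ages over 89 into a single "90+" category, and redacting phone numbers, e-mail addresses and IP addresses that appear inside free text. The field names, the sample record and the regular expressions are this example's own assumptions; a real record layout would need its own mapping, and Safe Harbor still requires that the entity has no actual knowledge the remaining data could identify the individual.

```python
"""Safe Harbor-style de-identification of a constructed patient record (added example)."""
import re
from datetime import date

# Fields holding Safe Harbor identifiers. The names are this example's own
# assumption about a record layout, not a HIPAA-defined schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "email", "mrn", "account_number",
    "device_id", "url", "ip_address", "photo",
}
# Date fields are reduced to the year, which Safe Harbor permits.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

# Conservative patterns for identifiers embedded in free-text notes (constructed).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FULL_DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")


def _year_only(value):
    """Keep only the year of an ISO date string or date object."""
    if isinstance(value, date):
        return str(value.year)
    m = FULL_DATE_RE.fullmatch(value)
    return m.group(1) if m else "[DATE]"


def _age(dob, as_of):
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_free_text(text):
    """Redact e-mails, phone numbers and IPs; collapse full dates to the year."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = IPV4_RE.sub("[IP]", text)
    return FULL_DATE_RE.sub(lambda m: m.group(1), text)


def safe_harbor_deidentify(record, as_of=date(2024, 5, 8)):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop direct identifiers entirely
        if key in DATE_FIELDS:
            out[key] = _year_only(value)  # year only
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    dob = record.get("date_of_birth")
    if dob is not None:
        dob = date.fromisoformat(dob) if isinstance(dob, str) else dob
        age = _age(dob, as_of)
        if age > 89:
            # Ages over 89, and dates revealing them, collapse to one category.
            out["age"] = "90+"
            out["date_of_birth"] = "[AGE 90+]"
        else:
            out["age"] = str(age)
    return out


# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "date_of_birth": "1950-03-15",
    "admission_date": "2024-02-01",
    "email": "jane@example.com",
    "ip_address": "203.0.113.7",
    "diagnosis_code": "E11.9",
    "note": "Pt called from 555-123-4567 on 2024-02-03; f/u jane@example.com",
}

if __name__ == "__main__":
    for k, v in safe_harbor_deidentify(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

Note that the free-text pass is the weak point of any Safe Harbor scrub: names, street addresses and record numbers inside narrative notes are not matched by these patterns, which is why a production pipeline pairs field-level removal with a reviewed named-entity redaction step or falls back to Expert Determination.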

Permissible Disclosures Explained

Covered entities may use or disclose PHI without an authorization for treatment, payment, and health care operations. For example, sharing records with a specialist (treatment), submitting claims and obtaining prior authorizations (payment), or internal quality improvement (operations).

Public interest and other permitted disclosures

Without patient authorization, disclosures may also occur when required by law; for public health reporting; for abuse, neglect, or domestic violence; to health oversight agencies; for judicial or administrative proceedings; for law enforcement purposes; to coroners, medical examiners, and funeral directors; for organ and tissue donation; for research with a waiver or a limited data set under a data use agreement; to avert a serious threat; for specialized government functions; and for workers’ compensation.

When an Authorized Disclosure is needed

Uses outside these categories—such as marketing, sale of PHI, and most psychotherapy notes—generally require a valid written authorization before disclosure. Minimum necessary applies to many disclosures, but not to treatment.

Common Impermissible Disclosure Scenarios

  • Posting patient stories or photos on social media without authorization.
  • Emailing or faxing records to the wrong recipient due to lack of verification.
  • Discussing a patient in public areas (elevators, hallways) where others can overhear.
  • Storing PHI on personal devices or consumer cloud accounts without safeguards.
  • Using unencrypted laptops or USB drives that are lost or stolen.
  • Accessing records out of curiosity (“snooping”) without a job-related need.
  • Texting PHI through unsecured messaging rather than a secure platform.

How to prevent these issues

  • Verify recipient identity and contact details before sending PHI.
  • Use secure portals, encryption, and role-based access controls.
  • Adopt clear social media and photography policies with training and enforcement.
  • Apply the minimum necessary standard and audit access regularly.
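Auditing access regularly is what turns the "snooping" scenario above into something detectable. The following is an added example, not code from the original article or from Accountable: it parses a constructed access log, compares each chart access against a constructed care-team roster (the treatment, payment or operations relationship the minimum necessary standard relies on), flags accesses with no relationship and no documented reason, queues break-glass accesses for human review, and flags a user who opens an unusually high number of distinct charts in a short window. The log format, the roster and the thresholds are this example's own assumptions; a real review would source the roster from the EHR and tune the thresholds per role.

```python
"""Access-log review for chart snooping (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format; real EHR audit logs differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) patient=(?P<patient>\S+)"
    r" action=(?P<action>\S+) reason=(?P<reason>\S+)$"
)

# Constructed roster: patient -> workforce members with a legitimate relationship.
CARE_TEAM = {
    "P001": {"drlee", "rn_ortiz", "billing_ng"},
    "P002": {"drlee", "rn_ortiz"},
    "P003": {"dr_khan", "billing_ng"},
}

# Constructed sample log; no real users or patients.
SAMPLE_LOG = """\
2024-05-08T09:12:00 user=drlee role=physician patient=P001 action=view reason=-
2024-05-08T09:15:00 user=rn_ortiz role=nurse patient=P002 action=view reason=-
2024-05-08T09:40:00 user=helpdesk_tom role=it patient=P001 action=view reason=-
2024-05-08T09:41:00 user=helpdesk_tom role=it patient=P002 action=view reason=-
2024-05-08T09:42:00 user=helpdesk_tom role=it patient=P003 action=view reason=-
2024-05-08T10:01:00 user=dr_khan role=physician patient=P002 action=view reason=break-glass:ED-consult
2024-05-08T10:05:00 user=billing_ng role=billing patient=P003 action=view reason=-
2024-05-08T10:06:00 user=rn_ortiz role=nurse patient=P003 action=view reason=-
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def find_suspicious_access(events, care_team, window=timedelta(hours=1), max_patients=2):
    """Return (rule, user, detail) findings for a reviewer.

    no-relationship:    access with no roster relationship and no reason given
    break-glass-review: access outside the roster but with a documented reason
    volume:             more than max_patients distinct charts within one window
    """
    findings = []
    per_user = defaultdict(list)
    for e in events:
        on_team = e["user"] in care_team.get(e["patient"], set())
        if not on_team and e["reason"] == "-":
            findings.append(("no-relationship", e["user"], e["patient"]))
        elif not on_team:
            findings.append(("break-glass-review", e["user"], e["patient"]))
        per_user[e["user"]].append(e)

    for user, evs in per_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            charts = {x["patient"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(charts) > max_patients:
                findings.append(("volume", user, len(charts)))
                break   # one volume finding per user is enough for review
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_access(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(finding)
```

The break-glass path matters: emergency access is legitimate under HIPAA, so the rule does not block it, it records it for after-the-fact review, which is the control the Privacy Rule actually expects.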

Compliance Best Practices

Governance and risk management

Designate privacy and security leaders, perform documented risk analyses, and implement policies and procedures aligned to HIPAA Compliance Requirements. Review and update them at least annually and after major changes.

Technical safeguards for ePHI

Protect systems with unique user IDs, least-privilege roles, MFA, encryption in transit and at rest, endpoint protection, secure backups, and monitored audit logs. Use secure messaging and mobile device management for clinicians on the go.

Administrative safeguards

Deliver role-based training, maintain an incident response plan, apply sanctions for violations, and manage vendors with due diligence and Business Associate Agreements. Conduct periodic audits and document everything for Privacy Rule Enforcement readiness.

Physical safeguards

Control facility access, secure workstations, lock file rooms, and use proper media disposal (shredding, wiping, or destruction) for paper and electronic media.

Patient rights and transparency

Publish a clear Notice of Privacy Practices. Enable timely access and amendments, accounting of disclosures, reasonable restrictions, and confidential communications via secure channels.

Summary

Identify whether you are a covered entity or business associate, define permissible uses and disclosures, tighten safeguards for PHI and ePHI, and operationalize vendor and workforce controls. Solid documentation and continuous improvement position you well for Privacy Rule Enforcement and day-to-day compliance.

FAQs

Who qualifies as a covered entity under HIPAA?

Health plans, health care clearinghouses, and health care providers who conduct standard electronic Covered Transactions qualify as covered entities. Most hospitals, clinics, and individual practitioners that bill electronically are covered; so are employer-sponsored group health plans.

What is the role of a business associate in HIPAA compliance?

A business associate performs services for a covered entity that involve PHI, including subcontractors. They must safeguard PHI and ePHI, follow a signed Business Associate Agreement, report incidents, and ensure their own vendors comply with the same obligations.

Which entities are excluded from HIPAA Privacy Rule?

Employers (in the employer role), life insurers, workers’ compensation carriers, schools for FERPA education records, and many direct-to-consumer apps are generally outside HIPAA. They may fall under HIPAA only when acting as a business associate or running a covered health plan or provider function.

What types of disclosures are permitted without patient authorization?

Disclosures for treatment, payment, and health care operations are permitted, as are those required by law and specific public interest purposes (public health, oversight, certain law enforcement and court orders, decedents, organ donation, research with proper approvals, to avert serious threats, specialized government functions, and workers’ compensation). Other uses typically require an Authorized Disclosure.
