What Organizations Does HIPAA Apply To? Covered Entities & Business Associates


Kevin Henry

HIPAA

May 16, 2026


When you ask, “What organizations does HIPAA apply to?” the answer centers on Covered Entities and the vendors that support them, known as Business Associates. HIPAA safeguards Protected Health Information (PHI) in every form, whether on paper, spoken, or stored and transmitted electronically as Electronic Protected Health Information (ePHI), and it sets clear Compliance Requirements for who must follow the rules and how.

Identify Covered Entities

A Covered Entity is any organization that handles health information and transmits it electronically in connection with HIPAA Standard Transactions. This category includes three groups:

  • Health care providers that conduct standard electronic transactions (for example, claims or eligibility checks).
  • Health plans that pay for or provide the cost of medical care.
  • Health care clearinghouses that convert nonstandard data to standard formats and vice versa.

Business Associates are not Covered Entities, but they are directly regulated when they handle PHI on behalf of a Covered Entity. Both must understand where their responsibilities begin and end.

Define Health Care Providers

You are a Covered Entity provider if you furnish, bill for, or are paid for health care and transmit health information in a HIPAA transaction. The format of care—virtual or in-person—doesn’t matter; participation in standard electronic billing or eligibility transactions does.

  • Common examples: physicians, dentists, chiropractors, hospitals, clinics, therapists, pharmacies, laboratories, and durable medical equipment suppliers.
  • Cash-only or paper-only practices that never conduct HIPAA Standard Transactions electronically may not be Covered Entities, but adopting any standard electronic transaction brings HIPAA obligations.

Provider obligations include protecting Electronic Protected Health Information under the Security Rule and limiting uses and disclosures of PHI under the Privacy Rule.

Explain Health Plans

Health plans are Covered Entities because they arrange for or pay the cost of medical care. If you sponsor or administer a plan that pays claims, HIPAA likely applies.

  • Examples: health insurers, HMOs, employer-sponsored group health plans (including self-insured plans), Medicare Advantage and Part D plans, Medicare, Medicaid, and military or federal employee health benefit programs.
  • Excepted benefits (such as many workers’ compensation, accident, or disability policies) are generally not HIPAA “health plans,” though they may receive PHI under specific disclosures permitted by law.

Plans must meet Compliance Requirements for privacy notices, member rights, and vendor oversight through Business Associate arrangements.

Describe Health Care Clearinghouses

A Health Care Clearinghouse processes health information from one format to another—for example, converting a provider’s nonstandard claim file into a standard HIPAA transaction or repricing claims. Because they routinely handle PHI and HIPAA Standard Transactions, clearinghouses are Covered Entities by definition.

  • Examples: billing services, repricers, value-added networks/switches, and EDI gateways that translate claims, remittance advice, eligibility, or claim status transactions.

Clearinghouses may also act as Business Associates when they provide services to providers or plans, but their Covered Entity status stands on its own.


Outline Business Associates

A Business Associate is any person or organization that performs services for or on behalf of a Covered Entity and, in doing so, creates, receives, maintains, or transmits PHI. If you can view or touch PHI or ePHI to deliver your service, you are likely a Business Associate.

  • Examples: EHR and practice management vendors, cloud hosting and data storage providers, IT support, analytics firms, billing and coding vendors, transcriptionists, legal and accounting firms handling PHI, HIEs, and document destruction companies.
  • Subcontractors that handle PHI for a Business Associate are also Business Associates and must meet the same safeguards.
  • “Conduits” that merely transport data (like the postal service or certain telecoms) without routine access to PHI are generally not Business Associates.

Business Associates must implement Security Rule safeguards for Electronic Protected Health Information and follow Privacy Rule limits on uses and disclosures defined in their contracts.

Emphasize Contractual Obligations

Before a Covered Entity shares PHI with a vendor, it must execute a Business Associate Agreement. This contract defines how PHI may be used, protected, and returned, and it is a core Compliance Requirement for vendor management.

  • Specify permitted and required uses/disclosures and apply the minimum necessary standard.
  • Require administrative, physical, and technical safeguards for ePHI, including risk analysis and access controls.
  • Mandate prompt breach reporting and cooperation with investigation and notification duties.
  • Flow down obligations to subcontractors that handle PHI.
  • Provide for individual rights support (access, amendments, and accounting of disclosures) where applicable.
  • Address return or destruction of PHI at termination and allow termination for material breach.

A Business Associate Agreement does not replace compliance; it allocates and enforces responsibilities so both parties meet HIPAA obligations.

Clarify PHI Usage Rules

Protected Health Information includes any individually identifiable health information held or transmitted by a Covered Entity or Business Associate, in any form, including Electronic Protected Health Information. HIPAA allows certain uses and disclosures without authorization while restricting others.

  • Permitted without authorization: treatment, payment, and health care operations; specific public health and safety activities; and disclosures required by law.
  • Authorization required: most marketing, sale of PHI, and uses beyond HIPAA’s allowances; psychotherapy notes have special protections.
  • Minimum necessary: limit PHI access and disclosures to what is reasonably needed for the purpose.
  • De-identified data: once properly de-identified, information is no longer PHI and HIPAA no longer applies.
  • Breach Notification Rule: covered organizations must investigate potential compromises of unsecured PHI and notify affected parties as required.

In short, HIPAA applies to Covered Entities—providers, plans, and clearinghouses—and to Business Associates that handle PHI for them. Your obligations span privacy limits, security safeguards for ePHI, breach response, and rigorous vendor oversight through a solid Business Associate Agreement.

FAQs

Which organizations are considered Covered Entities under HIPAA?

Covered Entities include health care providers that conduct HIPAA Standard Transactions electronically, health plans that pay for medical care, and health care clearinghouses that translate nonstandard data to standard formats. If you fall into one of these categories and handle PHI, HIPAA applies.

What roles do Business Associates play in HIPAA compliance?

Business Associates perform services for Covered Entities that involve PHI—such as hosting, billing, analytics, or legal work—and must safeguard Electronic Protected Health Information under the Security Rule. They sign a Business Associate Agreement that limits uses and disclosures and requires breach reporting and subcontractor compliance.

How must Covered Entities manage contracts with Business Associates?

Covered Entities must execute a Business Associate Agreement before sharing PHI, define allowed uses, require minimum necessary access, and mandate administrative, physical, and technical safeguards. They should monitor vendor performance, update agreements as services change, and enforce remedies for noncompliance.

What types of health plans fall under HIPAA regulation?

HIPAA covers health insurers, HMOs, employer-sponsored group health plans (including self-insured plans), Medicare and Medicaid programs, and related arrangements that pay for medical care. Excepted benefits like many workers’ compensation or disability policies are generally not HIPAA “health plans.”
