Who Does the HIPAA Privacy Rule Apply To? Covered Entities and Business Associates


Kevin Henry

HIPAA

March 08, 2024


Covered Entities Overview

The HIPAA Privacy Rule applies to organizations and individuals that handle Protected Health Information in the U.S. Specifically, it governs covered entities and, through contractual and direct obligations, their business associates. Privacy Rule Compliance centers on what PHI you may collect, how you may use and disclose it, and the safeguards and documentation you must maintain.

Covered entities fall into three categories—health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with HIPAA Covered Transactions. Whether HIPAA applies depends on your role and activities, not simply your industry label.

Health plans

Health plans include group health plans, health insurers, HMOs, Medicare, Medicaid, and certain employer-sponsored plans. If you administer or insure benefits that pay for health care, you are a covered entity with full Privacy Rule responsibilities.

Health care clearinghouses

Health care clearinghouses process or translate nonstandard health data into standard formats and vice versa (for example, converting batch claims into standardized transactions). Because they routinely handle PHI for multiple parties, they are covered entities regardless of which customer they serve.

Health care providers who transmit HIPAA covered transactions

Most providers—physicians, dentists, clinics, hospitals, pharmacies, and labs—are covered entities when they conduct HIPAA Covered Transactions electronically, such as submitting claims or checking eligibility. Providers that never conduct these standard electronic transactions may fall outside HIPAA as covered entities, though other laws may still apply.

Hybrid entities and designated components

Organizations that perform both covered and non-covered functions can designate specific health care components as “covered.” HIPAA then applies to those components and their workforce, enabling clearer boundaries and controls for Data Use and Disclosure.

Common misconceptions

HIPAA does not automatically apply to every health app, employer, or wellness program. Unless an entity is a covered entity or a business associate handling PHI for one, HIPAA may not apply—though state privacy laws or other federal rules could.

Business Associates Definition

A business associate is a person or entity that creates, receives, maintains, or transmits PHI for or on behalf of a covered entity to perform regulated functions. Subcontractors that handle PHI on a business associate’s behalf are also business associates. This status brings direct HIPAA obligations and contract-based duties.

Examples of business associates

  • Billing services, revenue cycle management, and coding vendors
  • Cloud service providers and data centers that store or process PHI
  • EHR/PM system vendors, patient portal and telehealth platforms
  • Health information exchanges and e-prescribing gateways
  • Analytics, quality improvement, utilization review, and care management vendors
  • Accreditation, legal, actuarial, consulting, and accounting firms that need PHI

Who is not a business associate

  • A covered entity’s workforce (employees, volunteers, trainees)
  • “Conduits” that only transmit PHI without persistent storage (for example, certain postal and telecom carriers)
  • Entities with incidental, transient contact that does not involve services requiring PHI access

Note that most cloud or hosting providers that maintain PHI—even if encrypted—are business associates and require a Business Associate Agreement.

Business Associate Agreements

A Business Associate Agreement is required whenever a covered entity permits a vendor to create, receive, maintain, or transmit PHI on its behalf. Business associates must also execute BAAs with subcontractors that will handle PHI. The BAA memorializes Privacy Rule responsibilities and allocates operational duties.

Core elements to include

  • Permitted and required uses and disclosures of PHI and limits on any other use
  • Minimum necessary, safeguards, and Privacy Rule Compliance obligations
  • Reporting of security incidents and breaches without unreasonable delay
  • Flow-down clauses requiring subcontractors to sign comparable agreements
  • Support for individual rights (access, amendment, accounting of disclosures)
  • Return or destruction of PHI at termination, if feasible
  • Right to audit/monitor compliance and clear termination rights for material breach

Practical tips

  • Map PHI flows before contracting to confirm whether a BAA is required
  • Tailor permitted uses to the service; prohibit re-identification or secondary use
  • Align incident response timelines and breach risk assessment procedures
  • Verify encryption, access controls, and audit logging commitments in writing

HIPAA Electronic Transactions

HIPAA Covered Transactions are standardized administrative and financial exchanges, conducted in adopted standard formats such as ASC X12 and NCPDP, that streamline claims and related processes. Conducting these electronically is what makes most providers covered entities. Clearinghouses frequently convert data between nonstandard and standard formats to enable these flows.

Common covered transactions

  • 837 Health care claim/encounter
  • 835 Remittance advice
  • 270/271 Eligibility inquiry and response
  • 276/277 Claim status request and response
  • 278 Referral certification and authorization
  • 820 Premium payment and 834 Enrollment for health plan administration
  • NCPDP pharmacy claims and related transactions

What this means for you

If you submit claims, check eligibility, or exchange authorizations electronically—directly or through a vendor or clearinghouse—you are performing HIPAA Covered Transactions. That activity triggers your obligations to protect PHI and manage your business associates appropriately.


Compliance Requirements

Covered entities and business associates must implement policies, processes, and records that ensure lawful Data Use and Disclosure, protect individual rights, and support Risk Management. HIPAA sets a national baseline; more stringent state laws may also apply.

Data Use and Disclosure

  • Permitted uses and disclosures include treatment, payment, and health care operations
  • Authorizations are required for most other purposes, with limited exceptions
  • Apply the minimum necessary standard except for treatment and certain mandated disclosures
  • Use de-identified data when possible, or a limited data set under a data use agreement

Individual rights

  • Right of access to PHI in the requested form and format when readily producible
  • Right to request amendments and receive an accounting of certain disclosures
  • Right to request restrictions and confidential communications
  • Notice of Privacy Practices that explains uses, rights, and contacts

Risk Management and documentation

  • Conduct a risk analysis for ePHI and implement a Risk Management plan
  • Designate a privacy official, train your workforce, and enforce sanctions
  • Maintain written policies, BAAs, logs, and retention consistent with your record schedule

Breach notification

  • Evaluate incidents against the breach definition and conduct a risk assessment
  • Notify affected individuals without unreasonable delay and no later than 60 days where required
  • Business associates must notify covered entities; timing should be set in the BAA

Safeguarding Protected Health Information

Protected Health Information includes individually identifiable health data held or transmitted by covered entities or business associates in any form—electronic, paper, or oral. Safeguards are administrative, technical, and physical measures that prevent impermissible uses or disclosures and reduce risk.

Administrative safeguards

  • Risk analysis, Risk Management, and periodic reassessments
  • Policies for access, minimum necessary, and Data Use and Disclosure
  • Vendor due diligence and Business Associate Agreement oversight
  • Contingency planning, including data backup and disaster recovery
  • Workforce training, awareness, and role-based access

Technical safeguards

  • Unique user IDs, strong authentication, and role-based authorization
  • Encryption in transit and at rest for ePHI where reasonable and appropriate
  • Audit logs, integrity controls, and alerting for anomalous activity
  • Secure configurations, patch management, and endpoint/device protection

Physical safeguards

  • Facility access controls and visitor management
  • Workstation security and screen privacy
  • Device and media controls, including secure disposal and reuse procedures

Minimum necessary and de-identification

Limit PHI use and disclosure to the minimum necessary to achieve the purpose. When feasible, rely on de-identified data (via safe harbor or expert determination) or a limited data set to reduce privacy risk and streamline sharing.

Role of Health Care Providers

As a health care provider, your HIPAA status typically turns on whether you conduct standard electronic transactions. Once covered, you must embed Privacy Rule Compliance in daily operations, manage business associates, and continuously safeguard PHI throughout the care and revenue cycle.

Determining applicability

  • Do you submit claims, check eligibility, or get remittances electronically? If yes, you are a covered entity.
  • If you never conduct HIPAA Covered Transactions electronically, HIPAA may not apply to you as a covered entity.
  • Regardless, vendors that maintain PHI for you are likely business associates and must sign BAAs.

Everyday compliance actions

  • Provide a clear Notice of Privacy Practices and honor patient rights requests
  • Apply minimum necessary in phone calls, emails, faxes, and portal messages
  • Use secure channels for telehealth and e-prescribing; verify BAAs with those vendors
  • Monitor access logs, address anomalies, and refresh training regularly
  • Review BAAs and risk assessments annually and after major system changes

Conclusion

The HIPAA Privacy Rule applies to covered entities—health plans, health care clearinghouses, and providers that conduct HIPAA Covered Transactions—and to their business associates. By executing robust Business Associate Agreements, managing Data Use and Disclosure, and implementing layered safeguards and Risk Management, you can protect PHI and meet your obligations with confidence.

FAQs

What types of entities are considered covered entities under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA Covered Transactions. If you fit one of these categories—based on your activities—you must comply with the Privacy Rule.

What is a business associate under the HIPAA Privacy Rule?

A business associate is a person or organization that creates, receives, maintains, or transmits PHI for or on behalf of a covered entity to perform regulated functions, or provides certain services that require PHI access. Subcontractors that handle PHI are also business associates.

When is a business associate agreement required?

A Business Associate Agreement is required before a covered entity shares PHI with a vendor that will create, receive, maintain, or transmit PHI on its behalf, and before a business associate allows a subcontractor to handle PHI. The BAA defines permitted uses, safeguards, breach reporting, and termination terms.

How does HIPAA protect patient health information?

HIPAA limits PHI uses and disclosures, grants patient rights (access, amendment, accounting, restrictions), and requires administrative, technical, and physical safeguards. It also mandates breach notification and oversight of business associates through enforceable agreements to ensure Privacy Rule Compliance.
