Who Is Covered Under HIPAA? Who Must Comply—and Whose Data Is Protected
If you’ve ever wondered who is covered under HIPAA, the answer centers on three things: which organizations must comply, who counts as a business associate, and what qualifies as Protected Health Information (PHI). Understanding these boundaries helps you handle health data lawfully and avoid costly missteps.
Below, you’ll find a clear breakdown of covered entities, business associates, the scope of PHI, core compliance duties under the HIPAA Privacy Rule and HIPAA Security Rule, how the Office for Civil Rights (OCR) enforces the law, and the major exceptions.
Covered Entities
Covered entities are the organizations directly regulated by HIPAA. They include health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions (such as claims, eligibility checks, or benefits inquiries).
Health plans
Health plans include commercial insurers and HMOs, government programs (e.g., Medicare and Medicaid), and employer-sponsored group health plans—including Small Group Health Plans. The plan itself is the covered entity, not the employer; plan sponsors may receive PHI only for plan administration as permitted by HIPAA and plan documents.
Health care providers
Any provider (e.g., hospitals, physicians, pharmacies, labs) that transmits health information electronically in a standard HIPAA transaction is a covered entity. A provider that never conducts such electronic transactions may fall outside HIPAA’s covered entity definition, though other laws may still apply.
Health care clearinghouses
Clearinghouses process nonstandard health information into standard formats (or vice versa). They are covered entities because they routinely handle PHI in the course of translating transactions.
Hybrid and affiliated structures
Some organizations designate themselves as hybrid entities, limiting HIPAA coverage to their health care components (e.g., a university that also runs a clinic). Affiliated Covered Entities and Organized Health Care Arrangements allow related organizations to coordinate HIPAA compliance while sharing PHI for operations.
Business Associates
Business associates are persons or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity (or another business associate). Typical examples include claims processors, third‑party administrators, billing companies, EHR and cloud service providers, health information exchanges, consultants, attorneys, and analytics vendors.
Business associates—and their subcontractors that handle PHI—must comply with applicable HIPAA requirements and are directly liable for violations. Covered entities must ensure appropriate Business Associate Agreements are in place before sharing PHI.
Business Associate Agreements (BAAs)
BAAs define what PHI the associate may use or disclose and for what purposes. They require administrative, physical, and technical safeguards; breach reporting; flow‑down obligations to subcontractors; access and accounting support; and returning or securely destroying PHI at the end of the engagement.
Protected Health Information
Protected Health Information (PHI) is individually identifiable health information created or received by a covered entity or business associate that relates to a person’s health status, care, or payment for care. PHI can be oral, paper, or electronic (ePHI) and includes identifiers such as names, addresses, full‑face photos, device IDs, account numbers, and more when linked to health information.
What is not PHI
- De‑identified data (via expert determination or safe harbor removal of specified identifiers).
- Employment records held by an employer in its role as employer.
- Education records subject to FERPA and certain student health records.
- Information about individuals deceased for more than 50 years.
Limited data sets
A limited data set excludes most direct identifiers but may include elements like dates or ZIP codes. It can be shared for research, public health, or health care operations under a Data Use Agreement.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Requirements
HIPAA Privacy Rule
The HIPAA Privacy Rule governs when PHI may be used or disclosed, with broad permissions for treatment, payment, and health care operations (TPO). It requires a Notice of Privacy Practices, the minimum necessary standard, and processes to manage authorizations and restrictions.
Individuals have rights to access and obtain copies of their PHI (generally within 30 days, with one documented extension), request amendments, and receive an accounting of certain disclosures. Covered entities must also limit plan sponsor access to the minimum necessary for plan administration.
HIPAA Security Rule
The HIPAA Security Rule applies to ePHI and requires a risk analysis and ongoing risk management, supported by administrative, physical, and technical safeguards. Core controls include access and audit controls, transmission security, integrity protections, device and media handling, workforce training, and contingency planning.
Breach Notification Rule
When unsecured PHI is impermissibly used or disclosed, covered entities and business associates must assess the probability that the PHI has been compromised. If a breach occurred, affected individuals (and, when applicable, the media and OCR) must be notified within the required timeframes. Properly encrypted PHI is not "unsecured" PHI, so its loss or exposure generally does not trigger notification; this is the breach notification safe harbor.
Operations, vendors, and documentation
- Appoint privacy and security officials; adopt written policies and procedures; train the workforce and apply sanctions for violations.
- Execute and manage Business Associate Agreements; vet vendors handling PHI; monitor downstream subcontractors.
- Maintain documentation and risk analyses; review and update safeguards regularly.
Small Group Health Plans must meet the same Privacy, Security (for ePHI), and Breach Notification obligations, scaled to their size and risk.
Enforcement
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services enforces HIPAA through investigations, compliance reviews, and audits. Outcomes range from technical assistance and corrective action plans to monetary settlements or civil monetary penalties for willful or persistent noncompliance.
Criminal enforcement by the Department of Justice may apply to knowing misuse of PHI (e.g., obtaining or disclosing PHI under false pretenses or for gain). State attorneys general can also bring civil actions. Frequent enforcement themes include failure to conduct an enterprise‑wide risk analysis, insufficient access controls, missing BAAs, improper disclosures, and delays in meeting the HIPAA Right of Access.
Exceptions
HIPAA does not cover every organization or every type of health‑related data. Most employers, life insurers, workers’ compensation carriers, and many schools are not covered entities (though a school clinic that bills electronically can be). Consumer apps that collect health information but are not business associates generally fall outside HIPAA, even if other laws like the FTC Act or state privacy laws apply.
Covered entities may disclose PHI without authorization in specific situations: public health reporting, health oversight, judicial or law‑enforcement requests, to avert a serious threat, for specialized government functions, or for research with Institutional Review Board approval or a waiver. De‑identified data falls outside HIPAA, and limited data sets can be shared under a Data Use Agreement.
Key takeaways
- Covered entities are health plans (including Small Group Health Plans), clearinghouses, and certain providers; business associates and their subcontractors are directly liable when handling PHI.
- Protected Health Information (PHI) includes identifiable health, care, and payment data; de‑identified data and employment records are not PHI.
- Compliance hinges on the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule, executed through risk management, BAAs, training, and documented policies.
- OCR enforces HIPAA via investigations, settlements, and penalties; criminal and state actions are also possible.
FAQs
What entities are considered covered under HIPAA?
Covered entities are health plans (including employer‑sponsored group health plans and Small Group Health Plans), health care clearinghouses, and health care providers that transmit health information electronically in standard transactions like claims or eligibility checks.
Who qualifies as a business associate under HIPAA?
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another business associate). Examples include claims processors, TPAs, billing firms, EHR and cloud vendors, consultants, and attorneys. They must execute Business Associate Agreements and comply with applicable HIPAA requirements.
What types of information are protected by HIPAA?
HIPAA protects Protected Health Information (PHI), meaning individually identifiable health information related to a person’s health, care, or payment that is created or received by a covered entity or business associate. PHI spans paper, oral, and electronic formats; de‑identified data and employment records are not PHI.
Are there exceptions to HIPAA coverage?
Yes. Many organizations (e.g., most employers, life insurers, workers’ compensation programs) are not covered entities, and some data—like de‑identified information, FERPA‑covered education records, and employment records—is outside HIPAA. HIPAA also permits specific disclosures without authorization for public health, oversight, law enforcement, research with waiver, and other defined purposes.