Who Is Required to Comply with the HIPAA Privacy Rule? Examples and Risks


Kevin Henry

HIPAA

February 26, 2025

8 minutes read

Covered Entities Under HIPAA

The HIPAA Privacy Rule applies to organizations and individuals defined as “covered entities.” Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with HIPAA Transaction Standards (for example, claims, eligibility inquiries, or remittance advice).

Protected Health Information (PHI) is individually identifiable health information relating to a person’s health, care, or payment for care. PHI can be paper, electronic, or oral. De‑identified data (or a properly created limited data set under a data use agreement) is not PHI.

Types of covered entities

  • Health plans: insurers, HMOs, government programs (e.g., Medicare, Medicaid), and most employer-sponsored group health plans.
  • Health care providers: any provider (from hospitals to solo practitioners and telehealth practices) who conducts HIPAA-standard electronic transactions.
  • Health care clearinghouses: entities that translate nonstandard health information into HIPAA-standard formats and vice versa.

Special cases you should know

  • Hybrid entities: organizations with both covered and noncovered functions (such as a university with a student clinic) must designate “covered components.”
  • Employers, life insurers, and consumer apps are generally not covered entities when acting in their non‑health plan roles, but they may receive PHI from you only as the law permits.

Covered Entity Obligations include implementing policies and procedures, training the workforce, honoring individual rights (such as access and amendments), applying the minimum necessary standard, and managing vendors that handle PHI on your behalf.

Business Associates and Their Responsibilities

A business associate is any person or company that performs services for a covered entity (or another business associate) involving PHI—think cloud service providers, billing companies, EHR and e‑prescribing vendors, analytics firms, legal counsel, or document destruction services.

Business associates have direct compliance duties. They must implement appropriate safeguards, limit uses and disclosures, support individual rights where applicable, report incidents and breaches, and ensure downstream subcontractors follow the same rules.

Business Associate Agreements

Business Associate Agreements (BAAs) are required before sharing PHI. A sound BAA should specify permitted uses and disclosures, mandate administrative, physical, and technical safeguards, require breach and security incident reporting, flow down obligations to subcontractors, allow audits or assurances, and address return or destruction of PHI upon termination.

Common pitfalls for vendors and covered entities

  • Working with a vendor that accesses ePHI without a signed BAA.
  • Allowing a subcontractor to handle PHI without BAA “flow‑down” terms.
  • Using PHI for product development, AI training, or marketing beyond what the BAA and Privacy Rule allow.

Safeguarding Protected Health Information

The Privacy Rule requires “reasonable” safeguards to prevent uses or disclosures of PHI in violation of the rule. In practice, you should align Privacy Rule Safeguards with Security Rule controls for electronic PHI to ensure consistent protection across paper, verbal, and electronic information.


Administrative safeguards

  • Designate a privacy official and a contact person, adopt written policies, train your workforce, and enforce sanctions for violations.
  • Apply the minimum necessary standard, role‑based access, and a need‑to‑know culture.
  • Maintain a Notice of Privacy Practices and processes for authorizations, complaints, and mitigation of harmful disclosures.

Physical and technical safeguards

  • Secure areas where PHI is stored or discussed; use clean‑desk and secure disposal practices for paper and media.
  • For ePHI, implement access controls, unique user IDs, multi‑factor authentication, audit logging, encryption in transit and at rest, device and mobile media management, and backup/restore procedures.

Data sharing and de‑identification

  • Use data use agreements for limited data sets and obtain valid authorizations for marketing, sale of PHI, or use of psychotherapy notes.
  • Leverage expert determination or the safe harbor method to de‑identify data before broader sharing.

Compliance Requirements and Best Practices

To comply efficiently, treat privacy as a program, not a project. Integrate day‑to‑day controls with governance, documentation, and continual improvement.

Program governance

  • Appoint privacy leadership, conduct privacy risk assessments, map PHI data flows, and document policies and procedures.
  • Keep a living inventory of vendors and BAAs; review them annually and upon material changes.

Individual rights and core workflows

  • Access: provide records generally within 30 days (with a limited extension) and charge only cost‑based fees.
  • Amendment and accounting of disclosures: maintain timely, documented processes.
  • Restrictions and confidential communications: honor reasonable requests, including restrictions on disclosures to health plans when patients pay in full out of pocket.

Operational controls

  • Apply minimum necessary to routine disclosures, standardize verification of requestors, and validate faxes/emails before sending.
  • Run tabletop exercises for incidents and breach notification; document investigations and decisions.
  • For HIPAA Transaction Standards, ensure your systems or clearinghouse use correct formats and code sets for claims and related transactions.

Training and culture

  • Deliver role‑based onboarding and annual training with scenario‑based refreshers.
  • Reinforce “pause‑to‑verify” habits, social media rules, and secure disposal practices.

Enforcement and Penalties for Violations

The HHS Office for Civil Rights (OCR) enforces the Privacy Rule: it investigates complaints, conducts audits, issues resolution agreements and corrective action plans, and can impose civil monetary penalties. Aggravating factors include the scale of exposure, duration, willful neglect, and failure to correct known issues.

Both civil and criminal penalties apply. Civil penalties follow a tiered structure per violation, with annual caps adjusted for inflation. Criminal violations—prosecuted by the Department of Justice—can include fines and imprisonment, with higher penalties for offenses committed under false pretenses or for personal gain or malicious harm.

State attorneys general may also bring civil actions. Recurrent enforcement themes include missing BAAs, lack of risk analysis, right‑of‑access failures, device theft without safeguards, and impermissible marketing uses of PHI.

Examples of Noncompliance Risks

  • Sending PHI to the wrong recipient due to missing identity verification or miskeyed addresses.
  • Storing ePHI with a cloud vendor before executing a Business Associate Agreement.
  • Lost or stolen unencrypted laptop, phone, or USB drive containing patient data.
  • Workforce “snooping” in records without a job‑related need, detected after audit logs are finally reviewed.
  • Using patient lists for marketing without a valid authorization or required disclosures.
  • Delaying or denying a patient’s record request beyond permitted timeframes or charging impermissible fees.
  • Posting patient stories or images on social media when identifiers seem “removed” but context still reveals the patient’s identity.
  • Improper disposal of paper charts or labels in regular trash rather than secure destruction.
  • Over‑disclosing PHI to family members or employers without patient authorization or a permitted exception.
  • Failure to use HIPAA Transaction Standards, causing claim rejections and drawing compliance scrutiny.

Implementing Privacy Rule Safeguards

A practical rollout roadmap

  • First 30 days: appoint leads; inventory PHI and data flows; identify lawful bases for each use/disclosure; freeze high‑risk practices until controls exist.
  • Days 31–60: update policies, BAAs, and the Notice of Privacy Practices; implement role‑based access, encryption, audit logs, and secure disposal; launch role‑specific training.
  • Days 61–90: test incident response and right‑of‑access workflows; remediate gaps; establish metrics (e.g., access request turnaround, BAA coverage, audit log review frequency).

Quick wins

  • Activate email and device encryption defaults; enforce MFA and automatic logoff.
  • Use standardized forms for authorizations and patient access requests to reduce errors.
  • Centralize vendor intake so every PHI‑touching engagement triggers a BAA review.

Conclusion

If you are a covered entity—or a vendor handling PHI on behalf of one—you must comply with the HIPAA Privacy Rule. By clarifying roles, executing strong Business Associate Agreements, applying Privacy Rule Safeguards, meeting Covered Entity Obligations, and aligning daily operations with best practices, you reduce risk and protect the trust patients place in you.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA Transaction Standards. Providers range from large health systems to solo practices and telehealth clinics if they conduct standard electronic transactions.

What are business associates required to do?

Business associates must sign Business Associate Agreements, use or disclose PHI only as permitted, implement safeguards (including for ePHI), report incidents and breaches, ensure subcontractors follow the same rules, and support requests tied to access, accounting, or audits as required.

What are the penalties for violating the HIPAA Privacy Rule?

Penalties include civil monetary penalties under a tiered scheme and, for certain conduct, criminal prosecution with fines and possible imprisonment. The HHS Office for Civil Rights can require corrective action plans, and state attorneys general may also bring civil actions.

How does HIPAA protect patient information?

The Privacy Rule limits when PHI can be used or disclosed, grants patients rights (access, amendments, restrictions, and more), and requires reasonable administrative, physical, and technical safeguards. When combined with the Security Rule for ePHI, these Privacy Rule Safeguards help ensure confidentiality, integrity, and appropriate use of patient data.
