Who Must Comply with the HIPAA Privacy Rule? Requirements Explained
Covered Entities Under HIPAA
Under the HIPAA Privacy Rule, compliance applies first to covered entities. Whether you are one depends on what kind of organization you are and how you exchange health information, not simply on whether you handle it: health plans and health care clearinghouses are always covered, and a health care provider becomes covered once it transmits health information electronically in connection with a HIPAA standard transaction.
Who qualifies as a covered entity
- Health plans: insurers, HMOs, employer-sponsored group health plans, and government programs such as Medicare and Medicaid.
- Health care providers: any provider (for example, physicians, hospitals, clinics, pharmacies) that conducts standard electronic transactions, such as submitting electronic claims.
- Health Care Clearinghouses: organizations that transform or route nonstandard health data into standard formats and back (for example, billing or EDI intermediaries).
Special structures
- Hybrid entities: organizations with both covered and non-covered functions that designate “health care components” subject to HIPAA.
- Organized health care arrangements: clinically or operationally integrated groups that share PHI for joint operations and must coordinate compliance.
Your workforce members (employees, volunteers, trainees, and others under your control) must also follow your HIPAA policies and procedures.
Business Associates and Their Roles
Business associates are persons or companies that perform functions or services for, or on behalf of, a covered entity and that create, receive, maintain, or transmit Protected Health Information (PHI) in doing so. If you rely on outside partners in this way, you need a Business Associate Agreement with each of them that defines both parties' obligations.
Examples of business associates
- Claims processing, billing, collections, and practice management vendors.
- Cloud service providers, data centers, email and secure messaging platforms that store or transmit PHI. A cloud provider that stores ePHI is a business associate even when the data is encrypted and it never holds the key; only pure conduits such as ISPs and couriers, which merely transport data, fall outside the definition.
- EHR vendors, health information exchanges, analytics firms, and transcription services.
- Third-party administrators for group health plans, consultants, legal and accounting firms with PHI access.
Business Associate Agreements (BAAs)
- Define permitted and required uses/disclosures of PHI and prohibit anything not authorized by the covered entity or the Privacy Rule.
- Require appropriate administrative, physical, and technical safeguards and breach reporting duties.
- Flow down obligations to subcontractors that create, receive, maintain, or transmit PHI on the business associate’s behalf.
Business associates are directly liable for compliance failures, not just contract breaches. You must vet, document, and monitor these relationships.
Standards for Protecting PHI
PHI is individually identifiable health information in any form—paper, verbal, or electronic—held by a covered entity or business associate. You must limit its use and disclosure and protect it throughout its lifecycle.
Core Privacy Rule principles
- Use and disclosure for treatment, payment, and health care operations (TPO) is generally permitted; other purposes often require a valid authorization.
- Minimum necessary: access and disclose only the least amount of PHI needed to accomplish the purpose.
- Individual rights: provide a Notice of Privacy Practices and honor rights to access, obtain copies, request amendments, receive an accounting of disclosures, request restrictions, and choose confidential communication channels.
- De-identification: either remove the identifiers enumerated in the Safe Harbor method (names, geographic units smaller than a state, dates other than the year, contact details, record and account numbers, device, biometric and photographic identifiers, and similar) and have no actual knowledge that the remaining data could identify the individual, or obtain an expert determination that the re-identification risk is very small. Properly de-identified data is no longer PHI.
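Safe Harbor is the "remove specified identifiers" route. The following Python is an example added here, not code from the page's author or from HHS; it applies the Safe Harbor removal rules to constructed records with assumed field names, and shows the two rules practitioners most often get wrong: ZIP codes truncate to three digits (or to 000 for the sparsely populated prefixes HHS lists), and an age over 89 collapses to "90 or older" with the birth year removed as well, since a year alone would reveal the age. Free text is dropped outright because it cannot be de-identified mechanically, and the actual-knowledge condition is a judgment no code can make.

```python
"""Safe Harbor de-identification of a flat PHI record.

Example code added to this page; it is not from HHS or from any vendor
product. It applies the removal rules of the Safe Harbor method
(45 CFR 164.514(b)(2)) to a dict whose field names are this example's own
assumption about a record layout.
"""
from __future__ import annotations

import re
from datetime import date

# Direct identifiers that Safe Harbor requires removing outright. The keys are
# assumed field names for this example, not a standard schema.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Free text cannot be de-identified mechanically (it may name the patient,
# relatives or employers), so this example drops it rather than keeping it.
FREE_TEXT_FIELDS = {"notes"}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes whose combined area holds 20,000 or fewer people,
# as listed in HHS's Safe Harbor guidance (2000 Census data). Check the current
# guidance before relying on this list.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Fixed reference date for age calculation in the demonstration.
REFERENCE_DATE = date(2024, 1, 1)


def deidentify_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or 000 for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth: date, reference: date) -> int:
    """Whole years between birth and the reference date."""
    had_birthday = (reference.month, reference.day) >= (birth.month, birth.day)
    return reference.year - birth.year - (0 if had_birthday else 1)


def deidentify_record(record: dict, reference: date) -> dict:
    """Return a new dict containing only Safe Harbor-permitted fields."""
    age = record.get("age")
    if age is None and "birth_date" in record:
        age = age_on(date.fromisoformat(record["birth_date"]), reference)
    over_89 = age is not None and age > 89

    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in FREE_TEXT_FIELDS or key == "age":
            continue
        if key in DATE_FIELDS:
            # A birth year alone would reveal an age over 89, so drop it then.
            if key == "birth_date" and over_89:
                continue
            out[key] = str(date.fromisoformat(value).year)
        elif key == "zip":
            out[key] = deidentify_zip(value)
        else:
            out[key] = value
    if age is not None:
        # Ages over 89 collapse into a single category.
        out["age"] = "90 or older" if over_89 else str(age)
    return out


# Constructed sample records for the demonstration (fictional data).
SAMPLE_RECORDS = [
    {
        "name": "Jane Sample", "ssn": "000-00-0000", "mrn": "MRN-000001",
        "email": "jane@example.com", "birth_date": "1980-06-15",
        "admission_date": "2023-03-02", "zip": "02139-4307", "state": "MA",
        "diagnosis_code": "E11.9", "notes": "Patient Jane reports fatigue.",
    },
    {
        "name": "John Sample", "mrn": "MRN-000002", "birth_date": "1930-01-20",
        "zip": "05901", "state": "VT", "diagnosis_code": "I10",
    },
]


def deidentify_all(records: list[dict], reference: date) -> list[dict]:
    return [deidentify_record(r, reference) for r in records]


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE_RECORDS, REFERENCE_DATE):
        print(row)
```

Run as a script, the second record comes out with no birth date at all, an age of "90 or older" and a ZIP of 000 (059 is a restricted prefix), while the first keeps "1980", "2023" and "021". Whatever survives this pass must still be checked against the actual-knowledge condition and against any free-text or image fields in the real record.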
Safeguards that work in practice
- Administrative: role-based access, workforce training, sanction policies, and contingency planning.
- Physical: facility access controls, device/media management, and secure disposal.
- Technical: unique user IDs, strong authentication, encryption or equivalent protections, automatic logoff, and audit logging for ePHI.
These privacy standards are complemented by the HIPAA Security Rule for electronic PHI, which sets the baseline for technical and operational protections.
Enforcement and Penalties
The Department of Health and Human Services enforces the Privacy Rule through its Office for Civil Rights (OCR). OCR investigates complaints and breach reports, conducts compliance reviews and audits, and negotiates resolution agreements with corrective action plans.
Civil and criminal exposure
- Civil Penalties: a tiered monetary penalty structure applies based on the level of culpability, with per-violation amounts and annual caps. OCR weighs factors such as the nature, extent, and duration of the violation, harm caused, and organizational size/resources.
- Criminal Penalties: the Department of Justice may prosecute knowing misuse or wrongful disclosure of PHI, with penalties that escalate for false pretenses or intent to sell or use PHI for personal gain, commercial advantage, or malicious harm.
- State enforcement: state attorneys general can also bring civil actions on behalf of residents for certain HIPAA violations.
Beyond fines, enforcement often requires sustained remediation, monitoring, and demonstrable culture change around privacy.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Responsibilities
To comply with the HIPAA Privacy Rule, you need a documented privacy program that fits your risk profile and operations. Build it into everyday workflows so requirements are met without friction.
- Governance: appoint a privacy official, coordinate with your security official, and define clear lines of authority and accountability.
- Policies and procedures: tailor them to your environment, implement version control, and retain documentation for the required period (six years from its creation or from the last date it was in effect, whichever is later).
- Training and awareness: train the workforce at onboarding and periodically; reinforce through reminders, simulations, and sanctions for violations.
- Business Associate Agreements: inventory all vendors and subcontractors with PHI access, execute BAAs, and monitor performance and security attestations.
- Risk management: conduct risk analyses for ePHI, remediate findings, manage access consistently, and encrypt ePHI to reduce exposure; because the Breach Notification Rule applies only to unsecured PHI, a lost device or intercepted message whose ePHI is encrypted in line with HHS guidance is not a reportable breach.
- Breach response: maintain an incident response plan, investigate promptly, mitigate harm, and deliver the notifications the Breach Notification Rule requires: to affected individuals without unreasonable delay and no later than 60 calendar days after discovery, to HHS, and to prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
Electronic Transmission Requirements
If you transmit health information electronically, you must adhere to HIPAA’s Administrative Simplification standards and protect ePHI in transit and at rest.
Transactions, code sets, and identifiers
- Use standard electronic transactions where applicable, such as claims (837), eligibility (270/271), remittance advice (835), and prior authorization (278).
- Rely on standard code sets (for example, ICD-10-CM, CPT, HCPCS) to promote interoperability and consistency.
- Use National Provider Identifiers (NPIs) and other required identifiers accurately in all designated transactions.
Transmission safeguards
- Protect ePHI during transmission using secure protocols and encryption or equivalent measures that align with your risk analysis.
- Secure email, texting, telehealth, portals, eFax, and API-based exchanges with authentication, access controls, and monitoring.
- Ensure Business Associate Agreements cover vendors that store or transmit ePHI, including cloud and integration partners.
Scope of HIPAA Privacy Rule
The Privacy Rule applies to covered entities and their business associates handling PHI. It reaches PHI in any medium and governs how you may use, disclose, and safeguard it while preserving patient rights.
What HIPAA does not cover
- De-identified data is not PHI and falls outside the Rule. A limited data set (PHI stripped of direct identifiers but retaining dates and some geographic data) is still PHI, but may be used or disclosed for research, public health, or health care operations under a data use agreement without individual authorization.
- Employment records held by an employer in its role as employer are not PHI.
- Most consumer health apps, wearables, or personal health records that are not acting on behalf of a covered entity are typically outside HIPAA, though other laws may apply.
- Education records protected by FERPA are not subject to HIPAA.
In short, if you are a covered entity or a business associate that touches PHI, you must comply with the HIPAA Privacy Rule. Map your data flows, implement role-based access, execute and manage Business Associate Agreements, train your workforce, and continuously monitor and improve your program to stay compliant.
FAQs
Which entities are considered covered entities under HIPAA?
Covered entities are health plans, Health Care Clearinghouses, and health care providers that conduct standard electronic transactions. An organization with both covered and non-covered functions may designate itself a hybrid entity; the Rule then applies to its designated health care components rather than to the organization as a whole.
What defines a business associate in HIPAA?
A business associate is any person or organization that performs functions or services for a covered entity involving PHI. Typical examples include billing firms, cloud providers, EHR vendors, analytics companies, and TPAs. Business Associate Agreements are required and must flow down to subcontractors that handle PHI.
How does the OCR enforce HIPAA compliance?
The Office for Civil Rights within the Department of Health and Human Services investigates complaints and breach reports, conducts audits, and issues findings. Outcomes may include corrective action plans, monitoring, and Civil Penalties, with factors such as harm, duration, and organizational diligence influencing results.
What are the penalties for violating the HIPAA Privacy Rule?
Violations can trigger tiered Civil Penalties per violation with annual limits, along with mandated remediation. Serious misconduct may also lead to Criminal Penalties for knowing misuse or wrongful disclosure of PHI, which can include fines and potential imprisonment.