Who Does HIPAA Apply To? Covered Entities & Business Associates (2024)

The Health Insurance Portability and Accountability Act (HIPAA) is a significant piece of legislation that aims to protect sensitive patient health information. Many individuals and organizations may wonder to whom this federal law applies and what their specific responsibilities are when handling patient data, which raises the question:

Who does HIPAA apply to and who is subject to HIPAA compliance?

HIPAA extends its regulations to entities such as healthcare providers, health plans, employers, business associates, subcontractors, and researchers who electronically transmit or use health information in various contexts. 

In this article, we will delve into the specifics of who HIPAA applies to, the requirements and responsibilities of these entities, and provide examples for clarity.

Who Does HIPAA Apply To And Who Has to Follow HIPAA Regulation?

HIPAA, the Health Insurance Portability and Accountability Act, is a critical piece of legislation that aims to safeguard the privacy and security of patients' healthcare information. Its requirements apply to various entities within the healthcare ecosystem, ensuring the proper handling of sensitive, protected health information (PHI).

Covered Entities

Covered entities under HIPAA include three types of organizations that deal with protected health information (PHI). These entities are:

  1. Healthcare Providers: This category includes doctors, clinics, hospitals, nursing homes, and pharmacies that transmit information electronically in connection with certain healthcare transactions.
  2. Health Plans: Health Plans include health insurance carriers, HMOs, company-sponsored health plans, government programs like Medicare and Medicaid, and other entities that pay for medical care.
  3. Healthcare Clearinghouses: These are organizations that act as intermediaries, processing non-standard health information to conform to standards for electronic data interchange (EDI).

Business Associates

Business associates are external individuals or businesses that provide services involving the use or disclosure of PHI on behalf of a covered entity. Examples of business associates include:

  • Billing services
  • Attorneys or legal consulting services
  • CPA firms
  • Accounting services

These business associates must sign a HIPAA-compliant business associate agreement (BAA) outlining their compliance with the necessary HIPAA rules.

Subcontractors

Subcontractors are individuals or businesses that provide certain services to covered entities, and in doing so, may have direct or indirect access to PHI. Examples include IT service providers and shredding companies. Subcontractors are considered business associates when they create, receive, maintain, or transmit PHI and must also sign BAAs.

Hybrid Entities

Hybrid entities are organizations with multiple business units, where some are subject to HIPAA and others are not. An example of a hybrid entity is a university with both healthcare and educational divisions. In such cases, only the healthcare-related business units are required to comply with HIPAA rules, and measures must be in place to protect PHI within the overall organization structure.

Researchers

Researchers who access, use, or disclose PHI for research purposes are also subject to HIPAA regulations. They must obtain authorization or waivers from patients whose PHI is being used, as well as adhere to the same privacy and security standards as other covered entities and business associates.

HIPAA can also apply to vendors of personal health records in specific instances, such as when they experience a data breach. In these cases, they need to report the breach to the Federal Trade Commission under the Breach Notification Rule.

It is important to note that there are some entities that may not be fully covered by HIPAA but are still subject to certain health data privacy rules. For example, some organizations may be partial or hybrid entities, or subject to more stringent state laws governing the privacy and security of health information. In these cases, compliance with HIPAA may be more complex and dependent on the unique circumstances of each entity.

In conclusion, HIPAA applies to a wide range of persons and organizations involved in the handling, storage, and transmission of PHI. Both covered entities and business associates are required to adhere to HIPAA rules, safeguarding the privacy and security of health information.

Who Does HIPAA Not Apply To?

HIPAA primarily applies to Covered Entities and Business Associates that handle, process, or transmit Protected Health Information (PHI). However, there are some entities and individuals that HIPAA does not apply to, as they don't typically handle, use, or disclose PHI on behalf of covered entities.

For example, ambulance services that bill electronically are subject to HIPAA, but in counties without electronic billing, HIPAA does not apply to these ambulance services. These exemptions acknowledge that not all entities pose the same level of risk to the privacy and security of PHI.

Another category of HIPAA non-applicability includes certain employers and workers' compensation carriers. While they may handle some health-related information, they are not generally required to comply with HIPAA regulations, as they do not qualify as covered entities or business associates under the law.

Other notable examples of organizations that are not bound by HIPAA regulations include life insurance companies, schools, law enforcement agencies, state agencies, and some researchers. These organizations may still have access to PHI or sensitive health information, but they are not directly subject to HIPAA, as their primary activities do not involve providing healthcare services, healthcare payment processing, or healthcare administration.

It is important to note that although these entities are not required to comply with HIPAA, they likely have other federal, state, or local regulations they must follow for handling, storing, or using health information. These alternative regulations help ensure the privacy and security of health information even when HIPAA does not apply.

Does HIPAA Apply to Employers?

HIPAA does apply to employers in certain circumstances. It is essential for employers to understand these specific situations to avoid violating HIPAA rules. The main focus of HIPAA is to protect individuals' health information, and it primarily impacts health care providers, health plans, and health care clearinghouses.

Employers might be subject to HIPAA regulations if they sponsor or co-sponsor employee health insurance plans or administer self-insured health plans, meaning they handle employees' protected health information (PHI). In such cases, employers must adhere to HIPAA privacy and security rules, ensuring the confidentiality and protection of their employees' PHI.

However, not all employer-sponsored health plans are subject to HIPAA. For instance, if an employer provides benefits through an insurance company and does not create, store, or receive PHI, the employer may not be bound by HIPAA regulations. In addition, workplace wellness programs may or may not be covered by HIPAA, depending on how they are designed and administered. If a program shares PHI with the employer, it is necessary to comply with the HIPAA Privacy Rule.

Who Must Comply With HIPAA? Key Takeaways

HIPAA, the Health Insurance Portability and Accountability Act, sets standards for protecting sensitive patient information and ensuring privacy in the healthcare industry. Understanding who must comply with HIPAA is vital for maintaining compliance and avoiding penalties. 

In summary, entities that deal with ePHI must comply with HIPAA, including healthcare providers, health plans, healthcare clearinghouses, business associates, hybrid entities, subcontractors, and researchers. Compliance with HIPAA ensures that sensitive patient information remains confidential and secure, reducing the likelihood of privacy violations and data breaches in the healthcare industry.


Does HIPAA Apply To Private Individuals?

HIPAA primarily applies to covered entities and business associates, not private individuals. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Business associates are those who perform certain functions or activities on behalf of covered entities that involve the use or disclosure of protected health information (PHI). However, individuals can still violate HIPAA if they unlawfully access, use, or disclose someone else's PHI without authorization.

Does HIPAA Apply During Public Health Emergencies?

HIPAA generally remains in effect during public health emergencies. However, the Department of Health and Human Services (HHS) may issue temporary waivers or relax some requirements under certain circumstances to facilitate the provision of healthcare services and ensure public safety.

Does HIPAA Apply To Subcontractors Of Business Associates?

Yes, HIPAA applies to subcontractors of business associates. Subcontractors who create, receive, maintain, or transmit PHI on behalf of a business associate must comply with the HIPAA Privacy and Security Rules and are subject to the same level of accountability.

Does HIPAA Apply To Researchers?

Researchers may be subject to HIPAA regulations if they receive or access PHI when conducting research. They must follow HIPAA requirements to obtain patient authorization or seek a waiver, alteration of authorization, or an exemption from an Institutional Review Board (IRB) or Privacy Board.

Does HIPAA Apply To Employers’ Self-Insured Health Plans?

When an employer sponsors a self-insured health plan, that health plan is generally considered a covered entity under HIPAA, while the employer itself is not. The self-insured health plan must comply with HIPAA regulations.

Does HIPAA Only Apply To Healthcare Workers?

HIPAA applies to all employees of covered entities and business associates who handle PHI, not just healthcare workers. Employees who have access to PHI must comply with HIPAA's privacy and security requirements.

Does HIPAA Apply To All Employees Of Covered Entities And Business Associates?

As mentioned above, HIPAA applies to employees of covered entities and business associates who have access to PHI. It is essential for these organizations to ensure proper training and foster a culture of HIPAA compliance among their workforce.

What Happens If An Employee Violates HIPAA By Accident?

Accidental HIPAA violations may still result in penalties or sanctions depending on the circumstances. Covered entities and business associates should have procedures in place to address such incidents, including conducting an internal investigation, implementing corrective actions, and reporting breaches to HHS if required.

Can A Non-Medical Person Violate HIPAA?

Yes, a non-medical person can potentially violate HIPAA, especially if they access, use, or disclose PHI without proper authorization. This may occur, for example, when working in an administrative role within a covered entity or business associate.

What Are The Penalties For HIPAA Non-Compliance For Business Associates And Covered Entities?

Penalties for HIPAA non-compliance can range from civil monetary penalties to, in more severe cases, criminal penalties. The amount depends on the level of knowledge, intent, and harm caused by the violation. Civil penalties can range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations.

How Do Covered Entities Prove HIPAA Compliance?

Covered entities can demonstrate HIPAA compliance by developing and implementing required policies and procedures, conducting regular risk assessments, providing workforce training, and having incident response plans in place. HHS, through its Office for Civil Rights (OCR), may also conduct audits and investigations to ensure compliance with HIPAA rules.
