Who Does HIPAA Apply To [Top 5 Entities]

Pritesh Vora

Pritesh Vora

Sep 30, 2023

Who Does HIPAA Apply To

Key Points

  • HIPAA is a US Federal Law that uses a series of criteria to determine if an entity must be HIPAA compliant or not.
  • HIPAA generally applies to covered entities, business associates, hybrid entities, subcontractors, and researchers.
  • If your cloud-hosted company falls under any of the above categories, certain business contracts and practices must be modified to reflect HIPAA compliance.


Looking for answers to questions like who does HIPAA apply to? Or ‌ whether HIPAA applies to you and your employees? 

The answers to these questions simply depend on whether your cloud-hosted company meets the criteria of HIPAA compliance.

HIPAA, also known as the Health Insurance Portability and Accountability Act, is a US Federal Law that ensures baseline privacy and security standards for Protected Health Information (PHI).

It uses a series of criteria to determine if an entity needs to be HIPAA compliant. And in case any covered entity violates HIPAA regulations (knowingly or unknowingly), it can face civil action lawsuits, criminal charges, and hefty monetary penalties ranging between $100-$1.5 million per violation.

This article discusses who HIPAA applies to, and will help you figure out if your cloud-hosted company is a covered entity as per HIPAA regulations. 

Who Does HIPAA Apply To?

The HIPAA rules apply to any individual, healthcare organization, and cloud-hosted company that meets the definition of a covered entity as stated in HIPAA guidelines. 

who does hipaa apply to

Following are the five distinct entities who is covered under HIPAA:

1. Covered Entities

There are various kinds of entities that fall under the Covered Entity category, as described below.

  • Healthcare Providers – Any healthcare organization or institution that collects protected health information (PHI) must be HIPAA compliant. This includes doctors, dentists, psychologists, physiologists, clinics, pharmacies, nursing homes, etc.
  • Healthcare Plans – Any corporations that give healthcare plans such as health insurance companies, group health plans, health maintenance organizations, and government-funded health plans like Medicare & Medicaid are a covered entity.
  • Healthcare Clearinghouses – All healthcare clearinghouses that convert PHI data into a uniform format for electronic transmission also fall under covered entities.

2. Business Associates

A business associate is any person or entity that executes certain operations or responsibilities that involve disclosing or using the PHI, either on behalf of or as a service provider to a covered entity. 

Following are some primary examples of business associates:

  • An external or independent hospital consultant who conducts evaluations
  • An external administrator who helps healthcare plan to process claims
  • A third-party CPA firm that requires access to the PHI for providing its accounting services to covered entities

Business associates don’t require direct interaction with patients to perform their services for covered entities. However, the covered entities must execute a business associate agreement (BAA) to ensure their partnered business associates safeguard the shared PHI as per HIPAA regulations.

In addition, business associates are directly liable for any HIPAA violation and are subject to the same penalties that apply to covered entities. 

3. Subcontractors

who does hipaa not apply to

A subcontractor is an individual or entity that creates, maintains, and transmits health information on behalf of a business associate. In fact, a HIPAA subcontractor bears the same legal responsibilities as any business associate we discussed earlier.

For example, a covered entity’s business associate may hire an external agency to destroy documents containing the PHI or avail a cloud service to store & process the PHI. In both scenarios, the external agency falls under the Subcontractor category and is required to comply with most of the HIPAA regulations.

4. Hybrid Entities

A hybrid entity usually conducts both HIPAA-covered and non-covered tasks as a business.

A perfect example of this is any large organization that has a self-insured healthcare plan for its employees. In this type of organization, only a part of the company is considered a covered entity, and only that ‌part (also called the health care component) is subject to HIPAA compliance. 

Other examples of hybrid entities include grocery stores that have a pharmacy and universities that have a medical centers. 

An organization that is a hybrid entity must ensure that its healthcare component does not disclose the PHI to any non-covered component within the organization.

5.  Researcher

HIPAA regulations allow covered entities to share PHI with researchers if patients have given their consent to disclose and use their PHI for research ‌. In such cases, there is no need to sign a business associate agreement. However, the covered entity must draw and enter a data use agreement with the partnered researcher before disclosing the PHI. 

The data use agreement helps to instill a satisfying assurance that you will strictly adhere to the HIPAA compliance guidelines for the ‌limited data set.

Who Does HIPAA Not Apply To?

Just as there are many individuals and businesses required to comply with HIPAA, there are also many that are not required to. And even then, sometimes health information is still available to these people and businesses. 

Following are some examples of those who aren’t required to comply with HIPAA regulations:

  • Term & life insurance companies
  • Gyms and fitness studios
  • Schools & districts
  • Health and fitness mobile apps
  • The majority of law enforcement firms
  • State agencies like child welfare 
  • Certain government departments
  • Employers
  • Workers’ compensation insurance companies

More examples of such entities are available on HHS Guidance Materials for Consumers.

Does HIPAA Apply to Everybody?

As per GDPR Compliance, the Department of Health and Human Services (HHS) can only enforce HIPAA penalties against covered entities and business associates as stated in the HIPAA compliance regulations. 

As per the defined regulations, covered entities include all healthcare organizations, healthcare clearinghouses, and health plans who engage in electronic transmissions of the PHI. 

Now, this definition of covered entities is fairly broad and covers not only hospitals, clinics, and insurance companies but also private companies, non-profit organizations, and even government agencies that provide some kind of healthcare services.

The entire scope of parties does not end here. Many employers across the world have discovered that they fall under the covered entities category because of functions or activities such as a group health plan for all employees.

Though these employers urge to be treated as hybrid entities to limit HIPAA restrictions, these employers must conduct the usual HIPAA compliance checklist activities, even as a hybrid entity.

Aside from employers, HIPAA applies to individuals and cloud-hosted companies that require the use of PHI for providing services to covered entities. These individuals and cloud-hosted companies fall under the business associates category. While they’re not liable for HIPAA compliance penalties, they are required to renegotiate certain business contracts along with additional business practices to reflect the HIPAA privacy compliance requirements


Now that you have the answer to, “who does HIPAA apply to” and whether your cloud-hosted company needs to be HIPAA compliant, you’re halfway through ensuring HIPAA compliance. 

That said, if you find it difficult to navigate the complicated legislation of HIPAA correctly, we’ve got you covered. Sprinto, an automated compliance software, can help to become HIPAA compliant with minimal fuss. For more information, please visit our website.

FAQ: Who Does HIPAA Laws Apply To?

What is considered Protected Health Information (PHI)?

Protected health information (PHI) includes patients’ demographic information, medical history, laboratory results, insurance information, health conditions, and any other data that can help to identify, locate, or contact an individual.

What if a covered entity violates HIPAA regulations by accident?

Unfortunately, it is impossible to prevent every accidental violation of HIPAA regulations. And as far as penalty is concerned, the circumstances, along with the assessment of the damage caused by the accidental violation, will determine the outcome in terms of penalty. 

Does HIPAA still apply during emergencies?

Suppose the president declares a national emergency or any time the Department of Health and Human Services (HHS) declares public health emergencies. In that case, penalties against non-compliant covered entities can be waived. Although, the waiving of the HIPAA penalty will only apply to specific provisions of the HIPAA privacy rule and not the Privacy Rule in its entirety. 

Pritesh Vora

Pritesh Vora

Pritesh is a founding team member and VP Growth & Marketing at Sprinto. He comes with over a decade of experience and is a data-driven dynamo in growth strategy, sales, and marketing! His strategies have crafted the success of not one, but two early-stage SaaS startups to 7-digit revenues within a year – he’s your go to guy for all things growth.

Here’s what to read next….

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.