Who Does HIPAA Apply To [Top 5 Entities]

Pritesh Vora

Mar 01, 2024

Looking for answers to questions like "Who does HIPAA apply to?" or whether HIPAA applies to you and your employees?

The answer depends on whether your cloud-hosted company meets HIPAA's definition of a covered entity or a business associate.

HIPAA, the Health Insurance Portability and Accountability Act, is a US federal law that sets baseline privacy and security standards for Protected Health Information (PHI).

It uses a series of criteria to determine whether an entity needs to be HIPAA compliant. If a covered entity or business associate violates HIPAA (knowingly or unknowingly), it can face civil monetary penalties, enforcement actions by state attorneys general, and, for knowing misuse of PHI, criminal charges. Civil penalties start at $100 per violation and are capped at $1.5 million per year for violations of the same provision (base figures, adjusted annually for inflation).

This article discusses who HIPAA applies to, and will help you figure out if your cloud-hosted company is a covered entity as per HIPAA regulations. 

Key Points:
  • HIPAA is a US Federal Law that uses a series of criteria to determine if an entity must be HIPAA compliant or not.
  • HIPAA generally applies to covered entities, business associates, hybrid entities, subcontractors, and researchers.
  • If your cloud-hosted company falls under any of the above categories, certain business contracts and practices must be modified to reflect HIPAA compliance.

Who does HIPAA apply to?

The HIPAA rules apply to any individual, healthcare organization, or cloud-hosted company that meets the definition of a covered entity or a business associate as stated in the HIPAA regulations.


The following five categories of entities are covered under HIPAA:

1. Covered Entities

Three kinds of organizations fall under the Covered Entity category, as described below.

  • Healthcare Providers – Any health care provider that transmits health information electronically in connection with a HIPAA standard transaction (such as a claim or an eligibility check) is a covered entity. This includes doctors, dentists, psychologists, clinics, pharmacies, nursing homes, etc.
  • Health Plans – Any entity that provides or pays for health care, such as health insurance companies, group health plans, health maintenance organizations, and government-funded programs like Medicare and Medicaid, is a covered entity.
  • Healthcare Clearinghouses – Organizations that convert nonstandard health information into a standard format for electronic transmission (or vice versa) also fall under covered entities.

Does it seem too much to handle? Don’t worry. 

With Sprinto, you can easily map and manage HIPAA requirements all in one place. Sprinto’s continuous compliance monitoring capabilities are seamlessly integrated to ensure that your day-to-day practices align with HIPAA standards.

If you have more questions on whether you are a covered entity, our checklist can help you make the decision.

2. Business Associates

A business associate is any person or entity that performs functions or services for, or on behalf of, a covered entity that involve creating, receiving, maintaining, or transmitting PHI.

Following are some primary examples of business associates:

  • An external or independent hospital consultant who conducts evaluations
  • A third-party administrator that helps a health plan process claims
  • A third-party CPA firm that needs access to PHI to provide accounting services to a covered entity
  • A cloud service provider that stores or processes electronic PHI for a covered entity, even if it never views the data

Business associates need not interact directly with patients to perform their services for covered entities. The covered entity must, however, execute a business associate agreement (BAA) with each one, obligating it to safeguard the shared PHI as HIPAA requires.

In addition, business associates are directly liable for violations of the Security Rule and of the Privacy Rule provisions that apply to them, and are subject to the same penalties as covered entities.

We know that many health tech businesses find it challenging to define the scope for HIPAA compliance, but with Sprinto, you can simplify the process. 

Implement HIPAA essentials in a structured and prioritized manner tailored to your business context. Our experts will guide you through the steps, eliminating the need to navigate through a lengthy checklist. 

Sprinto ensures thorough program implementation, and with continuous monitoring, you can stay compliant, avoiding penalties and non-compliance issues.

3. Subcontractors


A subcontractor is an individual or entity that creates, receives, maintains, or transmits PHI on behalf of a business associate. A HIPAA subcontractor bears the same legal responsibilities as the business associate discussed earlier.

For example, a covered entity's business associate may hire an external agency to destroy documents containing PHI, or use a cloud service to store and process PHI. In both scenarios the external party falls under the Subcontractor category, must sign a BAA with the business associate, and must comply with the applicable HIPAA rules.

4. Hybrid Entities

A hybrid entity is a single legal entity that performs both HIPAA-covered and non-covered functions as a business.

A typical example is a large organization that has a self-insured health plan for its employees. In this type of organization, only part of the company is considered a covered entity, and only that part (called the health care component) is subject to HIPAA compliance.

Other examples of hybrid entities include grocery stores that have a pharmacy and universities that have a medical center.

An organization that is a hybrid entity must ensure that its health care component does not disclose PHI to any non-covered component within the organization, except where the Privacy Rule would permit the same disclosure to a separate entity.

5. Researchers

HIPAA allows a covered entity to disclose PHI to researchers in several ways: with the patient's written authorization, under a waiver of authorization approved by an Institutional Review Board (IRB) or Privacy Board, or as a limited data set from which direct identifiers have been removed. Researchers are not business associates, so no business associate agreement is needed. When sharing a limited data set, however, the covered entity must enter into a data use agreement with the researcher before disclosing the data.

The data use agreement binds the researcher to use and safeguard the limited data set only for the stated purposes, not to re-identify or contact the individuals, and to report any use or disclosure not permitted by the agreement.

Who Does HIPAA Not Apply To?

Just as many individuals and businesses are required to comply with HIPAA, many others are not, even though health information sometimes still ends up in their hands.

Following are some examples of those who aren’t required to comply with HIPAA regulations:

  • Term & life insurance companies
  • Gyms and fitness studios
  • Schools & districts
  • Health and fitness mobile apps
  • Most law enforcement agencies
  • State agencies like child welfare 
  • Certain government departments
  • Employers
  • Workers’ compensation insurance companies

More examples of such entities are available on HHS Guidance Materials for Consumers.

Who does the HIPAA privacy rule apply to?

The HIPAA Privacy Rule establishes national standards to safeguard individuals' medical records and other individually identifiable health information. It applies to health plans, health care clearinghouses, and those health care providers that conduct certain transactions electronically.

These entities, collectively referred to as “covered entities,” must adhere to the privacy standards, even when outsourcing some functions to “business associates.” 

It’s important to note that the rule doesn’t grant the Department of Health and Human Services (HHS) the authority to regulate other private businesses or certain public agencies, such as employers, life insurance companies, or those providing social security or welfare benefits.

Will you be affected by HIPAA's requirements?

HIPAA’s requirements impact specific individuals and organizations. You will be under the purview of its effects if you are one of the following:

  • Health care providers
  • Health plans
  • Health information clearinghouses
  • Business associates of covered entities
  • Workforce members of those organizations

However, also note that:

  • The Privacy Rule applies to covered entities (and, for certain provisions, their business associates). Not every organization that handles health information is a covered entity, so many do not need to comply with the Privacy Rule.
  • The Privacy Rule does not regulate research itself; it regulates covered entities. Researchers, who may or may not be covered entities, are affected indirectly because the Rule governs how covered entities may release PHI to them.
  • In practice, researchers may need to provide documentation (an authorization, an IRB or Privacy Board waiver, or a data use agreement) so that the covered entity can meet the Privacy Rule's conditions for disclosing PHI for research.

If you are in the list of the organization that is affected by HIPAA requirements, do not worry. Sprinto sets up guardrails that simplify the right actions and make the wrong ones challenging. It ensures a top-notch, continuously monitored HIPAA compliance program, effortlessly supporting the technical and administrative safeguards mandated by HIPAA.

Sprinto brings you a continuous audit stream, taking a proactive approach to HIPAA compliance. Identify issues swiftly, address them promptly, and enhance your reporting capabilities for better compliance management.

Does HIPAA apply to researchers?

Yes, HIPAA affects researchers in specific scenarios.

The Privacy Rule comes into play whenever research uses PHI held by a covered entity, for example when reviewing medical records or conducting surveys that collect PHI from patients who are under treatment.

Under the Privacy Rule, a covered entity may rely on a researcher's documentation of an IRB or Privacy Board waiver of authorization as establishing that the information requested is the minimum necessary for the research purpose.

Will the HIPAA Privacy Rule hinder medical research?

No, the HIPAA Privacy Rule is not expected to hinder medical research. Patients and health plan members may in fact be more willing to allow their information to be used for research when they know it is protected.

While the Privacy Rule may require certain covered health care providers to change how they document research uses and disclosures, it does not prohibit research.

Do note, however, that some providers and plans may find the Rule's documentation requirements for research uses and disclosures burdensome and may respond by limiting researchers' access to PHI.

What is not subjected to HIPAA regulations?

The following categories of organizations and individuals are not subject to HIPAA regulations:

  • Employers in their capacity as employers
  • Life insurance companies
  • Law enforcement agencies
  • Marketing companies (not working on behalf of a covered entity)
  • Cosmetic service providers (not processing healthcare transactions)
  • Workers’ compensation carriers
  • Auto insurance companies (excluding health benefits)
  • Schools and school districts (not providing healthcare services)
  • State agencies unrelated to healthcare administration or services
  • Family and friends of the patient (unless acting as a personal representative)
  • Fitness and health clubs
  • Researchers (not obtaining PHI from a covered entity)
  • Attorneys (not working on behalf of a covered entity)
  • Pharmacies selling over-the-counter products without PHI
  • Alternative medicine practitioners (not processing healthcare transactions)

Does HIPAA Apply to Everybody?

Under HIPAA, the Department of Health and Human Services (HHS) can only enforce penalties against covered entities and business associates as defined in the HIPAA regulations.

As defined there, covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA standard transactions.

This definition is fairly broad and covers not only hospitals, clinics, and insurance companies but also private companies, non-profit organizations, and even government agencies that provide some kind of health care service.

The scope of covered parties does not end here. Many US employers have discovered that the group health plan they sponsor for employees is itself a covered entity.

Even when such an employer designates itself a hybrid entity to limit HIPAA's reach to the health plan component, that component must still carry out the usual HIPAA compliance activities.

Aside from employers, HIPAA applies to individuals and cloud-hosted companies that use PHI to provide services to covered entities. These fall under the business associates category. Since the 2013 Omnibus Rule they are directly liable for violations of the Security Rule and of the Privacy Rule provisions that apply to them, and they must sign business associate agreements and adapt their business practices to meet HIPAA's requirements.


Now that you have the answer to, “who does HIPAA apply to” and whether your cloud-hosted company needs to be HIPAA compliant, you’re halfway through ensuring HIPAA compliance. 

That said, if you find it difficult to navigate HIPAA's complicated legislation correctly, we've got you covered. Sprinto, an automated compliance platform, can help you become HIPAA compliant with minimal fuss. For more information, please visit our website.

FAQ: Who Does HIPAA Laws Apply To?

What is considered Protected Health Information (PHI)?

Protected health information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate that relates to a person's health condition, care, or payment for care. It includes demographic information, medical history, laboratory results, insurance information, and any identifier (such as a name, address, date, or account number) that could be used to identify, locate, or contact the individual.

What if a covered entity violates HIPAA regulations by accident?

It is not possible to prevent every accidental violation of HIPAA. An accidental violation is still a violation, but the penalty depends on the circumstances and on the damage caused: HIPAA's civil penalty tiers scale with culpability, from violations the entity did not know about and could not reasonably have known about, up to willful neglect that is not corrected.

Does HIPAA still apply during emergencies?

If the President declares a national emergency or disaster and the HHS Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against hospitals in the emergency area for non-compliance with specific provisions of the Privacy Rule (for example, the requirement to obtain a patient's agreement before speaking with family members, or to distribute a notice of privacy practices). The waiver covers only those provisions, is time-limited, and does not suspend the Privacy Rule as a whole; the rest of HIPAA continues to apply.

Pritesh Vora

Pritesh is a founding team member and VP Growth & Marketing at Sprinto. He comes with over a decade of experience and is a data-driven dynamo in growth strategy, sales, and marketing! His strategies have crafted the success of not one, but two early-stage SaaS startups to 7-digit revenues within a year – he’s your go to guy for all things growth.
