Who must comply with HIPAA?
HIPAA compliance applies primarily to “covered entities” and their business associates who handle protected health information (PHI). These regulations safeguard patient privacy and data security in the U.S. healthcare ecosystem.
1. Covered entities
Covered entities form the core group required to comply with HIPAA’s Privacy, Security, and Breach Notification Rules, and they fall into three categories. Health plans encompass health insurance companies, HMOs, employer-sponsored group health plans, and government programs such as Medicare and Medicaid.
Healthcare providers encompass doctors, clinics, hospitals, dentists, pharmacies, psychologists, nursing homes, and any other provider that transmits health information electronically in connection with a standard transaction such as a claim or an eligibility check. Healthcare clearinghouses convert nonstandard health information into the standard transaction formats (or the reverse) on behalf of plans and providers.
2. Business associates
Business associates extend HIPAA obligations beyond covered entities. These are vendors or contractors creating, receiving, maintaining, or transmitting PHI on behalf of covered entities, such as billing firms, IT services, transcriptionists, document storage providers, lawyers, and cloud platforms.
The 2013 Omnibus Rule made business associates directly liable for the Security Rule and for the Privacy Rule provisions that apply to them, and extended that liability to their subcontractors; each tier of the chain must be bound by a Business Associate Agreement (BAA). Non-compliance risks civil penalties with an annual cap per violation category that the HITECH Act set at $1.5 million and that is adjusted for inflation each year.
3. Additional entities
Certain other organizations that handle PHI must also comply, but only if they meet the covered entity or business associate criteria above. Long-term care facilities, research institutions, public health authorities, employers (in their role as sponsors of a group health plan), schools, and universities fall in scope on that basis, not simply because they hold health information. Workforce members of a covered entity or business associate, including employees, volunteers, interns, students, and on-site contractors, are not regulated directly but must follow the policies and training their organization implements.
4. Exceptions and scope
HIPAA does not apply universally. Life insurers, most employers acting in their capacity as employers rather than as plan sponsors, and providers that never transmit health information electronically in a standard transaction fall outside it. For providers, it is that electronic transmission in a standard transaction that triggers “covered” status; once an entity is covered, however, the Privacy Rule protects PHI in every form (paper, oral, and electronic), while the Security Rule’s administrative, physical, and technical safeguards apply to electronic PHI. Compliance involves those safeguards, periodic risk assessments, and workforce training. The HHS Office for Civil Rights (OCR) enforces the Rules through complaint investigations, compliance audits, and penalties.