What Types of Entities May Be Subject to HIPAA?

Three types of entities are directly subject to HIPAA: health care providers, health plans, and health care clearinghouses. These are called “covered entities.” A fourth category, business associates, also falls under HIPAA because they handle protected health information on behalf of a covered entity. Beyond these groups, HIPAA does not apply, even if an organization collects or stores health-related data.

Health Care Providers

Doctors, dentists, psychologists, chiropractors, clinics, nursing homes, and pharmacies are all health care providers under HIPAA, but with one important qualifier: they are only covered if they transmit health information electronically in connection with certain standard transactions. Those transactions include submitting insurance claims, checking patient eligibility, requesting referral authorizations, processing payments, and coordinating benefits between insurers.

In practice, this electronic transmission requirement captures nearly every provider that bills insurance. A solo therapist who only accepts cash and never files electronic claims could technically fall outside HIPAA, but the moment that therapist submits a single electronic standard transaction (an insurance claim, for example), the practice becomes a covered entity. Coverage then attaches to the provider, not to that one transaction: all of the practice’s protected health information, including records of cash-paying patients, is subject to the Privacy and Security Rules from that point on.

Health Plans

Health plans include any individual or group plan that pays the cost of medical care. The category is broad: health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and military and veterans health care programs all qualify. Dental, vision, and prescription drug plans are included too.

Employer-sponsored group health plans are a common source of confusion. The plan itself is a covered entity, but the employer that sponsors it is not automatically one. If a small company simply pays premiums to an insurer and never touches employees’ health data, the HIPAA obligations fall on the insurer and the plan, not on the employer. The picture changes for self-funded plans, where the employer takes on the financial risk and its own staff administer the plan and handle claims data. Those staff are acting for the plan, so the employer must comply with HIPAA in its role as plan administrator, and the Privacy Rule requires it to keep plan data walled off from employment decisions such as hiring, firing, and promotion.

Health Care Clearinghouses

Clearinghouses are the least familiar category for most people. These are entities that take nonstandard health information from a provider or plan and convert it into a standard electronic format, or the reverse. Examples include billing services, repricing companies, community health management information systems, and the electronic networks that route claim data between providers and insurers. In most cases, clearinghouses handle individually identifiable health information only when providing processing services to a provider or plan, which means they typically operate as business associates at the same time.

Business Associates

A business associate is any person or organization that performs certain functions or services for a covered entity and, in doing so, creates, receives, maintains, or transmits protected health information. Mere possession is enough; a cloud storage vendor that holds encrypted patient records without ever viewing them still qualifies. This is a wide net. Functions that create business associate status include claims processing, data analysis, utilization review, billing, benefit management, practice management, and repricing. Services that trigger it include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial work.

The relationship is formalized through a business associate agreement, a contract that spells out what the associate can and cannot do with the data. Business associates are directly liable for HIPAA violations, not just contractually liable. They must also extend the same protections downstream: if a business associate hires a subcontractor that creates or receives protected health information, that subcontractor needs its own business associate agreement. If the business associate learns the subcontractor is violating the agreement and does nothing, the business associate is out of compliance.

Hybrid Entities

Some organizations perform both covered and non-covered functions under a single legal structure. A university, for instance, may run a student health clinic (covered) alongside academic departments that never touch patient data (not covered). HIPAA allows these organizations to designate themselves as hybrid entities. They identify the specific components that perform covered functions, called health care components, and apply HIPAA requirements only to those units and the support staff that serve them.

Cornell University, as one example, formally designates its health care components and requires them to comply with HIPAA while keeping protected health information segregated from non-health care parts of the university. An organization that qualifies as a hybrid entity but does not make this designation is subject to HIPAA across the entire organization.

Affiliated Covered Entities

Legally separate covered entities under common ownership or control can choose to designate themselves as a single affiliated covered entity for HIPAA purposes. A hospital system with multiple hospitals and clinics, each a separate legal entity, might do this to streamline compliance, allowing a unified set of privacy policies and a single notice of privacy practices rather than duplicating everything across each entity. The designation must be documented and maintained in writing or electronic form.

Health Apps and Wearable Devices

A fitness tracker or health app does not automatically fall under HIPAA just because it collects health data. The deciding factor is whether the app operates on behalf of a covered entity. If a hospital contracts with a developer to build a patient portal app, that developer is a business associate and HIPAA applies. If an independent company builds a sleep-tracking app sold directly to consumers with no connection to a covered entity, HIPAA does not apply, even if the app stores sensitive health information.

This gap means a large amount of consumer health data sits outside HIPAA’s reach. The Federal Trade Commission, rather than the Department of Health and Human Services, has jurisdiction over most standalone health apps. It requires them to maintain reasonable privacy and security practices under Section 5 of the FTC Act, which bars unfair or deceptive practices, and it enforces a separate Health Breach Notification Rule that obliges many such apps to notify users and the FTC when their health data is breached.

Entities That Are Not Subject to HIPAA

Many organizations handle health-related information without triggering HIPAA. Life insurers, workers’ compensation carriers, most employers (in their role as employers), and most schools and school districts fall outside the law’s scope. Your employer can ask for a doctor’s note to justify sick leave, and HIPAA does not govern what happens to that note. The Privacy Rule explicitly does not protect employment records, even when those records contain health information. If you work for a hospital or health plan, your own employment file is still not covered. Your medical records as a patient of that hospital, however, are.

Gyms, most workplace wellness programs run independently of a group health plan, and social media platforms that collect health-related posts are also outside HIPAA. The law is narrowly targeted at the health care system’s data flows, not at every organization that happens to learn something about your health.