Three types of organizations, known as “covered entities,” must comply with the HIPAA Privacy Rule: health plans, health care providers who transmit information electronically, and health care clearinghouses. A fourth category, business associates, must also comply with key provisions of the rule when they handle protected health information on behalf of a covered entity.
Health Plans
Any organization that pays for medical care is considered a health plan under HIPAA. This covers a wide range of payers: health insurance companies, HMOs, employer-sponsored group health plans, and government programs like Medicare, Medicaid, and military and veterans’ health programs. If a plan provides or pays for the cost of medical care, whether it’s a private individual policy or a large group benefit, it falls under the Privacy Rule.
Health Care Providers
Not every health care provider is automatically subject to HIPAA. The rule applies only to providers who transmit health information electronically in connection with certain standard transactions. These transactions include submitting insurance claims, checking a patient’s eligibility for coverage, requesting referral authorizations, processing payments, and coordinating benefits between multiple insurers.
In practice, this captures the vast majority of doctors, hospitals, clinics, pharmacies, dentists, psychologists, chiropractors, and nursing homes, because nearly all of them file electronic claims. A provider who handles everything on paper and never sends any of these transactions electronically would technically fall outside the rule, but that scenario is rare today.
Health Care Clearinghouses
Clearinghouses are organizations that sit between providers and health plans, converting health information from nonstandard formats into the standardized electronic formats required by HIPAA (or vice versa). Billing services and repricing companies often fall into this category. If a business processes or facilitates the processing of health information for another legal entity and performs this kind of format translation, it qualifies as a clearinghouse and must comply with the Privacy Rule.
Business Associates
Many organizations that aren’t covered entities themselves still handle protected health information because they provide services to a covered entity. These are called business associates, and the list is broader than most people expect. It includes companies that perform claims processing, billing, data analysis, utilization review, quality assurance, practice management, and benefit management. It also includes professionals providing legal, accounting, consulting, actuarial, and financial services when those services involve access to patient information.
A few concrete examples: a CPA firm that does accounting for a medical practice and can see patient records, an attorney advising a health plan on matters involving patient data, or a consultant conducting utilization reviews for a hospital. Cloud storage vendors, IT companies managing electronic health records, and shredding companies that destroy paper records also commonly qualify.
Before sharing protected health information with a business associate, a covered entity must obtain written assurances, typically through a Business Associate Agreement, that the business associate will use the information only for the purposes it was hired to perform, safeguard it from misuse, and help the covered entity meet its obligations under the Privacy Rule.
Direct Liability for Business Associates
Business associates weren’t always directly on the hook for HIPAA violations. That changed in 2009 with the HITECH Act, and a 2013 final rule from the Office for Civil Rights spelled out exactly which provisions apply. Business associates are now directly liable for failing to comply with the HIPAA Security Rule, impermissible uses and disclosures of patient information, failing to report breaches to the covered entity, and failing to limit data to the minimum necessary for the task at hand. They must also enter into business associate agreements with their own subcontractors if those subcontractors create or receive protected health information. In short, the chain of responsibility extends downstream: if your subcontractor mishandles patient data, you bear responsibility for not having proper agreements and safeguards in place.
Hybrid Entities
Some organizations perform both HIPAA-covered and non-covered functions under a single legal entity. A university is a common example: it may run a campus health clinic (a covered function) and also operate academic departments that have nothing to do with health care. These organizations can designate themselves as “hybrid entities,” which limits HIPAA compliance obligations to the specific components that perform covered functions.
Choosing hybrid status isn’t automatic. The organization must formally define and designate its health care components. Any research lab or department that functions as a health care provider and engages in standard electronic transactions must be included. Components that provide health care but don’t transmit electronic transactions can be included or excluded at the entity’s discretion. If a covered entity decides not to designate itself as a hybrid, every part of the organization is subject to the full Privacy Rule.
Who Does Not Have to Comply
Many organizations that handle health-related information are not covered by HIPAA at all. Life insurers, employers (in their role as employers, not as health plan sponsors), workers’ compensation carriers, and most schools fall outside the rule. Fitness apps, wearable device makers, and direct-to-consumer genetic testing companies generally aren’t covered entities or business associates unless they have a specific contractual relationship with one.
School health records are a common point of confusion. Student health records maintained by a school, including those kept by campus health clinics, are generally protected under FERPA (the Family Educational Rights and Privacy Act) rather than HIPAA. This applies even when the records are created by licensed health care providers on campus.
How to Determine Your Status
CMS provides a decision tool built around a short series of questions. For providers, the two key questions are: Does the person or business furnish, bill, or receive payment for health care in the normal course of business? And does it transmit any covered transactions electronically? If both answers are yes, it’s a covered entity. For health plans, the core question is whether the plan provides or pays for the cost of medical care. For clearinghouses, the question is whether the business converts health information between nonstandard and standard formats for another legal entity.
If your organization doesn’t fit neatly into one of these categories but regularly handles patient data on behalf of an entity that does, you’re likely a business associate and still need to comply with significant portions of the Privacy Rule.