Who Does HIPAA Apply To?

Who Does HIPAA Apply To

Most sources tackling the question who does HIPAA apply to tend to rely on the applicability clause of the Administration Simplification General Provisions for their answer (45 CFR § 160.102). This clause, and other applicability clauses in HIPAA, state:

Except as otherwise provided, the standards, requirements, and implementation specifications […] apply to the following entities:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a covered transaction.

In addition to the three types of Covered Entity, the applicability clause states, “where provided, the standards, requirements, and implementation specifications […] apply to a business associate.”


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

While this looks like a straightforward answer to the question who does HIPAA apply to, anybody familiar with HIPAA will know that very little is straightforward when it comes to dissecting the text of the Administration Simplification provisions. For example, in just this small section of text alone there are three phrases that add uncertainty to the idea of a “straightforward answer”:

  • “Except as otherwise provided”,
  • “In connection with a covered transaction”, and
  • “Where provided”.

Who Does HIPAA Apply to “Except as Otherwise Provided”?

When the HIPAA Privacy Rule was published, it created a federal floor of privacy protections that pre-empts state laws except for when a state law:

  • Provides greater privacy protections and/or better patient rights,
  • Provides for the reporting of an event for the purposes of public health investigation, or
  • Requires health plans to include PHI in reports such as management and financial audits.

In addition to these “except as otherwise provided” exceptions, states, Covered Entities, and individuals can apply to the Department of Health and Human Services (HHS) for an exemption to Privacy Rule compliance if the exemption meets certain criteria – for example to better prevent fraud and abuse related to the provision of or payment for health care.

There are multiple other examples in which Covered Entities may be exempt from complying with certain standards of HIPAA. For example, the Military Command Exception allows Armed Forces medical personnel to disclose PHI without authorization in certain circumstances, while the Privacy Rule (§164.522(b)) requires healthcare providers to accommodate reasonable requests from patients to communicate PHI via an unsecure channel of communication.

What Does “In Connection with a Covered Transaction” Mean?

While all health plans and health care clearinghouses are HIPAA Covered Entities regardless of the nature of their operations, healthcare providers are only considered to HIPAA Covered Entities if they exchange information electronically with another party for a transaction covered by the HIPAA Transactions and Code Sets Rule (45 CFR § Part 162 Subparts K – S). These transactions include:

  • Payment and remittance advice
  • Claims status
  • Eligibility
  • Coordination of benefits
  • Claims and encounter information
  • Enrollment and disenrollment
  • Referrals and authorizations
  • Premium payment

In most cases, healthcare providers will be Covered Entities if they file electronically with Medicare. However, some private or small medical practices might not qualify as Covered Entities. If your organization is in any doubt whether it qualifies as a Covered Entity, HHS has produced an interactive Decision Tool with helpful explanations at the end of the document.

How Does HIPAA Apply to Business Associates, Partial Entities, and Hybrid Entities?

In addition to applying to Covered Entities, HIPAA applies to Business Associates, Partial Entities, and Hybrid Entities – although not in the same ways. With regards to Business Associates, HHS has published a list of HIPAA violations for which the Office for Civil Rights is authorized to take enforcement action against Business Associates. This list shows Business Associates are required to comply with elements of the Privacy and Breach Notification Rules as well as the Security Rule.

Partial Entities are organizations that conduct covered transactions internally between separate legal entities. An example of a Partial Entity is an employer who administers a self-insured health plan. In this example, the employer and the health plan are separate legal entities and HIPAA applies to PHI maintained by the health plan which is shared electronically with the employer for administration purposes. Note: The employer cannot use the PHI for organizational operations.

Hybrid Entities are single legal entities whose business activities include both covered transactions and non-covered transactions. An example of a Hybrid Entity is a medical school that provides health care facilities for both students and non-students. As mentioned previously, student medical records are covered by FERPA, but the component of the school´s activities that provide health care facilities for non-students is covered by HIPAA and this component must comply with all the HIPAA Rules.

What Companies Does HIPAA Apply To?

There are three types of companies that HIPAA applies to – either completely or partially. The first type is a HIPAA Covered Entity. This type of company is usually a health plan, health care clearinghouse, or a qualifying healthcare organization that conducts covered transactions electronically. These types of companies have to comply with all applicable HIPAA Rules.

The second type of company is a Business Associate. This type of company provides a service for or on behalf of a Covered Entity and has to comply with the Security Rule and Breach Notification Rule by law. The company may also have to comply with General Provision and Privacy Rule standards depending on the nature of service provided and the terms of a Business Associate Agreement.

The third type of company is one that develops, sells, or provides services for Personal Health Records when data is created, received, maintained, or transmitted to or from more than a single device. This type of company has to comply with the Breach Notification Rule under Section 5 of the Federal Trade Commission Act, and compliance with this requirement is policed by the FTC.

When HIPAA Does Not Apply

There are many circumstances when HIPAA does not apply – the most common being when an employer collects health information about an employee but does not use it in connection with a covered transaction. Other circumstances can include when an individual discloses their vaccination status to an airline or applies to a local authority for a disabled parking permit.

Additionally, although HIPAA applies to most instances when healthcare is paid for by an insurance provider, HIPAA does not apply in all instances. For example, if payment for healthcare is secondary to a non-health related insurance policy (for example, auto insurance that pays the insured’s medical expenses after an accident), HIPAA does not apply to the auto insurance provider.

There are also times when HIPAA applies, but is not enforced. These usually occur during regional or national emergencies (i.e., the Californian wildfires and the COVID-19 Pandemic), and the “Notices of Enforcement Discretion” that announce them explain which areas of HIPAA compliance are not being enforced (i.e., telehealth) and how long the period of discretion will last.

Who Does HIPAA Not Apply To?

HIPAA does not apply to healthcare providers that do not meet the criteria to be HIPAA covered entities. Examples of healthcare providers to whom this exclusion might apply include therapists that only bill clients directly for their services and rural medical centers that still conduct covered transactions through the mail, rather than electronically.

However, if a healthcare provider that does not qualify as a covered entity provides a service for on behalf of a healthcare provider that does qualify as a covered entity – and the service involves a use or disclosure of PHI – the non-qualifying healthcare provider becomes a business associate of the qualifying healthcare provider and HIPAA applies to both for the duration of the service.

Similarly, most public school medical facilities that meet the criteria for being a covered entity are exempt from complying with HIPAA due to student medical records being classified as “educational records” under FERPA. This example of who does HIPAA not apply to is also subject to change if the public school medical facility provides healthcare services to the public.

The HIPAA Rules do not apply to financial institutions in their role as a payment processor even when a transaction infers personal medical information about an individual that would be considered PHI in any other circumstances. This exclusion also applies to any third party involved in “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution”.

When Health Data Privacy Rules Apply to Non-Covered Entities

It was mentioned in the introduction to this article that there are scenarios in which organizations can be subject to more stringent health data privacy rules than HIPAA even though they are not Covered Entities (or Business Associates, Partial Entities, or Hybrid Entities) under HIPAA. An example of such a scenario relates to the Texas Medical Records Privacy Act that was updated in 2011 by HB 300 to expand the definition of a Covered Entity.

Since 2011, any person or organization that “assembles, collects, analyzes, uses, evaluates, stores, or transmits [the] Protected Health Information [of a Texas resident]” is a Covered Entity under the Texas Medical Records Privacy Act. Consequently, researchers, accountants, IT service providers, government agencies, and individuals who maintain a website that collects, stores, or interacts with PHI is required to comply with health data privacy rules – even if they are located outside of Texas.

The Texas Medical Records Privacy Act preempts HIPAA as it provides greater privacy protections and better patient rights (one of the exceptions discussed earlier). Confusingly, a Business Associate under HIPAA that is located outside of Texas could be a Covered Entity under the Medical Records Privacy Act if the Business Associate processes PHI provided to it by a Covered Entity (also outside of Texas) that includes PHI relating to a Texas citizen. HIPAA is rarely straightforward!

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/