Overview —

Who Must Comply with HIPAA?

HIPAA applies to covered entities and business associates handling PHI, requiring safeguards and formal BAAs.

Share this article

Contents

No headings found on page

Who Must Comply with HIPAA?

"Healthcare providers, health plans, and clearinghouses" is the right list, but it skips the actual legal trigger that determines whether a given provider is covered at all — and that trigger produces genuinely counterintuitive results. A cash-only practice that never submits an electronic claim, eligibility check, or other standard transaction defined under 45 CFR Part 162 is not a covered entity, regardless of how much sensitive health information it handles. A provider that submits even one electronic claim through a billing service is covered, even if every other interaction with patients happens on paper. The trigger is the electronic transaction, not the sensitivity of the information itself.

The Three Categories of Covered Entity, Precisely

Health plans are covered by default — insurers, HMOs, Medicare, Medicaid, employer-sponsored group health plans, and government health benefit programs. There's no electronic-transaction threshold here; if an organization pays for or finances medical care, it's covered.

Healthcare clearinghouses are also covered by default, and this is the category most often overlooked because clearinghouses never interact with patients directly. A clearinghouse translates nonstandard health information into standard formats (or the reverse) on behalf of providers or plans — claims processing intermediaries, EDI gateways, repricing organizations performing standardization functions. They're covered entities in their own right, separate from whatever business associate relationship they might also have with the organizations they serve.

Healthcare providers are covered conditionally — specifically, when they transmit health information electronically in connection with a standard transaction (claims, eligibility inquiries, referral authorizations, claim status requests, payment and remittance advice). Using a billing service or vendor to conduct these transactions on the provider's behalf still counts as the provider's own transmission for HIPAA purposes — outsourcing the mechanics doesn't remove the coverage trigger. In practice, this means almost every modern provider qualifies, since cash-only, paper-only practice has become rare — but it's not automatic, and a provider that genuinely never conducts a standard electronic transaction falls outside HIPAA's coverage entirely.

What This Means for Edge Cases

A few patterns are worth naming because they're genuinely common sources of confusion:

  • Employers are not covered entities, even though their group health plans are. HR-held employee health records (sick leave, workers' comp claims) aren't PHI in the employer's hands, even at an organization that also operates a covered health plan.

  • Schools and educational institutions are generally governed by FERPA, not HIPAA, for student health records — even when a school operates a health clinic, this can require careful scoping of which records fall under which framework.

  • A vendor that processes PHI on a covered entity's behalf is a business associate, not a covered entity — unless that vendor independently qualifies as one of the three categories itself (a billing service that also performs clearinghouse-style standardization functions, for instance).

Hybrid Entities: When Only Part of an Organization Is Covered

A single legal entity that performs both HIPAA-covered and non-covered functions can designate itself a hybrid entity — applying HIPAA's requirements only to the specific components that handle PHI, rather than to the entire organization by default. This is common for:

  • Health departments that run both HIPAA-covered clinical services (a newborn screening program, for instance) and non-covered public health reporting functions

  • Universities operating a student health center (HIPAA-covered) alongside general academic operations (not covered)

  • Municipalities that run a hospital alongside unrelated city services

To use this designation, the organization has to formally document which components are covered and apply HIPAA's rules consistently to those components — it's not an informal assumption, it's a documented election under 45 CFR §164.105. Done correctly, this meaningfully narrows compliance scope without leaving any genuinely PHI-handling function unprotected; done incorrectly (assuming hybrid status without the formal designation, or failing to apply HIPAA consistently within the designated components), it creates exactly the kind of scope confusion that surfaces badly during an OCR investigation.

Common Misclassification Errors

A few mistakes recur often enough to call out directly: assuming coverage depends on accepting insurance rather than on conducting electronic transactions; treating a vendor as a covered entity when it's actually a business associate (or the reverse); assuming an entire organization is covered when only a hybrid-designated component actually is; and overlooking that a clearinghouse is covered in its own right even though it never treats a patient directly.

Why Getting This Right Matters Before Anything Else

Every other page in this cluster — risk assessment, policies, BAAs, breach notification — assumes you already know whether your organization is in scope and, if so, which parts. Getting this wrong in either direction has real consequences: treating a non-covered function as covered wastes compliance effort on activities the law doesn't actually reach, while missing genuine coverage means building a compliance program with a gap nobody's accounted for.

For what business associates specifically need in place once a covered entity relationship exists, see Understanding HIPAA Business Associate Agreements

In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.

HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.

Read more about HIPAA compliance with DSALTA.

Stop losing deals to compliance.

Get compliant. Keep building.

Join 100s of startups who got audit-ready in days, not months.