Who Does HIPAA Apply To?
A plain-language guide to HIPAA applicability — covered entities, business associates, subcontractors, and the real-world edge cases that trip organizations up.
- 725,000+ covered entities in the U.S.
- 2M+ business associates subject to HIPAA
- $2.19M maximum annual civil penalty per violation category (2026)
The Three Types of Covered Entities
HIPAA defines three categories of covered entities that must comply with the Privacy Rule, Security Rule, and Breach Notification Rule. The key trigger is whether you electronically transmit health information in connection with HIPAA-covered transactions.
Healthcare Providers
Doctors, dentists, hospitals, clinics, nursing homes, pharmacies, psychologists, and chiropractors who transmit health information electronically in connection with covered transactions.
Real-World Examples
- Family medicine practice billing insurance electronically
- Hospital submitting claims to Medicare
- Pharmacy filling prescriptions and transmitting to PBMs
Health Plans
Health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, military and veterans' health programs, and most dental/vision plans.
Real-World Examples
- Blue Cross Blue Shield processing member claims
- Self-insured employer plan with 50+ participants
- Medicare Advantage plan
Healthcare Clearinghouses
Entities that process nonstandard health information into standard formats (or vice versa). They act as intermediaries between providers and payers.
Real-World Examples
- Billing services converting claims to X12 format
- Repricing companies standardizing claim data
- Community health information systems
Not every healthcare worker is a covered entity.
A provider who never transmits health information electronically in connection with covered transactions is not a HIPAA covered entity. For instance, a therapist who only accepts cash and keeps paper records may not be a covered entity — though many still voluntarily comply as a best practice.
Business Associates: The Extended HIPAA Chain
A business associate is any person or organization that performs functions involving the use or disclosure of protected health information (PHI) on behalf of a covered entity. Since the 2013 HIPAA Omnibus Rule, business associates are directly liable under HIPAA — not just contractually bound.
Every business associate relationship requires a Business Associate Agreement (BAA) that specifies permitted uses of PHI, security obligations, and breach notification duties.
| Business associate type | Typical examples | BAA |
|---|---|---|
| IT companies | Managed service providers, EHR vendors, and IT support firms that can access PHI on servers or devices they manage | Required |
| Cloud storage providers | AWS, Google Cloud, Azure, or any cloud platform storing ePHI, even if they never view the data | Required |
| Medical billing services | Third-party billing and coding companies that handle patient claims data and insurance information | Required |
| Attorneys and consultants | Lawyers and compliance consultants who receive PHI to provide legal or advisory services | Required |
| Answering services | After-hours call services that take patient messages and relay appointment or health details | Required |
| Shredding and disposal companies | Document destruction services that handle physical or electronic media containing PHI | Required |
Subcontractors Are Business Associates Too
If a business associate hires a subcontractor that handles PHI, that subcontractor is also a business associate under HIPAA. The chain of liability extends downward: a cloud hosting provider used by a billing company that serves a hospital is subject to HIPAA — and needs its own BAA.
This "downstream" requirement was introduced by the 2013 Omnibus Rule and catches many vendors by surprise. Use our HIPAA risk assessment template to identify all vendors in your PHI chain.
Covered Entity vs. Business Associate
Both covered entities and business associates face HIPAA enforcement, but their obligations differ. Use this comparison to understand where your organization fits, then run through our HIPAA compliance checklist to verify your status.
| Aspect | Covered Entity | Business Associate |
|---|---|---|
| HIPAA coverage | Directly covered by all HIPAA rules | Directly liable since 2013 Omnibus Rule |
| Examples | Hospitals, insurers, clearinghouses | IT vendors, billing companies, cloud providers |
| Privacy Rule | Full compliance required | Limited provisions apply (use/disclosure of PHI) |
| Security Rule | Full compliance required | Full compliance required for ePHI |
| Breach notification | Must notify individuals, HHS, and media (if 500+) | Must notify the covered entity within 60 days |
| BAA requirement | Must have BAAs with all business associates | Must sign BAA with covered entity (and downstream subcontractors) |
| Penalties | Up to $2.19M per violation category per year (2026) | Same penalty tiers — directly enforceable by OCR |
| Risk assessment | Required — must be documented | Required — must be documented |
Real-World Scenarios: Does HIPAA Apply?
These are the most common questions we hear from businesses trying to figure out if HIPAA applies to them. Each answer considers the minimum necessary rule and current HHS guidance.
Does my cleaning company need to comply with HIPAA?
If your cleaning staff works in a healthcare facility and could access patient records (paper charts on desks, computer screens with PHI), you may be considered a business associate. Many hospitals require BAAs with janitorial vendors. However, if your contract explicitly prevents access to PHI and you never handle patient information, HIPAA may not apply.
Does my IT company need a BAA?
If you provide IT services (managed services, cloud hosting, network management, helpdesk support) to a covered entity and you can access systems containing PHI, you are a business associate. This applies even if you never intentionally view patient data — the ability to access it is enough.
Is a medical billing company a business associate?
Medical billing services routinely handle patient names, diagnoses, treatment codes, and insurance information — all PHI. They are definitively business associates and must sign a BAA with every covered entity they serve.
Does HIPAA apply to my SaaS product?
If healthcare organizations use your SaaS product to store, process, or transmit PHI, you are a business associate. This includes EHR platforms, telehealth tools, patient scheduling software, and even email services used for patient communication. If your product never touches PHI, HIPAA does not apply.
Does HIPAA apply to a fitness app?
Consumer fitness and wellness apps (Fitbit, Apple Health, MyFitnessPal) are generally not covered by HIPAA because they are not created or maintained by covered entities. However, if a healthcare provider prescribes the app and it exchanges data with the provider's EHR, the app developer may become a business associate.
Does HIPAA apply to employers?
Employers are not covered entities just because they have employee health data. However, employer-sponsored group health plans with 50+ participants are covered entities. And if HR staff access PHI from the group health plan, HIPAA rules apply to how they handle that data.
What Happens If You Get It Wrong
The HHS Office for Civil Rights (OCR) enforces HIPAA with a four-tier penalty structure. These penalties apply equally to covered entities and business associates. Amounts are adjusted annually for inflation — 2026 figures shown below.
| Tier | Culpability | Penalty per violation (2026) |
|---|---|---|
| 1 | Did not know and would not have known by exercising reasonable diligence | $145 – $73,011 |
| 2 | Reasonable cause but not willful neglect | $1,461 – $73,011 |
| 3 | Willful neglect, corrected within 30 days | $14,602 – $73,011 |
| 4 | Willful neglect, not corrected within 30 days | $73,011 – $2,190,294 |
Beyond financial penalties, organizations face mandatory corrective action plans, public breach reporting, and reputational damage. Criminal penalties — including imprisonment — can apply to individuals who knowingly obtain or disclose PHI in violation of HIPAA. Start with a risk assessment to identify gaps before OCR does.
Quick Reference: Who Must Comply with HIPAA
| Category | Who it includes |
|---|---|
| Covered entities | Healthcare providers (electronic transmitters), health plans, clearinghouses |
| Business associates | Any vendor handling PHI on behalf of a covered entity; requires a BAA |
| Subcontractors | Vendors of business associates, also directly liable since 2013 |