HIPAA applies directly to Covered Entities, to their Business Associates, and to the subcontractors of those Business Associates that create, receive, maintain, or transmit protected health information (PHI) for a regulated function. Individuals and organizations outside those roles are generally not directly subject to the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule, even when they handle health-related information.
HIPAA Covered Entities fall into three categories. A health plan is an individual or group plan that provides, or pays the cost of, medical care, which includes most private insurers and public programs such as Medicare and Medicaid. A health care clearinghouse is an entity that processes health information received from another entity, converting nonstandard data or formats into standard transactions, or standard transactions back into nonstandard formats. A health care provider is covered only when it transmits health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard, such as electronic claims, eligibility checks, and payment transactions. A provider that conducts none of these standard transactions electronically is not a Covered Entity, however much health information it holds.
Business Associates are also covered by HIPAA when they perform functions or activities on behalf of a Covered Entity, or provide certain services to it, that involve the creation, receipt, maintenance, or transmission of PHI. Common functions include claims processing, billing, utilization review, data analysis, quality assurance, and practice management. Common services include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services, when the service involves PHI. A Business Associate may be a vendor, contractor, consultant, or other external party. A Covered Entity can itself be a Business Associate: a health care provider, health plan, or clearinghouse that performs a Business Associate function for another Covered Entity takes on Business Associate obligations for that work.
Business Associate obligations extend to subcontractors. When a Business Associate uses another person or entity to create, receive, maintain, or transmit PHI on its behalf, that subcontractor becomes a Business Associate under HIPAA, and the chain continues to any further subcontractor downstream. Covered Entities and Business Associates document these relationships in written business associate agreements that define permitted uses and disclosures, require safeguards, and pass the same obligations to subcontractors. Two points matter in practice. First, Business Associate status arises from the function actually performed, not from the contract: a missing or deficient agreement does not remove the status, and is itself a compliance failure for both parties. Second, since the HITECH Act and the 2013 Omnibus Rule, Business Associates carry direct regulatory liability for compliance with the Security Rule, the Breach Notification Rule, and the applicable Privacy Rule provisions, and for impermissible uses and disclosures, independent of any contractual claim the Covered Entity may have.
Members of a Covered Entity's workforce do not become separate Covered Entities or Business Associates, but their actions can create HIPAA liability for the organization. Workforce members include employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of that organization, whether or not they are paid. Organizations address workforce handling of PHI through policies, role-based access that limits each person to the minimum necessary PHI, training, supervision, and documented sanctions for violations.
HIPAA does not apply to every organization that handles health-related information. Most employers (for their employment records), schools (for education records governed by FERPA), life insurers, and most direct-to-consumer health apps are not Covered Entities, because they do not operate as a health plan, health care clearinghouse, or health care provider conducting standard electronic transactions. A vendor does not become a Business Associate merely by offering a product or service to the health care sector; it becomes one when it actually performs a function or service for a Covered Entity or another Business Associate that involves PHI. The test is whether the vendor handles PHI, not whether it can read it: under HHS guidance, a cloud or hosting provider that stores PHI on behalf of a Covered Entity is a Business Associate even if the data is encrypted and the provider never holds the decryption key. The only carve-out, the conduit exception, is narrow and covers services that merely transmit PHI or store it transiently in the course of transmission, such as an internet service provider or the postal service.
HIPAA coverage can also depend on how an organization is structured. A large organization with both HIPAA-regulated and non-regulated activities, such as a university that runs a hospital, may designate itself a hybrid entity, in which case the HIPAA obligations attach to its designated health care components and to the PHI they handle for regulated functions. Disclosures of PHI from a covered component to a non-covered component of the same organization are treated like disclosures to a separate entity and must satisfy the Privacy Rule's use and disclosure limits. The organization must therefore apply Privacy Rule and Security Rule controls, including access rules and disclosure limits, consistently with its component designations, and the designations must be documented.
Determining who is covered by HIPAA therefore involves two questions: whether the organization is a health plan, a health care clearinghouse, or a health care provider that conducts standard electronic transactions, and whether any third party creates, receives, maintains, or transmits PHI on behalf of a Covered Entity or another Business Associate. Compliance scope then follows the PHI flows, the functions performed, and the contractual and operational controls the HIPAA Rules require for each party in the chain.
