Many organizations are surprised to learn HIPAA applies to them, while others assume it applies when it does not. Getting this right matters, because your obligations and legal exposure depend entirely on whether you fall within HIPAA’s scope, and in what role. Your answer shapes the whole of your HIPAA compliance program.
HIPAA applies to two kinds of organizations
At its core, HIPAA applies to two categories: covered entities and business associates. If your organization fits into either category, HIPAA applies to you and you are responsible for protecting the protected health information (PHI) you handle. If you fit into neither, HIPAA generally does not apply — though other privacy laws still might.
Determining your category is the first and most important step in scoping HIPAA compliance, because it dictates which rules and obligations you must meet.
Covered entities
Covered entities are the organizations at the heart of the healthcare system. There are three types. The first is healthcare providers — doctors, clinics, hospitals, pharmacies, dentists, and similar — but only if they transmit health information electronically in connection with certain standard transactions, such as billing a claim. The second is health plans, including health insurers, HMOs, company health plans, and government programs like Medicare and Medicaid. The third is healthcare clearinghouses, which process health information between standard and non-standard formats.
If you are a covered entity, you are directly responsible for the full Privacy and Security Rules and must have agreements in place with any vendor that handles PHI on your behalf.
Business associates
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity to perform a function or service. This is an enormous and often overlooked category. It includes SaaS platforms that store patient data, cloud hosting providers, billing and coding companies, analytics firms, transcription services, IT and security providers, and many consultants.
Since the 2013 Omnibus Rule, business associates are directly liable under HIPAA — not merely contractually responsible to the covered entity. If your product or service touches PHI, you are almost certainly a business associate, regardless of whether you ever interact with patients directly.
Subcontractors are business associates too
HIPAA’s scope extends down the supply chain. When a business associate engages a subcontractor that will handle PHI, that subcontractor also becomes a business associate with its own direct obligations. This means a cloud provider used by a billing company, which serves a hospital, is within HIPAA’s scope. Each link in the chain must have a Business Associate Agreement with the next.
What it means to ‘transmit electronically’
For healthcare providers, a subtle point determines coverage: HIPAA applies if you transmit health information electronically in connection with a covered transaction, such as submitting claims, checking eligibility, or processing payments. In practice, almost every provider that bills insurance electronically is a covered entity. A cash-only provider that never conducts these electronic transactions may, in narrow cases, fall outside HIPAA — though this is rare and worth confirming carefully.
Who is NOT covered by HIPAA
HIPAA does not regulate every organization that touches health information. Many entities people assume are covered are not. Life insurers, most employers (in their role as employers), workers’ compensation carriers, many schools, and most consumer health apps that operate outside the covered-entity relationship are generally not subject to HIPAA. A fitness tracker or a direct-to-consumer wellness app, for instance, typically falls outside HIPAA, even though it handles health-related data — though other laws like the FTC Act or state privacy laws may apply.
How to determine your status
To establish where you stand, ask three questions. First, are you a healthcare provider, health plan, or clearinghouse conducting standard electronic transactions? If yes, you are a covered entity. Second, do you create, receive, maintain, or transmit PHI on behalf of a covered entity or another business associate? If yes, you are a business associate. Third, if neither applies, you likely fall outside HIPAA — but you should still consider other applicable privacy laws.
When in doubt, err toward caution. The cost of wrongly assuming HIPAA does not apply — a missing risk analysis, no Business Associate Agreements, no safeguards — is far higher than the cost of confirming your status and building a compliant program.
Why scope matters so much
Your scope determines everything downstream: which rules apply, what documentation you need, what agreements you must sign, and what your liability looks like if something goes wrong. A clear, defensible determination of whether you are a covered entity, a business associate, or outside HIPAA entirely is the foundation on which the rest of your compliance program is built.
Hybrid and affiliated entities
HIPAA recognizes that some organizations perform both covered and non-covered functions. A “hybrid entity” is one whose business includes both HIPAA-covered activities and others; such organizations can designate which components are covered and apply HIPAA protections to those parts specifically. Affiliated covered entities, meanwhile, allow legally separate but related organizations under common control to designate themselves as a single covered entity for compliance purposes.
These designations let complex organizations apply HIPAA precisely where it is required, without unnecessarily extending its full weight across unrelated business lines.
State laws and other regulations
HIPAA sets a federal floor, not a ceiling. Many states have privacy laws that are stricter than HIPAA, and where they conflict, the more protective standard generally applies. Other regulations — such as the FTC Act, the FTC Health Breach Notification Rule, and state consumer-privacy laws — may also apply to health data, including data held by organizations outside HIPAA’s direct scope.
This is why concluding “HIPAA does not apply to us” is rarely the end of the analysis. Organizations should consider the full landscape of applicable privacy laws, not HIPAA alone.
Consumer health apps and the gray area
One of the most contested areas of HIPAA’s scope is consumer health technology. A fitness app, a symptom checker, or a wellness platform that a consumer uses directly — outside any relationship with a covered entity — typically falls outside HIPAA. But the moment that same technology is offered through a healthcare provider or health plan, or handles PHI on their behalf, it can become a business associate subject to HIPAA.
For health-tech founders, the lesson is that scope depends on relationships and data flows, not on the product alone. The same app can be inside or outside HIPAA depending on how it is deployed.
Documenting your scope decision
Whatever you conclude about your status, document the analysis. Record whether you are a covered entity, a business associate, or outside HIPAA, and the reasoning behind it. If you are outside HIPAA, note which other privacy laws you considered. This documentation is valuable evidence of good-faith diligence and a reference point as your business and data flows change over time.
Confirm your status, then build accordingly
Determining whether HIPAA applies to you — and in what role — is the single most important step you can take before investing in compliance. A covered entity, a business associate, and an organization outside HIPAA’s scope each face very different obligations, and acting on the wrong assumption is costly either way.
Work through the analysis carefully: examine your relationships, your data flows, and the laws beyond HIPAA that may apply. Document your conclusion and revisit it whenever your business changes. With a clear, defensible understanding of your status in hand, every subsequent decision about safeguards, agreements, and documentation becomes dramatically easier to make.