The Health Insurance Portability and Accountability Act (HIPAA) applies to individuals as well as to health insurance companies. Every individual to whom HIPAA applies has the right to access their individually identifiable health information, to review it, and to request corrections of any errors or omissions. However, because of the Act’s broad reach and its specific focus on protecting individually identifiable health information, determining the exact scope of the law can be challenging.

The complexity arises from the wording of the Act as well as the variety of organizations that are subject to its jurisdiction. Certain sorts of organizations may find themselves subject to the requirements of HIPAA, depending on the particular portion that is being examined. Because of this, a complex environment may arise, making it unclear to people and organizations whether they must abide by HIPAA regulations.

It is therefore vital to know exactly who is covered under HIPAA. Even after carefully reading the relevant parts of the Act, there may be uncertainty about which firms need to implement HIPAA compliance plans. This highlights the importance of a clear understanding of who HIPAA applies to, so that both individuals and businesses can navigate its rules with confidence and in accordance with the law. Understanding who HIPAA applies to is critical to compliance and to the proper management of personally identifiable health information.


Individuals, healthcare entities, and cloud-hosted organizations that meet the established criteria for covered entities are subject to HIPAA. Its rules cover a wide range of topics and ensure the protection of individually identifiable health information. Compliance with HIPAA requirements is mandatory for those who fall within the scope of covered entities. The following are the five categories of entity to which HIPAA applies:

1. Covered Entities: Various types of entities are classified within the Covered Entity category, detailed as follows:

  • Healthcare Providers: Clinics, pharmacies, nursing homes, psychologists, doctors, dentists, and other medical professionals are included in the list of covered entities. Any entity that gathers protected health information (PHI) must comply with HIPAA to ensure patient privacy and confidentiality.
  • Healthcare Plans: These are categorized as covered entities and include health maintenance organizations, group health plans, insurance firms, and government-funded health plans such as Medicare and Medicaid. To preserve the privacy and security of people’s health information, these businesses must abide by HIPAA standards.
  • Healthcare Clearinghouses: These organizations are categorized as covered entities as well, since they are in charge of standardizing and electronically transmitting protected health information (PHI). To protect the privacy and security of PHI during electronic data exchanges, these companies must adhere to HIPAA standards.

2. Business Associates: Businesses or people that work specifically for a covered entity and disclose or utilize Protected Health Information (PHI) on that entity’s behalf are considered business associates. Healthcare plan administrators, outside hospital consultants, and independent CPA firms that offer accounting services to covered entities are a few examples.

Establishing a Business Associate Agreement (BAA) is essential for covered entities to guarantee compliance with HIPAA and to secure PHI, even though business associates may not interact directly with patients. If business associates violate HIPAA, they are subject to the same penalties as covered entities.

3. Subcontractors: Under HIPAA, subcontractors have the same legal obligations as business associates and are essential to the management of health information on behalf of business associates. For example, when a business associate employed by a covered entity uses a cloud service to store and process Protected Health Information (PHI), or outsources work such as document destruction to an outside organization, the hired external entity is classified as a subcontractor. To maintain the security and privacy of the health information in their care, these subcontractors must strictly abide by the majority of HIPAA standards.

4. Hybrid Entities: Large enterprises in charge of self-insured healthcare plans are an example of a hybrid entity, which strikes a balance between HIPAA-covered and non-covered operations. Within these organizations, compliance with HIPAA laws is restricted to the designated covered segment, sometimes known as the healthcare component. Hybrid arrangements are found in a variety of industries, such as pharmacies attached to grocery shops and medical clinics located in universities. It is crucial for a hybrid entity to enforce the non-disclosure of Protected Health Information (PHI) from the healthcare component to non-covered segments of the enterprise in order to ensure PHI protection. This approach preserves compliance while protecting private health data within the complex framework of hybrid organizations.

5. Researchers: HIPAA standards allow researchers to access Protected Health Information (PHI) when patients grant permission for study usage. Researchers must have a data use agreement with the covered entity, as opposed to a business associate agreement, to guarantee HIPAA compliance for the restricted data set. This agreement creates a strong foundation, guaranteeing adherence to policies and encouraging confidence in the appropriate management of PHI. The focus on getting patient consent and putting data usage agreements in place shows a careful balance between promoting important research and ensuring the security and privacy of people’s health information.



HIPAA mainly targets covered entities, which include health plans, healthcare clearinghouses, and healthcare providers, as well as their business associates. HIPAA requirements generally do not apply to companies and people that do not handle Protected Health Information (PHI) on behalf of covered entities. Nevertheless, under other federal and state privacy rules, these non-covered companies may still be responsible for protecting sensitive data. The key requirement for HIPAA applicability is that the organization or person handles, uses, or discloses PHI on behalf of a covered entity.

Here are some examples of entities and individuals that are exempt from HIPAA requirements:

  1. Employers
  2. Life insurance companies
  3. Workers’ compensation carriers
  4. Automobile insurance companies
  5. Schools and districts
  6. Law enforcement agencies
  7. State agencies not involved in healthcare administration or services
  8. The patient’s family and friends
  9. Fitness and health clubs
  10. Marketing companies
  11. Researchers
  12. Attorneys
  13. Cosmetic service providers
  14. Alternative medicine practitioners
  15. Pharmacies selling over-the-counter products without


Entities and individuals exempt from HIPAA include those who do not handle, use, or disclose Protected Health Information (PHI) on behalf of covered entities. HIPAA’s primary goal is to protect individuals’ health information, and these exclusions acknowledge that not all businesses pose an equal risk to the security and privacy of PHI. The legislative framework recognizes the various roles and duties of different entities, tailoring its application to those directly involved in maintaining or processing sensitive health data, which ensures a balanced and effective approach to protecting PHI.


Under HIPAA, only covered entities and business associates are subject to enforcement of HIPAA penalties by the Department of Health and Human Services (HHS).

As stated, “covered entities” refers to a broad range of organizations, including clearinghouses, health plans, and healthcare providers that transmit PHI electronically. This category includes private businesses, nonprofit organizations, and even government organizations that provide healthcare services, in addition to more traditional healthcare institutions such as hospitals and clinics.

The reach doesn’t end there. Many multinational companies are classified as covered entities because of activities such as managing employee group health plans. These employers are required to follow the normal HIPAA compliance checklist even when they pursue hybrid entity designation in an effort to lessen HIPAA constraints.

In addition to employers, HIPAA also applies to individuals and cloud-hosted businesses that fall under the business associates category and use PHI to provide services to covered entities. They are required to renegotiate specific business contracts and modify processes to comply with HIPAA privacy compliance rules, even though they are not subject to HIPAA penalties.


The Breach Notification Rule specifies the particular HIPAA criteria that vendors providing personal health records (PHRs) must follow. This means that the privacy and security requirements of HIPAA are not applicable when a person uses a health app that gathers health data, such as via a fitness tracker, and the data is stored on the vendor’s servers.

As for “what does HIPAA not cover?”, it is essential to note that HIPAA compliance does not extend to banks or payment processors. HIPAA does not apply to any health information that is disclosed to a payment processor, such as when making payments to a clinic. Although covered entities are allowed to take payments from other sources, it is better for the security and privacy of health information if patients pay directly, rather than healthcare providers requesting payments or creating invoices through potentially unsafe platforms such as PayPal. This approach creates a stronger protective structure that extends beyond the narrow parameters of HIPAA.


What entities fall within the specific categories covered by HIPAA, and who does HIPAA apply to?

HIPAA covers healthcare providers, plans, clearinghouses, business associates, and more. It applies to individuals, entities, and organizations handling protected health information, ensuring its privacy and security.


HIPAA applies to individuals, healthcare entities, and cloud-hosted organizations meeting the criteria for covered entities. Understanding the scope of HIPAA is essential for compliance and the proper handling of personally identifiable health information.


Covered entities under HIPAA include healthcare providers (e.g., clinics, pharmacies), healthcare plans (e.g., insurance firms), healthcare clearinghouses, business associates, subcontractors, hybrid entities, and researchers. Each category has distinct responsibilities for protecting PHI.


Business associates that work for covered entities and handle PHI must establish Business Associate Agreements (BAAs) to ensure compliance with HIPAA. BAAs set out the responsibilities and obligations to protect PHI, even if business associates do not interact directly with patients.


HIPAA does not cover entities such as employers, insurers, schools, and others. Exemptions are based on the entity’s activities or nature. Understanding these exclusions is crucial for compliance with health information regulations.


