The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to all entities in the healthcare industry. It outlines the rules and regulations governing the use and disclosure of protected health information (PHI) by organizations in the industry. The Department of Health and Human Services (HHS) regulates HIPAA compliance, while the Office for Civil Rights (OCR) enforces it. While healthcare providers who work directly with patients are aware of the regulation, it is crucial to understand the entire landscape of the healthcare service delivery ecosystem to which the Act applies. The insights below answer another commonly asked question: ‘Who needs to be HIPAA compliant?’

There are three types of organizations that need to be HIPAA compliant:

  1. Covered Entities
  2. Business Associates (third-party service providers who work with covered entities)
  3. Subcontractors (Business Associates of Business Associates)

Who is covered under HIPAA?

| | Definition | Examples | Business Associate Agreement | Penalties, Fines & Jail Time |
|---|---|---|---|---|
| Covered Entities | A Covered Entity is one of three types of organizations that work directly with patients and administer healthcare: a Healthcare Provider, a Health Plan, or a Healthcare Clearing House. | Healthcare Providers: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies… if they transmit any information electronically. Health Plans: health insurance companies, HMOs, company health plans, government programs that pay for healthcare such as Medicaid and Medicare, and healthcare programs for veterans / military. Healthcare Clearing Houses: entities that process nonstandard health information received from another entity into a standard format (e.g. a standard electronic format / data content), or vice versa. | Required between a Covered Entity and a Business Associate / Subcontractor | Applicable & Direct |
| Business Associates | A “business associate” is a person or entity that performs specific functions or renders services to a covered entity which involve the use or disclosure of protected health information. A covered entity can be a business associate of another covered entity. | Services rendered by business associates: legal; actuarial; accounting; web hosting; managed IT and security services; financial; consulting; management; accreditation; data aggregation; data transmission; administrative; accreditation agencies; medical equipment service companies. Examples of business associate functions and activities: data analysis, processing or administration; claims processing or administration; utilization review; quality assurance; billing; benefit management; practice management; repricing. | Required between a Covered Entity and a Business Associate / Subcontractor | Applicable & Direct |
| Subcontractors | Business Associates hire subcontractors to process, create, or store PHI. Subcontractors usually do not have a business associate agreement or a direct relationship with covered entities; however, because they handle patient data, they need to be HIPAA compliant. | A hosted service provider like Amazon Web Services is a classic example of a subcontractor. With the growth of cloud-based services, covered entities and business associates depend increasingly on subcontractors. | Required between a Business Associate and Contractor | Applicable & Direct |
All HIPAA rules are applicable to the healthcare service delivery ecosystem, which consists of organizations that fall into one of these three categories. Even if they are not directly engaged in delivering healthcare services, their employees and vendors need to undergo HIPAA Compliance Training every year to ensure they are aware of the organization’s security protocols and understand their accountability under HIPAA. They are required to have HIPAA-compliant policies and procedures and a Business Associate Agreement (BAA) with the entity that hires them or the entities they hire. They also need to prove that they are complying with HIPAA rules by undergoing an annual attestation.

Organizations under all three categories are required to register with the Department of Health and Human Services (HHS). The Office for Civil Rights (OCR) is authorized to enforce all HIPAA rules, including compliance with the new best practices it shares on a regular basis.

If you are wondering whether your organization is covered under HIPAA or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.


Last Updated on September 13, 2022 by Aditi Salhotra, in HIPAA/HITECH Compliance Assurance