Paubox blog

Organizations you didn't know need to be HIPAA compliant

Written by Lusanda Molefe | January 8, 2026

When most people think of HIPAA compliance, hospitals and doctors' offices come to mind. The reality extends far beyond clinical settings. According to research published by the Association of Academic Health Centers, 72% of clinical research was negatively affected by HIPAA regulations, revealing how deeply the law reaches into organizations that don't immediately appear healthcare-related.

The Health Insurance Portability and Accountability Act defines three categories of "covered entities":

  • health plans
  • healthcare clearinghouses
  • healthcare providers who transmit health information electronically

However, HIPAA's reach extends further through "business associates": any person or entity that performs functions involving the use or disclosure of protected health information (PHI) on behalf of a covered entity. As official HHS guidance explains, "A covered entity may engage business associates to assist in de-identifying PHI, to prepare limited data sets, or to perform data aggregation."

This framework pulls organizations into HIPAA compliance that their leaders may never have anticipated. A university that seems focused on education, a cloud storage company that considers itself a technology firm, a billing service that views itself as a financial operation: all may find themselves bound by federal healthcare privacy law the moment they touch patient data.

The IBM Cost of a Data Breach Report 2025 found that healthcare breaches cost an average of $7.42 million per incident, making healthcare the most expensive sector for data security failures for the 14th consecutive year. Organizations that don't recognize their compliance obligations face regulatory penalties, litigation exposure, and reputational damage when breaches occur.


Universities and academic research institutions

Universities with medical schools, teaching hospitals, or health research programs often don't realize the full scope of their HIPAA obligations. As HHS guidance explains, "A university may be a single legal entity that includes an academic medical center's hospital that conducts electronic transactions for which HHS has adopted standards. Because the hospital is part of the legal entity, the whole university, including the hospital, will be a covered entity."

This means the entire institution, not just the medical components, falls under HIPAA's jurisdiction unless it takes specific steps to designate itself as a "hybrid entity" and clearly define which components must comply.

The Association of Academic Health Centers conducted focus groups with researchers nationwide and found widespread confusion about these requirements. One focus group reported that "fear of regulatory punishment is driving IRB/Privacy Board, Privacy Officer and Organizational decision-making in clinical research." Another noted that community hospitals and physicians were "often reluctant to become engaged in research, largely due to HIPAA requirements."

Research institutions face particular challenges because HIPAA wasn't designed with research in mind. As HHS guidance acknowledges, "Researchers are not themselves part of the covered entity, and HIPAA was not designed to affect health research. However, researchers are affected by the rule if they receive their data from health care providers, which are covered by the rule."

The practical implications are substantial. Research involving electronic health records, clinical trials that submit data to the FDA, retrospective studies reviewing past medical records, and even prospective studies where researchers contact a participant's physician all involve PHI and trigger HIPAA requirements. According to guidance from the University of California’s Human Research Protection Program, "Most sponsored clinical trials that submit data to the FDA will involve PHI because study monitors have an obligation to compare research records to the medical records of participants."


Clinical research organizations and facilities

The Association of Clinical Research Professionals confirms that "clinical research facilities are among those covered by HIPAA's PHI rules."

These facilities must navigate overlapping regulatory frameworks. HIPAA's Privacy Rule governs PHI, while the HHS Protection of Human Subjects Regulations (the "Common Rule") and FDA regulations protect research participants. As a presentation from the University of Michigan and Aetna legal counsel explains, these frameworks have different focuses: "HIPAA: Privacy rights. Common Rule: Protection of subjects."

The requirements differ in important ways. HIPAA requires "Authorization" for research uses of PHI, while the Common Rule requires "Informed Consent." HIPAA waivers focus on minimal risk to privacy with specific criteria including adequate plans to protect identifiers and destroy them at the earliest opportunity. Common Rule waivers focus on minimal risk to subjects and whether the waiver will adversely affect their rights and welfare.

Clinical research organizations must comply with both when their work involves human subjects and PHI. According to HHS guidance, "The Privacy Rule does not replace or act in lieu of these human subject protection regulations, so some researchers who are also (or who work for) covered entities may find themselves responsible for complying with multiple sets of regulations."


Cloud service providers

The migration of healthcare data to cloud computing has brought technology companies firmly into HIPAA's scope. As peer-reviewed research in the International Journal of Science, Architecture, Technology, and Environment explains, "The moment a healthcare institution contracts a third-party cloud service provider for the storage or processing of ePHI data, that provider is understood to serve as a business associate in compliance with HIPAA."

Major cloud providers including Amazon Web Services, Microsoft Azure, and Google Cloud Platform now offer "HIPAA-eligible" services and standard Business Associate Agreements specifically because healthcare clients require compliance. But the relationship creates obligations that many technology companies don't fully appreciate.

The research identifies a "shared responsibility model" that divides security obligations between the cloud provider and the healthcare customer. "While CSP may be responsible for the physical security of its data centers and underlying infrastructure, the customer is responsible for securing virtual machines, applications, identity management, and encryption configurations."

This division of responsibility creates compliance gaps. The 2022 IBM Cost of a Data Breach Report found that "a significant number of cloud data breaches occur not because of the cloud service provider, but mostly due to misconfiguration or negligence on the customer's side." Healthcare organizations may assume their cloud vendor handles compliance, while the vendor assumes the customer has configured services properly.

The peer-reviewed research documents successful implementations across organization sizes. Mayo Clinic partnered with Google Cloud using HIPAA-eligible services, encryption in transit and at rest, and NIST SP 800-53 controls. Boston Children's Hospital built hybrid cloud infrastructure on AWS with least-privilege access controls and automated security logging through AWS CloudTrail and GuardDuty. Even a small rural clinic in West Texas achieved compliance using Microsoft Azure's pre-built HIPAA blueprints and compliance management tools.

The authors found that "Small-sized health providers can achieve compliance with HIPAA and NIST without requiring the massive internal IT resources usually associated with pre-configured compliance blueprints and cloud security templates."


Medical billing and transcription services

Organizations that process healthcare payments or convert clinical documentation into written records handle PHI as a core function, making them business associates under HIPAA regardless of whether they consider themselves "healthcare" companies.

Medical billing companies process claims containing patient names, diagnoses, treatment codes, and insurance information. Transcription services convert physician dictations into medical records, accessing detailed clinical information about conditions, treatments, and prognoses. Both handle the exact categories of information HIPAA was designed to protect.

HHS guidance defines business associates as persons or entities "performing or assisting in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews." The definition explicitly includes "legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services" when those services involve disclosure of individually identifiable health information.

Before these companies can receive PHI from covered entities, HIPAA requires a written Business Associate Agreement specifying how the information will be protected. The agreement must include provisions addressing permitted uses and disclosures, safeguarding requirements, breach notification obligations, and data return or destruction at contract termination.


Data analytics and population health firms

Healthcare organizations rely on external analytics companies to identify trends, optimize operations, and improve patient outcomes. These firms work with datasets containing PHI, placing them within HIPAA's business associate framework.

Population health management involves analyzing data across patient populations to identify high-risk individuals, predict disease progression, and measure intervention effectiveness. The data powering these analyses includes diagnoses, medications, lab results, and utilization patterns, all protected under HIPAA when connected to individual identifiers.

HHS guidance describes limited data sets as health information that "excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or a waiver." However, even limited data sets require data use agreements establishing permitted uses and prohibiting re-identification of individuals.


Legal and accounting firms serving healthcare clients

Attorneys representing healthcare organizations and accountants auditing their finances may not think of themselves as subject to healthcare regulations. But when their work involves access to PHI, HIPAA applies.

HHS guidance explicitly includes "legal, actuarial, accounting, consulting" services in the business associate definition when those services involve individually identifiable health information. A law firm reviewing medical records for a malpractice defense, an accounting firm auditing a hospital's patient accounts, or a consulting firm analyzing a health system's operations may all handle PHI in ways that trigger compliance obligations.

The AAHC research found that healthcare organizations faced challenges "engaging different parties (such as university departments and the hospitals) in joint ventures due to HIPAA-related complications." The same complexity affects external professional services firms that must implement safeguards they may not have anticipated when accepting healthcare clients.


Document destruction companies

Organizations that shred paper records or destroy electronic media for healthcare clients become business associates through the disposal process itself. Secure destruction requires temporary custody of the information being destroyed, and that custody involves PHI.

HHS guidance on business associates covers entities performing functions that involve "the use or disclosure of individually identifiable health information." Document destruction companies must handle, transport, and process materials containing PHI before completing destruction, creating a window where HIPAA protections apply.

Healthcare organizations must ensure their destruction vendors sign Business Associate Agreements and maintain appropriate safeguards during the destruction process. The vendor's failure to properly destroy information or a breach during transportation creates liability for both the covered entity and the business associate.


Answering services and call centers

Medical answering services that take patient messages after hours or schedule appointments access PHI as a routine function. When a patient calls to describe symptoms, request prescription refills, or confirm appointment details, the call center employee handles PHI that must be protected under HIPAA.

These services often operate outside traditional healthcare settings with staff who may not have healthcare backgrounds or extensive privacy training. Yet they function as business associates with full HIPAA compliance obligations including workforce training, access controls, and incident response procedures.

The challenge intensifies for services handling calls for multiple healthcare clients. Each client relationship requires appropriate agreements and controls, and the answering service must prevent information from one client's patients from being accessible to staff handling another client's calls.


FAQs

What is a hybrid entity?

A hybrid entity is a single legal organization that performs both covered and non-covered functions. For example, a university with a teaching hospital conducts healthcare operations (covered) and general education (not covered). By designating itself as a hybrid entity and clearly defining its healthcare components, the organization can limit HIPAA requirements to the portions that actually handle PHI rather than applying compliance obligations organization-wide.


What is a limited data set?

A limited data set is health information that has had 16 categories of direct identifiers removed, including names, addresses, Social Security numbers, and medical record numbers, but that may still contain dates, city, state, ZIP code, and ages. Limited data sets can be used for research, public health, or healthcare operations without individual authorization, but they require a data use agreement that establishes permitted uses and prohibits any attempt to re-identify individuals.


What is the difference between HIPAA Authorization and Informed Consent?

Authorization and informed consent serve different purposes under different regulatory frameworks. HIPAA Authorization focuses specifically on privacy rights: it grants written permission for a covered entity to use or disclose an individual's PHI for stated purposes, such as research. Informed consent, required under the Common Rule and FDA regulations, focuses on protecting research subjects by explaining the study's nature, risks, benefits, and confidentiality protections. Research involving human subjects and PHI typically requires both.