
Who needs to be HIPAA compliant?

HIPAA regulations ensure that patient privacy and security are protected. Any party involved in handling protected health information (PHI) is required to adhere to HIPAA regulations. The following entities must be HIPAA compliant.  


1. Covered entities

The HIPAA compliance framework primarily focuses on these three main categories of covered entities:

  • Healthcare providers: This includes hospitals, clinics, physicians, dentists, psychologists, chiropractors, and any other entities or individuals that deliver medical services directly to patients. 
  • Health plans: Health plans include health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, government programs, and other entities that collect, process, and store individuals' health information as part of their insurance or benefit programs. 
  • Healthcare clearinghouses: Healthcare clearinghouses include entities that convert non-standard electronic data formats into standardized formats or those that facilitate the transmission of claims or other administrative transactions. Clearinghouses, as intermediaries, handle vast amounts of sensitive health information. 


2. Business associates

Business associates are individuals or entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of covered entities. Examples of business associates include:

  • Medical billing companies: These companies handle the billing and claims processing for healthcare providers and health plans. They have access to patients' electronic PHI. They must comply with HIPAA regulations to protect the privacy and security of the information they handle.
  • IT service providers: Technology companies that manage the network infrastructure, data storage, or software systems for covered entities are considered business associates. They have access to electronic PHI as part of their services and must adhere to HIPAA's privacy and security provisions.
  • Transcription services: Companies or individuals that provide medical transcription services fall under the category of business associates. They convert voice recordings into written medical records, which involves accessing patient information.
  • Cloud storage providers: Entities that offer cloud storage solutions to covered entities, allowing them to store and manage patient data digitally, are categorized as business associates. 

Business associates must sign a business associate agreement (BAA) with the covered entity, which outlines their responsibilities and obligations to protect patient information.


3. Subcontractors and sub-business associates

Subcontractors and sub-business associates work with business associates and also have access to electronic PHI. This means they must comply with HIPAA regulations. 

  • Subcontractors of business associates: These entities are hired by business associates to perform specific tasks or services related to electronic PHI. For example, if an IT service provider hires a third-party developer to enhance their healthcare software, the developer becomes a subcontractor and must adhere to HIPAA regulations.
  • Sub-business associates: These entities are hired by subcontractors to perform services that involve accessing electronic PHI. For instance, if the developer hires a data analytics company to analyze patient data for insights, the analytics company becomes a sub-business associate and must comply with HIPAA regulations.


4. Small providers and compliance exceptions

Small healthcare providers, such as solo practitioners or those with limited resources, must still ensure the privacy and security of patient information to the best of their abilities within the framework of HIPAA. According to the HHS, as a general rule, HIPAA does not make special exceptions for smaller healthcare providers. Rather, subject to a few more technical exceptions, all regulated HIPAA health care providers must comply with similar baseline requirements under HIPAA – whether a large health system or a sole practitioner.


Healthcare professionals must be HIPAA compliant

Within the healthcare industry, HIPAA compliance ensures patient privacy and data security. Any party involved in the handling of PHI must be HIPAA compliant. This includes covered entities, business associates, subcontractors, and sub-business associates. These entities can create a secure environment for handling sensitive patient data by complying with HIPAA requirements.
