Who needs to be HIPAA compliant?

Written by Tshedimoso Makhene | April 10, 2024

HIPAA regulations ensure that patient privacy and security are protected. Any party involved in handling protected health information (PHI) is required to adhere to HIPAA regulations. The following entities must be HIPAA compliant.

1. Covered entities

The HIPAA compliance framework primarily focuses on these three main categories of covered entities:

Healthcare providers: This includes hospitals, clinics, physicians, dentists, psychologists, chiropractors, and any other entities or individuals that deliver medical services directly to patients.
Health plans: Health plans include health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, government programs, and other entities that collect, process, and store individuals' health information as part of their insurance or benefit programs.
Healthcare clearinghouses: Healthcare clearinghouses include entities that convert non-standard electronic data formats into standardized formats or those that facilitate the transmission of claims or other administrative transactions. Clearinghouses, as intermediaries, handle vast amounts of sensitive health information.

Covered entities make up 84% of data breaches from 9 June 2025 to 8 August 2025, as reported by the US Department of Health and Human Services (HHS). These numbers demonstrate the susceptibility of covered entities to data breaches and therefore their need to comply with HIPAA to prevent these breaches.

2. Business associates

Business associates are individuals or entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of covered entities. Examples of business associates include:

Medical billing companies: These companies handle the billing and claims processing for healthcare providers and health plans. They have access to patients' electronic PHI. They must comply with HIPAA regulations to protect the privacy and security of the information they handle.
IT service providers: Technology companies that manage the network infrastructure, data storage, or software systems for covered entities are considered business associates. They have access to electronic PHI as part of their services and must adhere to HIPAA's privacy and security provisions.
Transcription services: Companies or individuals that provide medical transcription services fall under the category of business associates. They convert voice recordings into written medical records, which involves accessing patient information.
Cloud storage providers: Entities that offer cloud storage solutions to covered entities, allowing them to store and manage patient data digitally, are categorized as business associates.

Business associates account for 16% of data breaches from the period 9 June 2025 to 8 August 2025. This indicates that business associates too need to comply with HIPAA to reduce the risk of a data breach.

3. Subcontractors and sub-business associates

According to the HHS, “A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.” Subcontractors and sub-business associates work with business associates and also have access to electronic PHI. This means they must comply with HIPAA regulations.

For example, an IT firm, the business associate, hires a developer, the subcontractor, who engages a data analytics firm, the sub-business associate. Each of these parties must adhere to HIPAA through appropriate contractual agreements.

4. Small providers and compliance exceptions

Small healthcare providers, such as solo practitioners or those with limited resources, must still ensure the privacy and security of patient information to the best of their abilities within the framework of HIPAA. According to the HHS, “Covered entities of all types and sizes are required to comply with the Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the Rule provides a more efficient and appropriate means of safeguarding protected health information than would any single standard.” This scalability and flexibility allows:

“The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
The training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
The policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.”

Best practices for maintaining HIPAA compliance

Whether you’re a covered entity, a business associate, or a subcontractor, being HIPAA compliant is a must. Here are some best practices to consider:

Conduct regular risk assessments

Under the HIPAA Security Rule’s Administrative safeguards (§164.308(a)(1)(ii)(A)), a risk analysis is a required implementation specification. Under this specification, HIPAA requires HIPAA-regulated entities to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” This will allow regulated entities to:

Identify where PHI is stored, received, maintained, or transmitted.
Evaluate potential threats (e.g., ransomware, insider breaches, data theft).
Document findings and mitigation plans.

Implement access controls

Furthermore, HIPAA’s administrative safeguards require regulated entities to “Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.” Entities must use:

Unique user IDs and strong passwords
Role-based access controls (RBAC)
Automatic logoff
Two-factor or multi-factor authentication (MFA)

Encrypt PHI at rest and in transit

On December 30, 2024, the U.S. Department of Health and Human Services (HHS) introduced the first major updates to the HIPAA Security Rule in over a decade, aiming to strengthen cybersecurity across the healthcare industry. The draft Notice of Proposed Rulemaking (NPRM) was set to be published in the Federal Register on January 6, 2025. Under this update, HIPAA covered entities are required to encrypt ePHI at rest and in transit to protect data from unauthorized access.

Go deeper: HHS proposes updated HIPAA security rule

Train staff

HIPAA’s Security Rule requires covered entities to “train all members of its workforce on the policies and procedures with respect to protected health information.” Staff members must trained on HIPAA’s Privacy, Security, and breach notification rules. The training must cover how to properly handle PHI, recognize potential security threats like phishing attempts, follow organizational policies and procedures, and respond appropriately to data breaches or unauthorized disclosures.

Create and enforce policies and procedures

HIPAA requires:

“Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

This documentation must:

Be retained for at least six years from its creation or last effective date, whichever is later.
Be made available to individuals responsible for implementing the procedures.
Be periodically reviewed and updated to reflect environmental or operational changes.

Prepare for data breaches

Despite best efforts, breaches happen, and organizations must be prepared:

Establish a Breach Response Plan.
Designate a HIPAA Privacy and Security Officer.
Maintain a log of all breach incidents (even minor ones).
Know when and how to notify affected individuals and the HHS OCR.

Audit and monitor systems

Continuous monitoring helps detect and respond to suspicious activity.

Use audit logs to track who accessed what data and when.
Review logs regularly to identify patterns or anomalies.
Implement intrusion detection systems (IDS) where appropriate.

Stay informed and updated

HIPAA isn’t static. Regulations, technologies, and threats evolve. To stay up-to-date, organizations can:

Subscribe to the HHS OCR newsletter and HIPAA Journal updates.
Attend HIPAA webinars and industry compliance conferences.
Periodically review your compliance posture with legal counsel or consultants.

FAQS

What qualifies as protected health information (PHI)?

PHI includes any individually identifiable health information related to a person’s health status, provision of healthcare, or payment for healthcare that is created, stored, or transmitted by a covered entity or business associate. This includes names, addresses, Social Security numbers, medical records, and more.

Read also: What are the 18 PHI identifiers?

What are the penalties for HIPAA violations?

Penalties range from $141 to $71,146 per violation, with a maximum annual penalty over $2 million per provision violated. Serious violations may also result in criminal charges, including fines and imprisonment.

View full post