Live Webinar | 26 June 2025 9AM PT
From Black Box to Boardroom: Operationalizing Trust in AI Governance
November 29, 2024

Which entities are covered under HIPAA?

Grace Arundhati
Technical Content Writer at
Scrut Automation

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation enacted in 1996 to safeguard the privacy and security of individuals' health information.

As the healthcare arena has evolved, so has the need for regulations protecting patient data in an increasingly digital world. Understanding HIPAA is crucial for healthcare providers, insurers, and other entities managing health information.

One of the most important aspects of HIPAA is the classification of covered entities—organizations that are required to comply with its provisions. Grasping who qualifies as a covered entity is vital for ensuring compliance and maintaining patient trust in the healthcare system.

What is HIPAA?

HIPAA is designed to improve the efficiency of the healthcare system while protecting patient information from unauthorized access and disclosure. Its primary purpose is to ensure that individuals' medical records and other personal health information are kept private and secure.

Key provisions of HIPAA focus on:

Key provisions of HIPAA

These provisions not only empower patients by granting them control over their health data but also impose strict guidelines on how healthcare entities handle sensitive information.

Also read: Guardians of healthcare data: Mastering HIPAA audit trail requirements

HIPAA's role in protecting patient privacy

HIPAA plays a crucial role in protecting patient information by establishing strict regulations around the use and disclosure of protected health information (PHI).

The Act mandates that covered entities implement appropriate safeguards, both administrative and technical, to ensure that sensitive health data is secure from unauthorized access.

Key provisions include the right of patients to:

  • Access their health records
  • Request corrections
  • Receive notifications in the event of a data breach.

These protections not only help maintain the confidentiality of patient information but also empower individuals by giving them control over their own health data.

Also read: How to map HIPAA to ISO 27001?

Impact of HIPAA on patient trust and healthcare practices

The implementation of HIPAA has significantly enhanced patient trust in the healthcare system.

When patients know their health information is protected, they are more likely to share sensitive details with their healthcare providers, which is vital for accurate diagnoses and effective treatment.

This trust fosters better patient-provider relationships and encourages open communication, ultimately improving the quality of care.

Additionally, HIPAA has influenced healthcare practices by promoting standardized processes for handling patient information, which helps reduce errors and enhances efficiency in care delivery.

Also read: GDPR vs HIPAA compliance: What's the difference?

Who enforces HIPAA?

HIPAA is enforced by several government agencies in the United States, each with its own specific responsibilities related to HIPAA compliance.

The main entities responsible for enforcing different aspects of HIPAA are:

A. Office for Civil Rights (OCR)

The OCR, a part of the U.S. Department of Health and Human Services (HHS), is the primary enforcer of HIPAA. Its main role is to oversee and enforce the Privacy Rule and the Security Rule, which pertain to the privacy and security of protected health information (PHI). The OCR investigates complaints, conducts audits, and provides guidance to covered entities and business associates to ensure compliance with these rules.

B. Centers for Medicare & Medicaid Services (CMS)

CMS is responsible for enforcing the Administrative Simplification provisions of HIPAA, which include the transaction standards, code sets, and unique identifiers. CMS ensures that covered entities use standardized electronic transactions when dealing with healthcare information for billing and other purposes.

C. Department of Justice (DOJ)

The DOJ may become involved in HIPAA enforcement in cases where willful criminal violations of HIPAA occur, such as healthcare fraud, identity theft, or intentional unauthorized disclosure of PHI. The DOJ can prosecute individuals and entities for criminal violations of HIPAA.

D. State Attorneys General

State Attorneys General also have a role in enforcing HIPAA, particularly with regard to state laws that are more stringent than federal HIPAA regulations. They can investigate and take legal action against entities for HIPAA violations that affect residents in their respective states.

E. HHS Office of Inspector General (OIG)

The OIG investigates cases of healthcare fraud and abuse, which may include violations of HIPAA. While the OIG primarily focuses on financial misconduct, it may collaborate with other agencies, such as the OCR or DOJ, when investigating HIPAA-related matters.

Consequences of non-compliance with HIPAA

Also read: Who enforces HIPAA?

Covered entities under HIPAA

Covered entities under HIPAA

Covered entities are defined as organizations or individuals that must comply with HIPAA regulations. This designation includes those who create, receive, maintain, or transmit protected health information (PHI) in electronic form.

Compliance requirements for covered entities

Health care providers

Health care providers include hospitals, physicians, dentists, and other professionals who provide medical services. To be considered a covered entity, these providers must engage in electronic health transactions, such as billing or claims processing. By doing so, they are obligated to adhere to HIPAA's privacy and security requirements.

Health plans

Health plans consist of organizations like insurance companies, health maintenance organizations (HMOs), and government programs (such as Medicare and Medicaid). Their primary responsibilities under HIPAA involve safeguarding PHI and ensuring that patient information is handled in compliance with regulatory standards.

Health care clearinghouses

Healthcare clearinghouses are entities that process health information received from other covered entities, often converting it into standardized formats. They play a critical role in the healthcare system by facilitating the exchange of information and ensuring that data is accurately transmitted between providers and payers.

Examples include billing services and electronic data interchange (EDI) companies, which are essential for the smooth functioning of healthcare transactions.

Understanding these categories is essential for compliance with HIPAA regulations and for promoting a secure and trustworthy environment for managing health information.

Also read: What is the difference between SOC 2 vs HIPAA compliance?

Role of business associates

Business associates are individuals or entities that perform services on behalf of a covered entity that involve the use or disclosure of protected health information (PHI).

They play a vital role in the healthcare ecosystem by providing essential services, such as data processing, billing, or legal consulting.

Because they have access to sensitive health information, ensuring that business associates comply with HIPAA is critical for protecting patient privacy and maintaining trust in the healthcare system.

Common examples of business associates include

HIPAA business associates have specific responsibilities and obligations under HIPAA:

  • Business associate agreements (BAAs): They must enter into BAAs with HIPAA-covered entities before handling PHI. These agreements outline the terms and conditions for safeguarding PHI and complying with HIPAA regulations.
  • Security safeguards: HIPAA business associates are required to implement appropriate administrative, physical, and technical safeguards to protect PHI. This includes measures to prevent unauthorized access, disclosure, and breaches.
  • HIPAA training: Employees of HIPAA business associates should receive training on HIPAA regulations to ensure they understand their responsibilities and the importance of PHI protection.
  • Incident reporting: HIPAA business associates must report any breaches or security incidents involving PHI to the covered entity promptly.
  • Subcontractor compliance: If HIPAA business associates use subcontractors (sub-business associates) who will have access to PHI, they must ensure that these subcontractors also comply with HIPAA regulations.

Failure to comply can result in significant penalties, making it essential for both covered entities and their business associates to prioritize HIPAA compliance.

Also read: 13 Best HIPAA Compliance Software

HIPAA: Exceptions and non-covered entities

HIPAA: Exceptions and non-covered entities

While HIPAA covers many organizations in the healthcare sector, certain entities are not considered covered entities. These include:

  • Employers: Generally, employers are not subject to HIPAA unless they provide health plans. However, they must adhere to other privacy laws regarding employee health information.
  • Life Insurers: Insurance companies that offer life insurance products are not covered under HIPAA, as they do not provide healthcare services or health plans.
  • Certain educational institutions: Schools and universities that handle student health records may be governed by FERPA (Family Educational Rights and Privacy Act) rather than HIPAA.

The lack of coverage under HIPAA means that these entities are not bound by its privacy and security requirements. However, they still have legal and ethical obligations to protect personal information.

For instance, employers must ensure that employee health data is kept confidential, and educational institutions must safeguard student health records per applicable laws. Understanding these distinctions is crucial for compliance and the proper handling of sensitive information.

Also read: HIPAA Compliance Checklist: Safeguarding Data Privacy Made Easy

Importance of training, policies, and procedures

Training employees on HIPAA regulations is essential to ensure that everyone within the organization understands their responsibilities in safeguarding patient information.

Establishing clear policies and procedures helps to create a culture of compliance and facilitates the proper handling of PHI.

Regular training sessions and updates on HIPAA requirements can mitigate the risk of breaches and non-compliance.

Also read: HIPAA vs HITRUST: A practical comparison for making compliance decisions

Wrapping up

HIPAA provides a crucial framework for protecting patient privacy and ensuring responsible handling of health information. Healthcare professionals and organizations need to prioritize compliance to safeguard patient information and maintain trust within the healthcare system.

Regular training, robust policies, and ongoing risk assessments are key to fostering a culture of compliance. Staying informed about HIPAA regulations is vital for everyone in the healthcare sector.

To enhance your compliance efforts, leverage tools like Scrut, which can streamline your processes and ensure adherence to necessary standards. Get in touch with Scrut today to take proactive steps to prioritize patient privacy, creating a safer and more secure healthcare environment for all.

Frequently Asked Questions

1. What types of entities are considered covered under HIPAA?

Covered entities under HIPAA include health care providers who transmit health information electronically, health plans (such as insurance companies), and health care clearinghouses that process health information.

2. How do business associates relate to HIPAA compliance?

Business associates are individuals or entities that perform functions on behalf of a covered entity that involves the use or disclosure of protected health information (PHI). They are required to comply with HIPAA regulations and have contracts in place with covered entities to ensure PHI protection.

3. Are employers subject to HIPAA regulations?

Employers are generally not considered covered entities under HIPAA unless they provide health plans. However, they must still comply with other privacy laws that protect employee health information.

4. What are the consequences of non-compliance with HIPAA?

Non-compliance with HIPAA can lead to significant penalties, including fines ranging from hundreds to millions of dollars, depending on the severity of the violation, as well as potential civil or criminal charges.

5. How does HIPAA protect patient privacy?

HIPAA establishes national standards for the protection of health information, ensuring that patients' personal and medical information is kept confidential. It grants patients rights over their health information, including the right to access and request corrections to their records.

‍

Liked the post? Share on:
Table of contents
Join our community
Join our community and be the first to know about updates!
Subscribe
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Join our community and be the first to know about updates!

Subscribe
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Posts

GRD Trends
Risk Management
Cloud Security
CISOs share top security predictions for 2023
Product Updates
Asset Management
Compliance Essentials
Risk Management
Access Reviews
Scrut innovations: February 2025 snapshot
Scrut Milestones
Scrut shines once again with 6 Momentum Leader Awards and 179 Badges in G2's Summer 2024 Report

Ready to see what security-first GRC really looks like?

Ready to see what security-first GRC really looks like?

Ready to see what security-first GRC really looks like?

See what a real security- first GRC platform looks like

Ready to see what security-first GRC really looks like?

Focus on the traveler experience. We’ll handle the regulations.

Get Scrut. Achieve and maintain compliance without the busywork.

Choose risk-first compliance that’s always on, built for you, and never in your way.

Ready to see what security-first GRC
One platform, every framework. No more duplicate work.
You can’t manage user access if you’re always playing catch-up.
Explore the future of enterprise GRC
Tired of chasing vendors for risk assessments?

Join the thousands of companies automating their compliance with Scrut.

The right partner makes all the difference. Let’s grow together.

Make your business easy to trust, put security transparency front and center.

Risk-first security starts with risk-first visibility.
Secure your team from the inside out.
Don't settle for slow, expensive compliance. Get Scrut instead.
Risk-first compliance for forward-thinking teams.
Audits without the back-and-forth. Just seamless collaboration.
Scale fast. Stay compliant. Automate the rest.
Compliance? Done and dusted, in half the time.
Get ahead of GDPR compliance before it becomes a problem.
Outgrowing table-stakes compliance? Create custom frameworks with ease.
Navigate SOC 2 compliance, minus the stress.
PCI DSS compliance, minus the panic.
Take the wheel of your HIPAA certification journey today.
We’ve got what you need to fast-track your ISO 27001 certification.
Make your NIST AI RMF journey as smooth as possible.

Your GRC team, multiplied and AI-backed.

Modern compliance for the evolving education landscape.

Ready to simplify healthcare compliance?

Don’t let compliance turn into a bottleneck in your SaaS growth.

Find the right compliance frameworks for your business in minutes

Ready to see what security-first GRC really looks like?

Real-time visibility into every asset

Ready to simplify fintech compliance?

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Scrut helps you set up a security program that scales with your business and stands up to audits. Without last-minute chaos.

Scrut helps you streamline audits, close deals faster, and stay ahead of risk without slowing down your team. Because trust shouldn’t take months to earn.

Scrut helps you set up a security program that scales with your business and stands up to audits. Without last-minute chaos.

Tag, classify, and monitor assets in real time—without the manual overhead.

Whether you're entering new markets or launching new products, Scrut helps you stay compliant without slowing down.

Scrut pulls compliance data straight from the tools you already use—so you don’t have to dig for evidence, chase approvals, or manually track controls.

Less manual work, more customizability. The Scrut Platform gives you everything you need to align your compliance to your business’s priorities.

With Scrut, you’re not just adding a tool to your offering—you’re adding a competitive edge. Join our Partner Network and help your clients streamline their GRC program.

Gaining trust is your first step to growing and cracking better deals. The Scrut Platform comes pre-built with all the tools you need to showcase a firm security posture and build confidence.

Don’t settle for rigid systems—Scrut ensures your risk management strategy is as flexible as your business needs.

Start building a security-first culture. Save your operations from improper training and a lack of compliance awareness.

Scrut fast-tracks compliance so you can focus on scaling, not scrambling. Automate compliance tasks and accelerate enterprise deals—without the grind.

Automate assessments, track compliance, and get full visibility into third-party risk—all in one place.

Scrut automates compliance tasks, supports proactive risk management, and saves you time, so you can focus on growing your business. Start building trust with customers and scaling confidently.

Leave legacy GRC behind. Meet the AI-powered platform built for teams managing risk and compliance in real time.

Give auditors direct access, keep track of every request, and manage audits effortlessly—all in one place.

Scrut ensures access permissions are correct, up-to-date, and fully compliant.

Whether you need fast results or a fully tailored program mapped to your risks and needs, Scrut delivers exactly what you need, when you need it. Ready to start?

Scrut unifies compliance across all your frameworks, so you can stop juggling systems and start scaling securely.

Manually managing your compliance processes and audits can get inefficient and overwhelming. Scrut automates these outdated, manual processes and eliminates your last-minute worries.

Access automated compliance, real-time risk tracking, and expert-backed support—all in one platform. Get started with Scrut!

Less manual work, more customizability. The Scrut Platform gives you everything you need to align your compliance to your business’s priorities.

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Earn trust and back it up with solid evidence. Scrut takes you through the SOC 2 compliance journey step-by-step, navigating every complexity you face.

Manage your PCI DSS compliance with real-time monitoring and effortless automation. Get started with Scrut today!

Securing your PHI shouldn’t be a constant hassle. Scrut automates your workflows—from risk assessments to monitoring—so you can put your compliance worries on the back burner.

Automate security controls, simplify audits, and keep your ISMS aligned with the latest standards. Get started with Scrut!

Tackle potential AI risks with NIST AI RMF-compliant controls and get expert support every step of the way.

Offload the grunt compliance work to us. Execute manual, draining GRC tasks with the reliable AI-powered Scrut Teammates without switching contexts or bottlenecks.

Whether you're managing student data, partnering with educational institute, or expanding to new geographies—Scrut gives you the tools to stay compliant, manage risk, and build trust at every step.

Scaling healthcare doesn’t have to come at the cost of security. Scrut keeps your organization compliant, audit-ready, and protected—no matter how fast you grow.

Scrut automates the hard parts of compliance and security so you can move fast and stay ahead of risks from day one.

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Growth in fintech comes with heavy scrutiny. Scrut helps you stay compliant, audit-ready, and secure—without slowing down your momentum.

Book a Demo
Book a Demo
Join the Scrut Partner Network
Join the Scrut Partner Network
Compliance Essentials
HIPAA