HIPAA covered entities

Which entities are covered under HIPAA?

In the complex world of healthcare, the Health Insurance Portability and Accountability Act, more commonly known as HIPAA, stands as a crucial pillar for safeguarding patient information and ensuring the integrity of the healthcare system. 

HIPAA was enacted in 1996, and since then it has played a pivotal role in regulating the healthcare industry. In this blog post, we will explore the key aspects of HIPAA, why compliance is essential, and the scope of the regulations, focusing in particular on identifying which entities fall under its purview.

The importance of compliance with HIPAA regulations

HIPAA was introduced with the primary goal of improving the efficiency and effectiveness of healthcare delivery while protecting the privacy and security of patient information. 

Compliance with HIPAA regulations is of paramount importance for several reasons:

  • Patient privacy: HIPAA establishes strict rules to protect the confidentiality of patients’ health information. Compliance ensures that patients can trust healthcare providers to keep their sensitive data secure.
  • Data security: In the digital age, healthcare data is vulnerable to breaches. HIPAA mandates security measures to safeguard electronic protected health information (ePHI) from unauthorized access or breaches.
  • Interoperability: HIPAA encourages the standardized exchange of healthcare information, making it easier for different entities within the healthcare system to communicate and collaborate effectively.
  • Avoid penalties: Non-compliance with HIPAA can result in hefty HIPAA violation fines and legal consequences for healthcare organizations, potentially damaging their reputation and financial stability.

Who enforces HIPAA?

HIPAA is enforced by several government agencies in the United States, each with its own specific responsibilities related to HIPAA compliance. 

The main entities responsible for enforcing different aspects of HIPAA are:

A. Office for Civil Rights (OCR)

The OCR, a part of the U.S. Department of Health and Human Services (HHS), is the primary enforcer of HIPAA. Its main role is to oversee and enforce the Privacy Rule and the Security Rule, which pertain to the privacy and security of protected health information (PHI). The OCR investigates complaints, conducts audits, and provides guidance to covered entities and business associates to ensure compliance with these rules.

B. Centers for Medicare & Medicaid Services (CMS)

CMS is responsible for enforcing the Administrative Simplification provisions of HIPAA, which include the transaction standards, code sets, and unique identifiers. CMS ensures that covered entities use standardized electronic transactions when dealing with healthcare information for billing and other purposes.

C. Department of Justice (DOJ)

The DOJ may become involved in HIPAA enforcement in cases where willful criminal violations of HIPAA occur, such as healthcare fraud, identity theft, or intentional unauthorized disclosure of PHI. The DOJ can prosecute individuals and entities for criminal violations of HIPAA.

D. State Attorneys General

State Attorneys General also have a role in enforcing HIPAA, particularly where state laws are more stringent than the federal HIPAA regulations. They can investigate and take legal action against entities for HIPAA violations that affect residents of their respective states.

E. HHS Office of Inspector General (OIG)

The OIG investigates cases of healthcare fraud and abuse, which may include violations of HIPAA. While the OIG primarily focuses on financial misconduct, it may collaborate with other agencies, such as the OCR or DOJ, when investigating HIPAA-related matters.

It’s important to note that HIPAA enforcement can result in civil and criminal penalties, including HIPAA violation fines, legal actions, and even imprisonment, depending on the severity of the violation. Covered entities and business associates are expected to take HIPAA compliance seriously to avoid such consequences and to protect the privacy and security of patient information.

What are HIPAA covered entities?

HIPAA covered entities are organizations or individuals involved in the healthcare industry who are subject to HIPAA regulations. These regulations are designed to protect the privacy and security of individuals’ PHI while also ensuring the smooth flow of health information for patient care and administrative purposes. Covered entities play a central role in complying with HIPAA standards, and they are directly responsible for safeguarding PHI.

What are the primary categories of HIPAA covered entities?

There are three primary categories of HIPAA covered entities:

  • Healthcare providers: Healthcare providers are organizations or individuals that deliver medical, dental, or other health-related services. They encompass a wide range of medical professionals and facilities.
  • Health plans: Health plans include insurance companies, government programs like Medicare and Medicaid, and employer-sponsored health plans. They are responsible for processing and paying insurance claims and often have access to PHI.
  • Healthcare clearinghouses: Healthcare clearinghouses are entities that process non-standard health information into a standardized format. They act as intermediaries between healthcare providers and health plans, facilitating the electronic exchange of health information.

Clarification on what constitutes a healthcare provider, health plan, and clearinghouse

  • Healthcare provider: Healthcare providers include hospitals, physicians, nurses, dentists, chiropractors, psychologists, pharmacists, and any other individual or organization that provides medical or healthcare services. This category also extends to healthcare facilities such as clinics, nursing homes, and pharmacies.

Examples of healthcare providers include family doctors, hospitals, dentists, surgeons, mental health clinics, physical therapists, and nursing homes.

  • Health plan: Health plans encompass a wide range of entities that provide or pay for healthcare services. This includes private health insurance companies, government programs like Medicaid and Medicare, employer-sponsored health plans, and even health maintenance organizations (HMOs) or preferred provider organizations (PPOs).

Examples of health plans include private health insurance companies like Blue Cross Blue Shield, government programs like Medicaid and Medicare, employer-provided health plans, and managed care organizations like Aetna.

  • Healthcare clearinghouse: A healthcare clearinghouse acts as an intermediary in the healthcare data exchange process. These entities typically translate non-standard healthcare information formats into standardized formats that can be used by both healthcare providers and health plans for billing and administrative purposes.

Some examples of healthcare clearinghouses include Emdeon (now Change Healthcare), Availity, and RelayHealth.

HIPAA covered entities have a critical responsibility for HIPAA compliance because they directly handle PHI in their daily operations. This includes implementing administrative, physical, and technical safeguards to protect PHI, training their employees on HIPAA regulations, and maintaining policies and procedures to ensure compliance. Non-compliance can lead to significant penalties and legal consequences, making it imperative for these entities to prioritize HIPAA compliance to protect patient privacy and maintain the trust of their patients and partners.

Who is a HIPAA business associate? What role do they play?

Business associates are individuals or entities that provide services or perform functions on behalf of HIPAA covered entities in the healthcare industry and, in the process, have access to PHI. These entities play a crucial role in supporting the operations of HIPAA covered entities but are not directly involved in patient care. Under HIPAA, business associates are legally obligated to safeguard PHI and comply with HIPAA regulations to protect patient privacy and security.

The critical role business associates play in the healthcare industry

HIPAA business associates play several critical roles in the healthcare industry:

  • Support services: They provide essential support services that help HIPAA covered entities operate efficiently. These services can range from IT support and billing to legal and consulting services.
  • Data management: Business associates often handle and process large volumes of PHI, making them instrumental in managing electronic health records, insurance claims, and other healthcare data.
  • Interoperability: They help facilitate the exchange of healthcare information between different entities within the healthcare ecosystem, improving communication and coordination of care.
  • Specialized expertise: Many business associates offer specialized expertise that allows healthcare providers to focus on patient care while outsourcing specific administrative functions.

Examples of HIPAA business associates

  • IT service providers: IT companies that provide services such as electronic health record (EHR) management, data storage, and network security fall into this category. They often have access to PHI to ensure the integrity and security of healthcare systems.
  • Medical billing companies: These entities handle the processing and submission of insurance claims, patient billing, and revenue cycle management for healthcare providers. They may access PHI for billing purposes.
  • Legal counsel: Law firms and legal professionals who advise healthcare providers on compliance issues, contract negotiations, and regulatory matters may have access to PHI when providing legal services.

Responsibilities and obligations of HIPAA business associates regarding HIPAA compliance

HIPAA business associates have specific responsibilities and obligations under HIPAA:

  • Business associate agreements (BAAs): They must enter into BAAs with HIPAA covered entities before handling PHI. These agreements outline the terms and conditions for safeguarding PHI and complying with HIPAA regulations.
  • Security safeguards: HIPAA business associates are required to implement appropriate administrative, physical, and technical safeguards to protect PHI. This includes measures to prevent unauthorized access, disclosure, and breaches.
  • HIPAA training: Employees of HIPAA business associates should receive training on HIPAA regulations to ensure they understand their responsibilities and the importance of PHI protection.
  • Incident reporting: HIPAA business associates must report any breaches or security incidents involving PHI to the covered entity promptly.
  • Subcontractor compliance: If HIPAA business associates use subcontractors (sub-business associates) who will have access to PHI, they must ensure that these subcontractors also comply with HIPAA regulations.

Failure to comply with HIPAA obligations can lead to legal consequences, including HIPAA violation fines and penalties. Therefore, business associates must take their HIPAA responsibilities seriously to maintain the trust of HIPAA covered entities and protect patient information.

Definition and explanation of HIPAA subcontractors

Subcontractors, in the context of HIPAA, are third-party entities or individuals hired by HIPAA business associates (BAs) to perform specific tasks or services that involve access to PHI. These subcontractors are not directly engaged by covered entities (CEs) but work on behalf of BAs. HIPAA subcontractors play a critical role in supporting BAs in fulfilling their obligations under HIPAA and ensuring the protection of PHI.

The relationship between HIPAA business associates and subcontractors

The relationship between HIPAA business associates and subcontractors is hierarchical. HIPAA business associates are entities that have a direct contractual relationship with HIPAA covered entities and handle PHI on behalf of those CEs. When HIPAA business associates engage subcontractors to perform certain functions or services that involve PHI, they extend their responsibility for PHI protection to these subcontractors.

HIPAA business associates are required to have written agreements, often referred to as business associate subcontractor agreements (BASA), with subcontractors. These agreements outline the responsibilities and obligations of subcontractors concerning the safeguarding of PHI and compliance with HIPAA regulations. Subcontractors, in turn, must ensure that they comply with the terms of the BASA and HIPAA requirements.

Examples of HIPAA subcontractors

Following are some examples of HIPAA subcontractors:

  • Data storage companies: Businesses that provide data storage services, whether physical or cloud-based, may be subcontractors. They are responsible for securely storing electronic health records (EHRs) and other PHI on behalf of BAs and CEs.
  • Document shredding services: Companies that handle the secure destruction and disposal of physical documents containing PHI fall into this category. They ensure that paper records are properly destroyed to prevent unauthorized access.
  • Cloud service providers: Providers of cloud computing services, which store and manage digital data, can be subcontractors when they host PHI for BAs or CEs. Examples include Amazon Web Services (AWS) and Microsoft Azure.

How subcontractors’ obligations are intertwined with HIPAA business associates and HIPAA covered entities

The obligations of subcontractors are closely intertwined with those of business associates and HIPAA covered entities:

  • Business Associate Subcontractor Agreements (BASA): Subcontractors must enter into BASAs with the business associates that engage them. These agreements stipulate the subcontractors’ responsibilities for PHI protection and HIPAA compliance.
  • Compliance chain: The subcontractor’s obligations flow down from the business associate, which, in turn, derives its responsibilities from the covered entity. This creates a chain of compliance where all entities involved in handling PHI must adhere to HIPAA regulations.
  • Enforcement and liability: Business associates remain ultimately responsible for ensuring that subcontractors comply with HIPAA. If a subcontractor violates HIPAA regulations, the business associate could be held liable for those violations. Similarly, HIPAA covered entities may hold business associates accountable for any breaches or non-compliance by subcontractors.

Subcontractors are expected to understand and adhere to the terms of the BASA, maintain the security and privacy of PHI, and cooperate with business associates and HIPAA covered entities to ensure full HIPAA compliance. This interconnected approach helps protect the confidentiality and integrity of patient information throughout the healthcare ecosystem.


In the complex world of healthcare, HIPAA is a vital safeguard for patient information and the integrity of the healthcare system. Compliance with HIPAA regulations is crucial for patient privacy, data security, interoperability, and avoiding penalties.

HIPAA is enforced by various government agencies, and it applies to healthcare providers, health plans, and healthcare clearinghouses. These entities must take HIPAA compliance seriously to protect patient information.

Business associates support HIPAA covered entities but must also comply with HIPAA. They handle various healthcare functions and play a vital role in PHI protection.

Subcontractors assist business associates and are bound by HIPAA through business associate subcontractor agreements, ensuring the protection of patient information.

In essence, HIPAA is the linchpin that secures patient trust, data, and the integrity of the healthcare system. Compliance is not an option but a fundamental requirement for the healthcare industry.

Don’t risk costly violations and data breaches. Scrut is your trusted partner for maintaining HIPAA compliance. Get started today to safeguard your patients’ privacy and your organization’s reputation. Request a demo now!


1. What is HIPAA, and why is it important for healthcare organizations?

HIPAA, the Health Insurance Portability and Accountability Act, is crucial for healthcare organizations because it establishes rules to protect patient privacy and secure sensitive health information. Compliance ensures patients’ trust and data security while promoting efficient healthcare operations.

2. Who enforces HIPAA regulations, and what are their roles?

HIPAA regulations are enforced by various government agencies, including:

  • the Office for Civil Rights (OCR)
  • the Centers for Medicare & Medicaid Services (CMS)
  • the Department of Justice (DOJ)
  • State Attorneys General
  • the HHS Office of Inspector General (OIG)

They oversee different aspects of HIPAA compliance, investigating complaints, conducting audits, and prosecuting violations.

3. What are HIPAA covered entities, and why are they essential to compliance?

HIPAA covered entities encompass healthcare providers, health plans, and healthcare clearinghouses. They are crucial to compliance because they directly handle protected health information (PHI) and are responsible for implementing safeguards, training employees, and maintaining policies to protect patient data.
