Patient’s Guide to HIPAA – Learning About HIPAA: Which Health Care Entities Must Comply With HIPAA?

You are reading the Patient’s Guide to HIPAA, FAQ 9

FAQ 9: Which Health Care Entities Must Comply With HIPAA?

HIPAA doesn’t apply to every health record keeper or to every health record. Only covered entities must comply with HIPAA. Get used to the term covered entity because it comes up a lot. HIPAA recognizes and regulates three types of covered entities.

This is a complicated area, and this is one of the longest FAQs in this guide. There are lots of types of entities, some covered by HIPAA, some partly covered, and some not at all.

HIPAA generally covers medical information maintained by or for a covered entity. HIPAA generally does NOT cover medical information held by those who are not covered entities. This is an especially important point that many people in the health care world do not understand clearly. Health information that is protected when held by a covered entity (like a medical record held by a hospital) may have no privacy protections when the information is held by someone who is not a covered entity. In other words, health privacy protections depend on who has the information and not on the nature of the information.

The covered entity concept is complicated. We will explain related terms – business associates and hybrid entities – later in this FAQ.

Covered entities under HIPAA are:

1) Health care clearinghouses

Health care clearinghouses transmit information (typically claims and billing information) between other players in the health care system. For example, a hospital may send the bill for your treatment to a health care clearinghouse that will reformat and submit the information to your insurance company. Clearinghouses are of no interest to the average patient because their function is usually invisible. Patients rarely, if ever, come into contact with them. But clearinghouses have the same obligations as other covered entities, and that is important if you do have an issue with a clearinghouse. Otherwise, don’t worry about clearinghouses. We won’t mention them again.

2) Health plans

Health plans are covered entities. Health insurers, health maintenance organizations (HMOs), and Medicare are examples of health plans subject to HIPAA. So are plans for uniformed service members. Nearly all health plans are covered entities, but some small group health plans (fewer than 50 participants) may not be covered entities. We use health plan and insurer interchangeably here.

3) Health care providers

Health care providers are covered entities, or at least most of them are. Generally, a health care provider is a doctor, hospital, dentist, podiatrist, pharmacist, laboratory, optometrist, and just about anyone else licensed to provide health care. The formal legal definition of health care provider is so complex that it makes lawyers wince.

It is important to understand that HIPAA does not automatically cover all health care providers. It generally depends on whether a provider bills (directly or indirectly) for services electronically. The reason for this odd, even silly, standard has to do with the structure of the health care system and the Department of Health and Human Services’ authority to regulate. Unless you are a policy wonk, you probably don’t want to know more.

Rule of Thumb

A simple rule of thumb is that any provider who bills an insurance company or health plan is a covered entity under HIPAA. If your doctor accepts Medicare, for example, the doctor is a covered entity. A free health clinic may not be subject to HIPAA because it doesn’t bill anyone. A doctor who charges every patient $25 cash and does not submit a bill to any insurance company may not be covered by HIPAA. A first aid room at your workplace may or may not be covered by HIPAA. If you want to know if the organization you are dealing with is a HIPAA covered entity, ask. If you don’t get a straight answer, ask for a copy of its privacy policy. If it has a privacy policy, the policy will explain about HIPAA’s application. If it doesn’t have a written privacy policy, then it is either not covered by HIPAA or it is violating the rule.

School health records

Most school health records are not subject to HIPAA. Instead, school records (private schools are a major exception) are usually covered by another federal privacy law, the Family Educational Rights and Privacy Act (FERPA). The federal Department of Education administers FERPA. A school nurse is likely to be subject only to FERPA. A university hospital that runs a student clinic on behalf of the university is also subject to FERPA. However, other university hospital records about students could also be subject to HIPAA, depending on the circumstances. The relationship between HIPAA and FERPA is very complicated. For more, see Which law is better for privacy? The short answer is that privacy rights under FERPA can be better in some ways than under HIPAA and worse in other ways.

Also, please note that some states or even counties may have specific laws or guidelines regarding making school vaccination records publicly available. See, for example, the Texas Immunization Registry.

Business associates and subcontractors

If a covered entity hires another organization to perform a function that requires access to health information, that other company may be a business associate of the covered entity. This happens routinely, for example, when a hospital hires an accounting firm to audit its records. Many covered entities have dozens of business associates. Under a recent change, a business associate of a covered entity is now directly covered by HIPAA. That means that a business associate of a covered entity can be penalized for violations in the same way as a covered entity. This is a good thing, as the possibility of penalties may result in better compliance with the law.

A covered entity must have a contract with each business associate. The contract must require the business associate to comply with all relevant HIPAA provisions. The basic idea is that a covered entity cannot avoid the privacy rule by hiring someone else to process health records.

If a business associate hires another entity to help process protected health information (PHI), then that entity (called a “subcontractor”) is also subject to HIPAA. If a subcontractor hires another subcontractor, all are covered by HIPAA. Covered entities, business associates, and subcontractors must all process your health records according to HIPAA rules. There’s a lot of complexity here, but it is not the patient’s problem.

Other health record holders

Who else has health records but isn’t subject to HIPAA? Many organizations have health information about you, but neither the organizations nor the records are subject to HIPAA. The list of unregulated health record keepers is shockingly long. These include gyms, medical and fitness apps and devices not offered by covered entities, health websites not offered by covered entities, Internet search engines, life and casualty insurers, the Medical Information Bureau, employers (but this one is complicated), workers’ compensation insurers, banks, credit bureaus, credit card companies, many health researchers, the National Institutes of Health, cosmetic medicine services, transit companies, hunting and fishing license agencies, occupational health clinics, fitness clubs, home testing laboratories, massage therapists, nutritional counselors, alternative medicine practitioners, disease advocacy groups, marketers of non-prescription health products and foods, and some urgent care facilities. Commercial providers of Personal Health Records (PHRs) have health records but are not covered entities. However, PHRs maintained by or on behalf of your health care provider or insurer are covered by HIPAA.

A health record covered by HIPAA can lose its privacy protection if transferred to a third person who is not a HIPAA covered entity. This is a very important aspect of HIPAA. Some would call it a loophole. We offer four examples of how you may see it in daily life. However, each of our examples has a weasel word (“probably”) because the rule is complicated. If we stopped to explain this kind of thing further, this document would quadruple in size.

• You tell your doctor to give part of your health records to your employer to explain your absence from work. The record will probably not be subject to HIPAA in the hands of your employer.

• A health researcher obtains your health records for use in a properly authorized research project. The records probably have no HIPAA protection in the hands of the researcher. However, if the researcher is treating you as part of the research (as in a clinical trial), then HIPAA may apply.

• You apply for life insurance, and the insurance company obtains your health records with your consent. The records are not subject to HIPAA in the hands of the insurance company, but they may be subject to a state insurance privacy law. Some of the information you authorize the insurer to have may also end up at the Medical Information Bureau (MIB), another organization not subject to HIPAA. If you read the fine print in your application/authorization, you will learn that you authorized disclosure to MIB as well. MIB is subject to the Fair Credit Reporting Act, a different privacy law that provides you with some rights and some protections. (To assert your Fair Credit Reporting Act rights, you would, for example, request a copy of your consumer file from MIB. See

• Your doctor tells you that you have a communicable disease (e.g., tuberculosis). The doctor must report your illness to the state public health department. The part of the health department that received your record is probably not subject to HIPAA.

We could list additional examples, but we offer a rule of thumb instead.

Rule of Thumb

If a covered entity discloses a health record to anyone who isn’t a covered entity, the record is generally outside the scope of HIPAA in the hands of the recipient. This is a major way that health records escape from privacy protections. This is true online and offline.

If you share health information with your family, a neighbor, or co-worker, the information that you share is not protected under HIPAA in the hands of the recipient. If you share your health information with a website that isn’t a covered entity under HIPAA, then the information you disclose is not protected under HIPAA in the hands of the website. This is a complex area that has created a lot of confusion among some consumers. Web sites that are medical web sites may very well not be covered under HIPAA, even if they say they are “HIPAA-compliant.” See Rule of Thumb, HIPAA Compliant, or HIPAA Covered?

Rule of Thumb

HIPAA Compliant, or HIPAA Covered?

If a company is not covered by HIPAA, it may still say that it is “HIPAA compliant.” HIPAA compliant does not mean the same thing as being a HIPAA covered entity. If you see the words HIPAA compliant, find out if the company is a HIPAA covered entity. This is a yes or no question; there is no “maybe” answer here. If a company is HIPAA compliant but not a HIPAA covered entity, we urge caution. The use of the term HIPAA compliant can be deceptive in that circumstance.


Roadmap: Patient’s Guide to HIPAA – Part 1: Learning About HIPAA (FAQ 9 of 65)