
Who Does HIPAA Apply To? 5 Key Points to Remember

Does HIPAA apply to everyone? Who is not required to follow its rules? The HIPAA Privacy and Security Rules apply to "covered entities" and their "business associates," but who exactly are these entities?

Many individuals and businesses are left wondering whether they need to follow HIPAA rules. After all, dealing with private health information can get tricky. You have to know exactly where you stand.

Knowing whether you are subject to HIPAA rules is of utmost importance for healthcare organizations, medical practitioners, and their business partners. Otherwise, you could face penalties and even criminal charges.


What is a HIPAA covered entity?

A HIPAA covered entity is a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction (such as a claim or eligibility check), a health plan, or a healthcare clearinghouse. These entities are directly subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy, Security, and Breach Notification Rules.


5 Key Points About HIPAA Compliance

1. HIPAA is not limited to doctors and healthcare professionals.

Who does HIPAA apply to, and is it only for medical providers?

The HIPAA Privacy Rule is not just for doctors and medical professionals. As long as you’re considered a covered entity or a business associate of a covered entity, you are bound to abide by the HIPAA rules.

2. HIPAA applies to all covered entities and their business associates.

Who does HIPAA apply to, and who are the exact entities covered?

The entities that must follow the HIPAA rules are called "covered entities." Under HIPAA, covered entities are healthcare providers that conduct certain transactions electronically, health plans, and healthcare clearinghouses. In practice, this includes most providers, since nearly all of them bill electronically.

Healthcare providers include doctors, hospitals, clinics, chiropractors, nursing homes, dentists, and pharmacies. Their workforce members (employees, volunteers, trainees) are not covered entities themselves, but they must follow the covered entity's HIPAA policies whenever they handle PHI (protected health information), and the covered entity is responsible for sanctioning workforce members who violate those policies.

Business associates, on the other hand, are outside persons or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity. They are not employees of the covered entity, and their access to PHI is governed by a signed business associate agreement (BAA). Since the 2013 Omnibus Rule, business associates are also directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule, not only through their contract.

For example, an online fax service that has signed a BAA with a covered entity must comply with the HIPAA rules. In such cases, the fax service must also pursue full HIPAA compliance for its own systems and staff.

Business associates of covered entities must safeguard PHI in line with the HIPAA rules. Typical business associates include:

  • companies that provide systems for healthcare organizations to get paid (e.g., medical billing companies)
  • professionals that provide legal, accounting, and IT services and need access to PHI to do so
  • companies that provide services involving the storage, transmission, or destruction of PHI
  • third-party administrators that assist with health plan claims

Likewise, subcontractors of business associates that handle PHI are also bound by the HIPAA rules, and the business associate must have a BAA in place with each of them.



3. Individuals and non-healthcare persons may still be penalized for HIPAA violations.

Individuals who are not medical practitioners are still bound by the HIPAA rules when they are workforce members of a covered entity or of a business associate. Organizations must sanction workforce members who violate their HIPAA policies, and individuals who knowingly obtain or disclose PHI in violation of HIPAA can face criminal penalties.

The key question is whether the individual has access to PHI. For example, a data entry specialist of a company that provides IT services to a hospital must also abide by HIPAA rules.

4. Family members can violate HIPAA rules.

Under certain circumstances, family members can still violate the HIPAA rules. Usually, this applies to family members who work for a covered entity or a business associate. A typical example is a healthcare worker snooping into a relative's medical records without a work-related reason or the relative's authorization to access that information.

Meanwhile, a covered entity may disclose relevant PHI to family members, friends, and caregivers who are involved in the patient's care or payment for care, provided the patient agrees or, given the opportunity, does not object. A patient's personal representative (such as a parent of a minor or someone holding healthcare power of attorney) can generally exercise the patient's own right to access the records.

5. Some organizations are not required to follow HIPAA’s Privacy and Security Rules.

Not every company or organization that has access to health information is bound by the HIPAA rules. It is therefore necessary to understand that HIPAA does not protect all health information, only PHI held by covered entities and their business associates. There are sectors and people who are not required to abide by the rules.

Does HIPAA Apply to All Businesses?

Given the rules for business associates above, the answer would be no. Not all businesses are required to follow HIPAA rules. However, business owners should always check first whether they need to comply with HIPAA guidelines.

Does HIPAA Apply to Everyone?

HIPAA does not apply to everyone, even if that person has access to your health information. The HIPAA law is only applicable when a covered entity or a business associate is involved. Even so, this does not mean that other protections are absent: state privacy laws and, for many non-HIPAA health apps and websites, the FTC's Health Breach Notification Rule may still apply.


Who Is Not Required to Follow HIPAA? 

Speaking of which, here are some examples of those who are not required to follow HIPAA rules:

  • gyms and fitness clubs
  • most schools and school districts (student health records are generally governed by FERPA rather than HIPAA)
  • many mobile apps used for health and fitness, with the exception of apps offered by or on behalf of a covered entity
  • most law enforcement agencies
  • employers in their role as employers (the group health plan an employer sponsors is a covered entity) and life insurance companies
  • many municipal offices and state agencies, including child protective services
  • websites that provide health information and are not operated by a covered entity or its business associate
  • people who conduct screenings at pharmacies and shopping centers, such as blood pressure and cholesterol checks (unless the results are documented with information that can identify the person)

Final Thoughts

For both medical practitioners and patients, it’s vital to know who must follow HIPAA guidelines. By being aware of the rules, you can do your best to follow them. At the same time, you need to be extra careful about how you handle PHI. It’s important to be aware of the consequences that you could face if you disclose or use PHI without consent.

For businesses and covered entities, this means doing whatever is necessary to keep PHI safe. At the same time, this helps protect your company or business from committing violations and paying hefty fines.

Following HIPAA rules may not be as simple as it sounds. However, if there is one thing that you should never forget, it is to keep your patient’s best interest in mind.

Do you need a reliable and secure business fax service?

Secure your health documents by sending HIPAA-compliant faxes with iFax! Experience high volume premium business faxing for only $0.03 per page.

