Does my organization fall under HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed to help improve the efficiency and effectiveness of the U.S. healthcare system. The act required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. The law has been amended and extended many times over the years, and penalties for noncompliance can be swift and expensive, leading many businesses to wonder, "Does my organization fall under HIPAA?"

The history of HIPAA 

While the initial act was created to help simplify and improve healthcare systems, lawmakers quickly recognized that advances in healthcare technology could reduce the privacy of health information. As a result, Congress included provisions in HIPAA mandating privacy protections for individually identifiable health information. As technology and needs have changed, Congress has passed amendments (such as the HITECH Act) and HHS has issued new and revised rules, allowing the law to change with the times.

November 1999: HHS proposes the HIPAA Privacy Rule

December 2000: HHS publishes the final Privacy Rule

August 2002: HHS publishes final modifications to the Privacy Rule

February 2003: HHS publishes the final Security Rule, which sets administrative, physical, and technical safeguards for electronic protected health information

January 2013: HHS publishes the "Omnibus HIPAA Final Rule," which modifies the Privacy, Security, Enforcement, and Breach Notification Rules to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act, along with other changes

January 2016: HHS amends the Privacy Rule to permit certain covered entities to report limited information to the National Instant Criminal Background Check System (NICS)

Who must comply with HIPAA? 

There is a common public misconception about which businesses and organizations must comply with HIPAA. People often assume that any and all health information in any context is covered by HIPAA, but that is simply not true.

HIPAA only applies to what are called Covered Entities (CEs) and the Business Associates (BAs) of CEs, and it protects a specific category of data: protected health information (PHI), meaning individually identifiable health information that a CE or BA creates, receives, maintains, or transmits.

Whether a health care provider is a CE depends on whether it conducts standard transactions electronically. HHS has adopted standards for the following transactions:

  • Payment and remittance advice 
  • Claims status 
  • Eligibility 
  • Coordination of benefits 
  • Claims and encounter information 
  • Enrollment and disenrollment 
  • Referrals and authorizations  
  • Premium payment 


What makes an organization a covered entity?

A covered entity is a health plan, a healthcare clearinghouse, or a health care provider that transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard. Note that the electronic-transmission condition applies only to providers; health plans and clearinghouses are covered entities regardless of how they transmit data.

A health care provider 

This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, and others. A health care provider is only considered a CE if it transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard (for example, submitting claims electronically to a health plan). A provider that conducts every standard transaction on paper is not a CE.


A health plan 

This includes health insurance companies, HMOs, company health plans, and government programs that pay for health care such as Medicare, Medicaid, and the military and veterans health care programs.  


A healthcare clearinghouse 

A healthcare clearinghouse is an entity that processes non-standard health information received from another entity into a standard format (for example, converting a provider's billing data into the standardized electronic transaction format), or converts standard transactions back into non-standard form for the receiving party.

What makes an organization a business associate? 

A HIPAA business associate is any person or organization, other than a member of the CE's own workforce, that creates, receives, maintains, or transmits protected health information on behalf of a HIPAA covered entity in order to perform a function or service for that CE. A subcontractor that handles PHI on behalf of a business associate is itself a business associate.

Business associates are necessary to help covered entities accomplish their work. For example, a CE typically needs software, technology, and support services to perform some of its most basic and critical functions.

Examples of HIPAA Business Associates: 

  • Software companies, such as those that provide charting, email, or other computer-based products that handle PHI
  • Cloud service providers, such as those that host applications or store PHI
  • Third-party administrators that assist health plans with claims processing
  • Medical billing and transcription services
  • Accountants, attorneys, and consultants who are given access to PHI
  • Medical device manufacturers that receive or maintain PHI
  • Billing, benefits, and claims management services

How Covered Entities work with Business Associates 

A HIPAA covered entity must have a business associate sign a contract, termed a business associate agreement (BAA), that outlines the responsibilities of the BA and confirms that the BA is required to comply with the HIPAA Rules. It is the responsibility of a BA to ensure that any subcontractors it uses to handle PHI also agree to comply with the HIPAA Rules and sign a BAA with the BA. The Department of Health and Human Services has published sample BAA provisions to help organizations navigate this process.

Common misconceptions businesses have about HIPAA 

1. All employers are subject to HIPAA 

While employers should take care with sensitive employee information, they are not subject to HIPAA unless they are a covered entity or business associate. 


2. Any health information received by an employer is covered by HIPAA 

If the information was created, maintained, or received in connection with an employer's group health plan, then it may be covered by HIPAA. In general, however, information an employer receives only in its role as "employer" is not covered. For example, health information received by a manager in connection with sick leave, FMLA leave, or short-term disability leave is likely not covered by HIPAA.

3. Health information received from an employee’s health care provider is covered by HIPAA

Employees may share information from a health care provider with their employer for a variety of purposes, including ADA accommodation requests. The Privacy Rule generally prohibits providers from disclosing this information to an employer without a valid authorization signed by the patient (the employee). Once the employee has released it to the employer, however, it is held as an employment record rather than PHI and is no longer protected by HIPAA, although other laws (such as the ADA's confidentiality requirements for medical information) may still restrict how the employer stores and uses it.

Achieving and maintaining HIPAA compliance 

If your business is a CE or a BA, you must comply with the HIPAA regulations. Achieving and maintaining HIPAA compliance is the responsibility of everyone in a CE or BA organization, and it starts with strong policies, a documented risk analysis of the threats to the PHI you hold (a required element of the Security Rule), and ongoing enforcement of those policies. Foresite Cybersecurity often works with CE and BA organizations in the healthcare industry to achieve and maintain compliance and bolster their cybersecurity.

Looking for help gaining or maintaining HIPAA compliance in your covered entity or business associate organization? We can help! Foresite Cybersecurity has made understanding HIPAA compliance easier than ever with Foresite Integrate Risk Management. Simply answer a few questions about your organization's technology, policies, and practices, and the platform will show you your current risk score along with automated updates and guidance on how to improve your compliance. Contact us today to request a demo or get trial access to the platform.

Tristin Zeman

Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.
