A $5.1 Million Penalty That Started with a Simple Question

In 2017, Memorial Healthcare System in Florida agreed to pay $5.1 million to settle HIPAA violations after employees accessed patient records without authorization for over a year. The root cause wasn't a sophisticated cyberattack. It was a fundamental breakdown in understanding who was responsible for protecting PHI — and who had access they should never have had.

When I talk to practice managers and small business owners, the question I hear most often isn't about encryption or breach notification. It's simpler: "Does HIPAA even apply to us?" That's a question about HIPAA eligibility, and getting it wrong can cost you millions or — just as dangerously — leave your patients' protected health information completely exposed.

This post breaks down exactly who qualifies under HIPAA, what triggers compliance obligations, and the gray areas that trip up organizations every single day.

What HIPAA Eligibility Actually Means

HIPAA eligibility refers to whether your organization falls under the jurisdiction of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. If you're eligible — meaning you're a covered entity or a business associate — you have legally binding obligations to safeguard protected health information (PHI).

The Department of Health and Human Services (HHS) defines three categories of covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically in connection with a HIPAA-covered transaction. That last clause is the one that catches people off guard.

You can review the full statutory definitions on the HHS covered entity guidance page.

The Three Categories of Covered Entities

  • Health Plans: Health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and even some government programs. If you pay for or arrange healthcare coverage, you're likely a covered entity.
  • Healthcare Clearinghouses: Organizations that process nonstandard health information into standard formats (or vice versa). Think billing services that convert claims data into HIPAA-compliant electronic formats.
  • Healthcare Providers: Any provider — physician, dentist, chiropractor, pharmacy, hospital — that transmits health information electronically for transactions like claims, benefit eligibility inquiries, or referral authorizations.

Notice that last bullet. It's not enough to simply be a healthcare provider. The trigger is electronic transmission of health information for a covered transaction. A therapist who only accepts cash and never submits electronic claims might not meet the threshold. The moment that therapist submits a single electronic claim, HIPAA eligibility kicks in.

Business Associates: The Eligibility Category Everyone Forgets

Here's where I see the most confusion. Your HIPAA eligibility isn't limited to covered entities. If you're a business associate — meaning you create, receive, maintain, or transmit PHI on behalf of a covered entity — you're squarely within HIPAA's reach.

IT vendors, cloud hosting providers, billing companies, shredding services, law firms reviewing medical records, even email encryption providers: all of these are potentially business associates, and all are subject to HIPAA enforcement.

The 2013 Omnibus Rule made this crystal clear. Business associates are directly liable for HIPAA violations, not just contractually liable through their business associate agreements (BAAs). The Office for Civil Rights (OCR) has enforced this aggressively.

Real Enforcement Against a Business Associate

In 2020, CHSPSC LLC — a business associate providing IT services to Community Health Systems hospitals — paid $2.3 million to settle HIPAA violations after hackers stole ePHI affecting 6.1 million individuals. OCR found that CHSPSC failed to conduct an adequate risk analysis and implement proper security measures. Being a business associate didn't provide a shield. It made them a target.

You can find details on OCR's enforcement actions on the HHS enforcement outcomes page.

The Gray Areas That Trip Up Real Organizations

I've consulted with organizations that genuinely didn't know whether they were HIPAA-eligible. They weren't being negligent — the rules can be ambiguous at the margins. Here are the scenarios I encounter most frequently.

Employers with Group Health Plans

Many employers assume their group health plan obligations are handled entirely by the insurance carrier. That's partially true — the carrier is a covered entity and manages most compliance. But if the employer receives PHI from the plan (enrollment data, claims information, disability determinations), the employer itself has HIPAA obligations regarding that information.

I've walked into HR departments that store spreadsheets full of employee diagnoses on shared network drives. They had no idea HIPAA applied to them.

Mobile App Developers and Health Tech Startups

A fitness app that tracks heart rate data isn't automatically HIPAA-eligible. But the moment that app integrates with a covered entity — say, a hospital patient portal — and handles PHI on the provider's behalf, it becomes a business associate. HIPAA eligibility can shift overnight based on a single partnership deal.

Researchers at Universities

Academic medical centers are covered entities. But a psychology researcher at a university who collects health data through a study may or may not be subject to HIPAA depending on the data source and the university's institutional structure. These distinctions matter enormously, and they require careful analysis — not assumptions.

How Do You Determine Your HIPAA Eligibility?

This is the question most people are actually searching for, so here's a direct answer.

Step 1: Determine whether your organization is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically for covered transactions.

Step 2: If you're not a covered entity, determine whether you handle PHI on behalf of one. If you create, receive, maintain, or transmit PHI for a covered entity, you're a business associate.

Step 3: If neither applies, HIPAA likely doesn't govern your organization — though state privacy laws and other regulations (like the FTC Act) may still apply.

HHS offers a covered entity decision tool through CMS that walks you through a series of questions to assess your status. I recommend every uncertain organization start there.

The $1.9 Million Lesson from Skipping Workforce Training

Once you establish HIPAA eligibility, your compliance clock starts ticking. And the single most common failure I see — across practices of every size — is neglecting workforce training.

In my experience, most breaches don't start with hackers. They start with an employee who doesn't understand the rules. Someone forwards a patient record to a personal email account. A front desk worker hands a sign-in sheet to a waiting room full of patients. A billing clerk shares login credentials.

OCR doesn't accept "we didn't know" as a defense. Under 45 CFR § 164.530(b), covered entities must train all workforce members on HIPAA policies and procedures. The Security Rule adds specific requirements for security awareness training under 45 CFR § 164.308(a)(5).

If your team hasn't completed HIPAA Introduction Training for 2026, you're operating with a gap that regulators will identify during any investigation.

Subcontractors of Business Associates: The Chain Goes Deeper

One layer most organizations miss: if you're a business associate and you hire a subcontractor who also handles PHI, that subcontractor is also a business associate under HIPAA. You need a BAA with them. They need their own compliance program. The chain of HIPAA eligibility extends as far as PHI travels.

I worked with a mid-size hospital that discovered — during a breach investigation — that their transcription vendor had outsourced work to a company overseas, with no BAA in place. The hospital bore the consequences.

What Happens When You Get Eligibility Wrong

If you incorrectly conclude HIPAA doesn't apply to you, here's what's at stake:

  • Civil monetary penalties from OCR ranging from $137 to over $2 million per violation category per year, with an annual maximum of approximately $2.1 million per identical provision.
  • Criminal penalties enforced by the Department of Justice, including fines up to $250,000 and imprisonment for knowing misuse of health information.
  • Reputational destruction. Breaches affecting 500+ individuals get posted on HHS's public breach portal — what the industry calls the "Wall of Shame."
  • Loss of business partnerships. Covered entities increasingly require proof of HIPAA compliance before signing contracts with vendors.

On the flip side, if HIPAA doesn't actually apply to you and you've been spending resources on unnecessary compliance, that's a different kind of waste. Accurate eligibility determination saves money and focuses your security efforts where they legally matter.

Start with the Foundation

Whether you just discovered your organization qualifies as a business associate or you've been a covered entity for years, the compliance fundamentals don't change. You need a current risk analysis, updated policies and procedures, proper BAAs with every vendor that touches PHI, and — above all — trained people.

Your workforce is your largest attack surface and your strongest defense. Enroll your team in structured HIPAA training through the HIPAACertify course catalog and document every completion. When OCR comes knocking — and in 2026, enforcement is only accelerating — that documentation is what separates a corrective action plan from a seven-figure settlement.

HIPAA eligibility isn't a technicality. It's the threshold question that determines whether your organization faces federal enforcement or not. Answer it correctly, act on it immediately, and build your compliance program from there.