A Question That Gets People Fired

Last year, I consulted with a medical billing company whose CEO genuinely believed HIPAA didn't apply to his organization. "We're not a hospital," he told me. "We just process claims." Three months later, his company was under OCR investigation after an employee emailed a spreadsheet containing 4,200 patients' protected health information to a personal Gmail account.

If you've ever searched "the HIPAA Privacy Rule applies to which of the following," you're probably staring at a compliance quiz or trying to figure out whether your organization actually falls under HIPAA's jurisdiction. Either way, the answer matters more than you think — because getting it wrong doesn't just cost you a test score. It costs real money and real careers.

Here's the definitive breakdown.

The HIPAA Privacy Rule Applies to Which of the Following? The Direct Answer

The HIPAA Privacy Rule applies to three categories of organizations: health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with certain transactions. These three groups are collectively known as covered entities.

But it doesn't stop there. The Rule also applies to business associates — any person or organization that performs functions or activities on behalf of a covered entity that involve access to protected health information (PHI).

That's it. Those are the categories. If your organization falls into any of them, the Privacy Rule governs how you handle, store, disclose, and protect PHI. HHS spells this out clearly on their covered entity guidance page.

Covered Entities: The Three You Need to Know Cold

1. Health Plans

Health plans include health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, and military and veterans' health programs. If an organization pays the cost of medical care, it's almost certainly a health plan under HIPAA.

I've seen mid-size employers assume their self-funded health plan was somehow exempt. It's not. If your organization administers a group health plan with 50 or more participants, you're a covered entity and the Privacy Rule applies to your handling of employees' PHI.

2. Health Care Clearinghouses

This is the category the CEO I mentioned didn't understand. A health care clearinghouse is any entity that processes nonstandard health information into standard formats — or vice versa. Billing services, repricing companies, and community health management information systems often fall here.

If your organization sits between providers and payers, translating or reformatting claims data, you are a clearinghouse. Full stop.

3. Health Care Providers Who Transmit Electronically

Every health care provider — regardless of size — who electronically transmits health information in connection with transactions like claims, benefit eligibility inquiries, or referral authorizations is a covered entity. This includes hospitals, physicians, dentists, psychologists, chiropractors, nursing homes, and pharmacies.

The key phrase is "electronically transmits." A therapist who only accepts cash and never files electronic claims might technically fall outside the Privacy Rule. But the moment that therapist submits a single electronic claim, they're in. And in 2026, finding a provider who never transacts electronically is like finding a payphone that works.

Business Associates: The Category Everyone Forgets

The HITECH Act expanded the Privacy Rule's reach to business associates in ways that still catch organizations off guard. A business associate is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity.

Think: IT service providers, cloud storage companies, shredding services, billing firms, consultants, law firms, and even answering services. If they touch PHI, they're a business associate.

Here's what makes this real. In 2018, OCR settled with Advanced Care Hospitalists (ACH) for $500,000 after a business associate — a billing company — accessed patient records for over 400 individuals without proper authorization. ACH failed to have a business associate agreement (BAA) in place.

No BAA means no contractual safeguard. And OCR treats that gap as a violation in its own right.

Who the Privacy Rule Does NOT Apply To

This is where I see the most confusion during workforce training sessions. The Privacy Rule does not apply to:

  • Employers acting as employers — your HR department handling employment records (not health plan records) isn't covered.
  • Life insurers — unless they also function as health plans.
  • Workers' compensation carriers — though they may receive PHI from covered entities under specific disclosure rules.
  • Most schools and school districts — student health records typically fall under FERPA, not HIPAA.
  • Law enforcement agencies — though covered entities must follow specific rules when disclosing PHI to them.
  • Gym and fitness apps — consumer health apps that don't work on behalf of a covered entity generally fall outside HIPAA's reach.

That last one generates a lot of questions in 2026 as telehealth and health-tracking apps proliferate. The FTC, not HHS, tends to police health data in those consumer-facing apps.

The $5.55 Million Reminder From Memorial Healthcare

If you're wondering whether OCR actually enforces the Privacy Rule against covered entities, consider Memorial Healthcare System's $5.55 million settlement in 2017. Employees at the health system accessed PHI of 115,143 individuals without authorization, and the organization failed to implement adequate access controls or conduct regular audits.

Memorial is a covered entity — a health care provider. The Privacy Rule applied, and OCR enforced it. The lesson: being a covered entity means you own the responsibility for every workforce member who touches PHI, from front-desk staff to C-suite executives.

Why Your Staff Needs to Know This — Not Just Your Compliance Officer

I've sat in too many breach debriefs where the root cause was a single employee who didn't understand that the Privacy Rule applied to them personally. A nurse who texted a patient's lab results to a colleague's personal phone. A billing clerk who took a screenshot of a claim and posted it to a group chat. A receptionist who confirmed a patient's appointment to a caller without verifying identity.

Every one of these situations is preventable with targeted workforce training. If your clinical staff handles ePHI at the bedside, they need training built for their workflow — like our HIPAA training designed specifically for nurses and clinical staff.

If your team works in mental or behavioral health — where the Privacy Rule intersects with 42 CFR Part 2 and state confidentiality laws — generic training won't cut it. Our HIPAA course for mental and behavioral health professionals addresses those layered requirements head-on.

And for anyone in your organization who interacts with patients verbally — front desk, intake coordinators, nursing staff — hallway conversations and phone calls are disclosure vectors that rarely get the training attention they deserve. Our Verbal Disclosures: Watch What You Say module tackles exactly that.

The "Applies to Which of the Following" Cheat Sheet

If you need a quick reference — pin this to your compliance board:

  • Health plans — Yes, the Privacy Rule applies.
  • Health care clearinghouses — Yes.
  • Health care providers who transmit electronically — Yes.
  • Business associates of any of the above — Yes.
  • Your neighbor who happens to be a nurse but is off the clock — No (though they still have professional ethics obligations).
  • A fitness app with no ties to a covered entity — No.
  • An employer's general employment records — No.

Stop Guessing. Start Knowing.

Whether you're answering a compliance exam question or conducting a gap assessment for your organization, understanding exactly who the HIPAA Privacy Rule applies to is foundational. It shapes your risk analysis, your breach notification obligations, your BAA requirements, and your workforce training strategy.

I've watched organizations spend six figures on security tools while ignoring the basic question of whether their vendors even qualify as business associates. I've seen covered entities assume the Privacy Rule only applies to doctors and hospitals while their billing department operates without safeguards.

The Privacy Rule's scope isn't ambiguous. HHS defined it clearly. Your job is to make sure every person in your organization who touches PHI knows they're in scope — and knows what that means for every email, every phone call, and every conversation in a hallway.