A mental health counselor in private practice once told me she didn't need to worry about HIPAA because she wasn't a hospital. Six months later, HHS came knocking after a patient complaint about unsecured therapy notes stored in a shared Google Drive. She learned the hard way that the question of who must comply to HIPAA has a much wider answer than most people realize.

If you handle protected health information — PHI — in almost any capacity tied to healthcare, HIPAA likely applies to you. This post breaks down every category of organization and individual that falls under the law, explains the gray areas that trip people up, and gives you a practical framework to figure out exactly where your organization stands.

Who Must Comply to HIPAA: The Two Core Categories

HIPAA compliance obligations fall on two primary groups: covered entities and business associates. If your organization fits into either bucket, the Privacy Rule, Security Rule, and Breach Notification Rule all apply to you.

Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically in connection with a HIPAA-covered transaction. Business associates are individuals or organizations that perform services for — or on behalf of — a covered entity and access PHI in the process.

That's the textbook answer. But in practice, figuring out which category you belong to — or whether you belong to one at all — gets complicated fast.

Covered Entities: It's Not Just Hospitals

I've consulted with organizations ranging from solo chiropractors to multi-state insurance carriers. The one thing they all have in common? They're covered entities under HIPAA. Here's the full breakdown.

Healthcare Providers

Any provider who electronically transmits health information in connection with transactions like claims, benefit eligibility inquiries, or referral authorizations is a covered entity. This includes doctors, dentists, psychologists, nursing homes, pharmacies, urgent care clinics, and yes — that solo mental health counselor I mentioned.

The key trigger is electronic transmission. A physician who only accepts cash and never submits electronic claims might technically fall outside the definition. But the moment that practice sends a single electronic claim to a payer, HIPAA applies.

Health Plans

Health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and military health programs like TRICARE are all covered entities. Even employer-sponsored wellness programs that collect health data can qualify if they meet certain thresholds.

Employer-sponsored plans with fewer than 50 participants that are self-administered may be exempt. But once a third-party administrator gets involved, that administrator becomes a business associate, and the compliance chain kicks in.

Healthcare Clearinghouses

These are the middlemen — organizations that process nonstandard health information into standard formats (or vice versa). Billing services and repricing companies often fall into this category. If your organization converts data between providers and payers, you're almost certainly a covered entity.

Business Associates: The Compliance Net Widens

Before the HITECH Act of 2009, business associates operated in a gray zone. Not anymore. The Omnibus Rule of 2013 made business associates directly liable for HIPAA violations, subject to the same civil and criminal penalties as covered entities.

A business associate is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Think IT vendors managing ePHI on servers, shredding companies destroying paper records, billing companies processing claims, cloud storage providers hosting electronic health records, and attorneys reviewing medical cases.

Subcontractors Count Too

Here's where organizations consistently get caught off guard. If a business associate hires a subcontractor who also handles PHI, that subcontractor is also considered a business associate under HIPAA. The compliance obligation cascades down every level of the chain.

I've seen this play out painfully. A hospital contracts with a billing company. The billing company outsources coding to a small offshore firm. That offshore firm experiences a breach. The hospital, the billing company, and the offshore firm can all face OCR scrutiny.

The $4.3 Million Question: What Happens When You Get It Wrong

In 2016, Advocate Health Care Network agreed to a $5.55 million settlement with the HHS Office for Civil Rights after multiple breaches affecting millions of individuals. A key finding? Advocate failed to obtain satisfactory business associate agreements from several entities handling ePHI on its behalf. They didn't properly identify who in their network needed to comply. You can review OCR's enforcement results on the HHS breach settlement page.

That single failure — not identifying and binding business associates — cost them millions and years of corrective action plan oversight.

Who Doesn't Have to Comply with HIPAA?

This is the question I get asked almost as often as who must comply to HIPAA. Not every organization that touches health-related data is covered.

  • Life insurers that don't provide health coverage
  • Employers in their role as employers (though their group health plans are covered)
  • Workers' compensation carriers (in most contexts)
  • Schools and school districts — student health records are typically covered by FERPA, not HIPAA
  • Law enforcement agencies (though they may receive PHI under specific HIPAA exceptions)
  • Most fitness apps and consumer wearables — unless they're integrated with a covered entity's system

The distinction matters. A gym that collects member health surveys is not a covered entity. But a gym that partners with a health plan to share member wellness data as part of a covered program could become a business associate. Context is everything.

Hybrid Entities: When Only Part of Your Organization Is Covered

Large organizations like universities or conglomerates often have components that perform covered functions alongside components that don't. HIPAA allows these organizations to designate themselves as hybrid entities.

A university, for example, might have a student health clinic (covered) and an engineering department (not covered). By properly designating which components handle PHI, the university limits its HIPAA compliance obligations to only those components.

But the designation must be formal and documented. I've worked with hybrid entities that assumed they'd made the designation simply by having separate departments. That's not how OCR sees it. You need written documentation that clearly identifies the healthcare component.

What About Workforce Members?

HIPAA doesn't just regulate organizations — it reaches every individual within a covered entity's or business associate's workforce. Under the Privacy Rule, "workforce" includes employees, volunteers, trainees, and any person whose conduct is under the direct control of the entity, whether or not they're paid.

This is why workforce training is a regulatory requirement, not a nice-to-have. Every person in your organization who can access PHI must be trained on HIPAA policies and procedures. The HIPAA training catalog at HIPAACertify covers the exact content your staff needs — from privacy basics to security awareness — built specifically for covered entities and business associates.

Does HIPAA Apply to State-Licensed Providers Who Don't Bill Electronically?

This is one of the most frequently misunderstood gray areas. A licensed provider who never conducts a single electronic transaction covered under HIPAA is technically not a covered entity. But here's the practical reality: nearly every provider in 2026 submits at least one electronic claim, eligibility check, or referral. The threshold is one transaction.

Even if you currently operate entirely on paper, the moment you adopt an EHR system, submit an electronic claim, or use an e-prescribing platform, you become a covered entity. My advice? If you're a licensed healthcare provider, assume HIPAA applies to you and build your compliance program accordingly.

Three Steps to Determine Your Compliance Obligations

If you're still unsure where your organization falls, use this framework:

  • Step 1: Identify whether you're a covered entity. Do you provide healthcare, operate a health plan, or function as a clearinghouse? Do you transmit health information electronically in connection with a covered transaction?
  • Step 2: Map your business associate relationships. Who accesses, stores, transmits, or processes PHI on your behalf? Every one of those vendors needs a business associate agreement.
  • Step 3: Train your entire workforce. Compliance doesn't stop at contracts. Your people are your biggest vulnerability and your strongest defense. Structured HIPAA compliance training is the fastest way to close the gap.

The Bottom Line on Who HIPAA Covers

The reach of HIPAA is broader than most organizations expect. Covered entities, business associates, subcontractors, and every workforce member within those organizations bear compliance obligations. Misidentifying your status — or failing to identify the status of your vendors — doesn't create an exemption. It creates liability.

If your organization handles PHI in any form, the question isn't really whether HIPAA applies to you. It's whether you've built the systems, agreements, and training programs to prove it. The HHS covered entity guidance page is the best starting point for confirming your regulatory status. And once you know where you stand, make sure your entire team does too.