In 2023, OCR settled with a dental practice in New England for $50,000 after finding it had no policies implementing the Privacy Rule — despite having operated for over a decade. The practice's defense? They believed HIPAA only applied to hospitals and insurance companies. Understanding who is required to comply with the HIPAA Privacy Rule is not optional knowledge — it is the foundation of every compliance program, and getting it wrong exposes your organization to enforcement actions, civil penalties, and reputational damage.

Who Is Required to Comply with the HIPAA Privacy Rule: The Two Categories

The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, applies to two distinct categories of organizations: covered entities and business associates. If your organization falls into either category, every provision of the Privacy Rule applies to you — from the minimum necessary standard to the requirement to provide a Notice of Privacy Practices.

There is no size exemption. A solo-practitioner therapist and a 5,000-bed hospital system carry the same core obligations under the rule. OCR has made this abundantly clear through enforcement actions targeting organizations of every scale.

Covered Entities: The Three Types You Need to Know

The Privacy Rule defines three types of covered entities under 45 CFR §160.103:

  • Health care providers — Any provider who transmits health information electronically in connection with a HIPAA-covered transaction. This includes physicians, dentists, chiropractors, pharmacies, nursing homes, and clinics. The key trigger is electronic transmission of transactions like claims, eligibility inquiries, or referral authorizations.
  • Health plans — Health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and military/veterans' health programs. If your entity pays for or arranges medical care, you are almost certainly a health plan under HIPAA.
  • Health care clearinghouses — Organizations that process nonstandard health information into standard formats (or vice versa). Billing services and repricing companies often fall into this category.

In my work with covered entities, the most common blind spot is among smaller health care providers who assume that because they do not file claims electronically themselves, they are not covered. If a billing company files electronic claims on your behalf, you are still a covered entity.

Business Associates: The Obligation Most Organizations Overlook

Before the Omnibus Rule of 2013, business associates had limited direct liability under HIPAA. That changed dramatically. Today, any person or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity is a business associate — and is directly subject to the Privacy Rule's use and disclosure provisions, the Security Rule, and the Breach Notification Rule.

Common examples of business associates include:

  • IT service providers with access to systems containing PHI
  • Cloud storage vendors hosting electronic health records
  • Attorneys and accountants who receive PHI to perform services
  • Medical transcription companies
  • Shredding and document destruction companies that handle PHI

Every relationship between a covered entity and a business associate must be governed by a written business associate agreement (BAA) under 45 CFR §164.502(e). Operating without a BAA is itself a HIPAA violation — one that OCR has penalized repeatedly.

Subcontractors of Business Associates Are Also Covered

The Omnibus Rule extended compliance obligations downstream. If your business associate hires a subcontractor who will handle PHI, that subcontractor is also considered a business associate and must sign a BAA. This chain of accountability is one of the most underestimated aspects of HIPAA compliance.

Health care organizations consistently struggle with tracking these downstream relationships. Your compliance program must include a business associate inventory — a living document that maps every entity touching PHI on your behalf.

Who Is NOT Required to Comply

Not every organization that handles health-related data falls under HIPAA's jurisdiction. The following are generally not required to comply with the HIPAA Privacy Rule:

  • Life insurers
  • Employers (in their role as employers, not as health plan sponsors)
  • Workers' compensation carriers
  • Most schools and school districts (governed by FERPA instead)
  • Law enforcement agencies
  • Consumer health apps that do not act on behalf of a covered entity

However, this is where nuance matters. An employer that sponsors a group health plan does have HIPAA obligations related to that plan. A health app that integrates with a covered entity's EHR through a BAA does become a business associate. Context determines coverage.

The Workforce Training Requirement Most Organizations Underestimate

Knowing who is required to comply with the HIPAA Privacy Rule is only the starting point. Under 45 CFR §164.530(b), every covered entity must train all members of its workforce on its Privacy Rule policies and procedures. This includes employees, volunteers, trainees, and any person under the organization's direct control — whether or not they are paid.

Training must occur within a reasonable period after a person joins the workforce, and again whenever material changes are made to policies. OCR does not accept "we planned to train them" as a defense during an investigation. Documentation of completed training is essential.

If your organization needs a structured approach to meeting this requirement, HIPAA training and certification programs provide role-specific education that satisfies the workforce training standard and generates the documentation OCR expects to see.

Risk Analysis: The Compliance Obligation That Ties Everything Together

Once you have established that your organization must comply, the next mandatory step is a thorough risk analysis under the Security Rule (45 CFR §164.308(a)(1)). OCR's enforcement data shows that failure to conduct a risk analysis is the single most cited deficiency in resolution agreements and corrective action plans.

A proper risk analysis identifies where PHI lives in your environment, how it flows between systems and personnel, and what vulnerabilities threaten its confidentiality, integrity, and availability. Without it, your Privacy Rule compliance is built on assumptions rather than evidence.

What Happens When Covered Organizations Fail to Comply

OCR enforces the Privacy Rule through investigations triggered by complaints, breach reports, and compliance reviews. Penalties under the HITECH Act's tiered structure range from $137 per violation (for unknowing violations) up to approximately $2.1 million per violation category per year — figures adjusted periodically for inflation.

Beyond financial penalties, OCR can impose corrective action plans lasting two or more years, requiring monitored remediation of every deficiency found. The reputational cost of appearing on OCR's public breach portal — commonly known as the "Wall of Shame" — can be even more damaging.

Take Action Before OCR Comes Knocking

If you are unsure whether your organization qualifies as a covered entity or business associate, the time to resolve that question is now — not during an OCR investigation. Map your data flows, identify every entity handling PHI, execute BAAs, and build a workforce training program that is documented and repeatable.

HIPAA Certify's workforce compliance platform helps organizations of every size implement the training, documentation, and policy infrastructure the Privacy Rule demands. Compliance is not a one-time project — it is an ongoing operational obligation, and the organizations that treat it that way are the ones OCR never needs to investigate.