What Is HIPAA and Who Must Comply?
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a U.S. legal framework that sets rules for protecting certain health information. It applies primarily to:
- Covered entities, such as many healthcare providers, health plans, and healthcare clearinghouses
- Business associates that handle protected health information on behalf of covered entities
HIPAA is a U.S. healthcare privacy and security law that governs how certain organizations protect health information. In practice, HIPAA compliance mainly applies to covered entities and many business associates that create, receive, maintain, or transmit protected health information, also called PHI.
Detailed Explanation
HIPAA is best understood as a regulatory framework for protecting certain healthcare information in the United States. While the law covers more than one topic, the parts most relevant to security and compliance teams focus on:
- Privacy
- Security
- Breach notification
These rules affect how regulated organizations collect, use, store, share, and protect sensitive health information.
What HIPAA Protects
HIPAA focuses on protected health information, commonly called PHI. Broadly, PHI is individually identifiable health information related to a person’s:
- Health condition
- Healthcare treatment
- Payment for healthcare
Examples may include:
- Medical records
- Lab results
- Billing records
- Insurance details tied to a person
- Appointment information connected to an identifiable individual
- Other healthcare-related records linked to a specific person
Whether data qualifies as PHI depends on context, not just the type of data. Information becomes more likely to fall under HIPAA when it identifies a person and relates to healthcare or payment for healthcare.
Who Must Comply With HIPAA
HIPAA does not apply to every company that handles health-related information. It mainly applies to two categories.
Covered Entities
Covered entities generally include:
- Health plans
- Healthcare clearinghouses
- Healthcare providers that transmit certain health information electronically in connection with covered transactions
This last category matters because not every provider or health-related business automatically falls under HIPAA. The law uses specific definitions, so whether an organization is a covered entity depends on how it operates and what types of transactions it performs.
Business Associates
A business associate is generally a person or organization that creates, receives, maintains, or transmits PHI for a covered entity while providing services.
Examples may include certain:
- Cloud service providers
- Billing vendors
- Managed IT providers
- Data hosting providers
- Claims processors
- Document management vendors
- Security service providers with access to regulated systems or data
That means HIPAA can apply to more than hospitals and clinics. Vendors supporting regulated healthcare operations may also have direct responsibilities.
Why Scope Matters
A common mistake is assuming HIPAA only matters to doctors, hospitals, and insurers. In reality, many third parties become part of the compliance picture when they handle PHI in support of a covered entity.
For security and compliance teams, the first question is usually:
Are we a covered entity, a business associate, or outside HIPAA scope?
That scoping decision affects:
- Contracts and BAAs
- Risk assessments
- Access controls
- Logging and monitoring
- Vendor oversight
- Incident response
- Employee training
What HIPAA Requires at a High Level
HIPAA is not one short checklist. It includes multiple rules and implementation requirements. At a practical level, organizations in scope usually need to address the following areas.
Administrative Safeguards
These include management and governance controls such as:
- Risk analysis
- Security policies and procedures
- Workforce training
- Access management
- Sanction policies
- Ongoing risk management
Physical Safeguards
These focus on protecting facilities and devices, including:
- Facility access controls
- Workstation security
- Device and media handling
- Secure disposal practices
Technical Safeguards
These include security controls such as:
- Access controls
- Audit controls
- Integrity protections
- User authentication
- Transmission security
A password manager such as 1Password can support strong credential hygiene for staff, especially where unique passwords and secure access management are required across regulated systems.
Privacy Controls
HIPAA also governs how PHI may be used and disclosed, along with certain patient rights involving access to information and privacy practices.
Breach Response
Organizations in scope need processes for:
- Identifying potential breaches
- Investigating incidents
- Documenting findings
- Notifying affected parties and regulators when required
HIPAA Compliance Is Not Just Paperwork
Many organizations treat HIPAA as a documentation exercise. That is a mistake. If your organization is in scope, compliance requires operational controls that work in practice.
Examples include:
- Role-based access to PHI
- Multi-factor authentication where appropriate
- Logging and monitoring on regulated systems
- Secure vendor management
- Encryption strategies
- Workforce security awareness
- Incident response planning
- Periodic risk analysis and remediation
If endpoints are used to access or store regulated data, endpoint protection can also support broader HIPAA security efforts. A product like Malwarebytes may help smaller organizations strengthen endpoint defenses, though it should be part of a larger compliance and security program rather than a standalone solution.
Common Misconceptions
“HIPAA Applies to Any Company With Health-Related Data.”
No. HIPAA applies to specific regulated roles, mainly covered entities and business associates. A company may handle health-related information without automatically being subject to HIPAA.
“If We Encrypt Data, We Are HIPAA Compliant.”
False. Encryption is useful, but HIPAA compliance is broader than any single control. Governance, training, access reviews, monitoring, and breach response still matter.
“Only Healthcare Providers Have HIPAA Obligations.”
Incorrect. Many vendors and service providers can qualify as business associates if they handle PHI for covered entities.
“HIPAA Compliance Is a One-Time Certification.”
No. HIPAA compliance is ongoing. Systems change, staff changes, vendors change, and threats change. Controls need to be maintained over time.
“HIPAA Is Only About Privacy.”
Not true. HIPAA includes privacy requirements, but it also includes security and breach notification obligations. For security teams, that means both technical and administrative controls matter.
Related Reading
- What Is PHI?
- What Is the HIPAA Security Rule?
The practical takeaway is simple: HIPAA is a U.S. framework for protecting certain health information, and it mainly applies to covered entities and business associates. If your organization handles PHI in one of those roles, you need real privacy, security, and breach response controls, not just policy language.
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.