eastbaycyber

What Is HIPAA and Who Must Comply?

FAQs 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Short answer

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a U.S. legal framework that sets rules for protecting certain health information. It applies primarily to:

  • Covered entities, such as many healthcare providers, health plans, and healthcare clearinghouses
  • Business associates that handle protected health information on behalf of covered entities

HIPAA is a U.S. healthcare privacy and security law that governs how certain organizations protect health information. In practice, HIPAA compliance mainly applies to covered entities and many business associates that create, receive, maintain, or transmit protected health information, also called PHI.

Detailed Explanation

HIPAA is best understood as a regulatory framework for protecting certain healthcare information in the United States. While the law covers more than one topic, the parts most relevant to security and compliance teams focus on:

  • Privacy
  • Security
  • Breach notification

These rules affect how regulated organizations collect, use, store, share, and protect sensitive health information.

What HIPAA Protects

HIPAA focuses on protected health information, commonly called PHI. Broadly, PHI is individually identifiable health information related to a person’s:

  • Health condition
  • Healthcare treatment
  • Payment for healthcare

Examples may include:

  • Medical records
  • Lab results
  • Billing records
  • Insurance details tied to a person
  • Appointment information connected to an identifiable individual
  • Other healthcare-related records linked to a specific person

Whether data qualifies as PHI depends on context, not just the type of data. Information becomes more likely to fall under HIPAA when it identifies a person and relates to healthcare or payment for healthcare.

Who Must Comply With HIPAA

HIPAA does not apply to every company that handles health-related information. It mainly applies to two categories.

Covered Entities

Covered entities generally include:

  • Health plans
  • Healthcare clearinghouses
  • Healthcare providers that transmit certain health information electronically in connection with covered transactions

This last category matters because not every provider or health-related business automatically falls under HIPAA. The law uses specific definitions, so whether an organization is a covered entity depends on how it operates and what types of transactions it performs.

Business Associates

A business associate is generally a person or organization that creates, receives, maintains, or transmits PHI for a covered entity while providing services.

Examples may include certain:

  • Cloud service providers
  • Billing vendors
  • Managed IT providers
  • Data hosting providers
  • Claims processors
  • Document management vendors
  • Security service providers with access to regulated systems or data

That means HIPAA can apply to more than hospitals and clinics. Vendors supporting regulated healthcare operations may also have direct responsibilities.

Why Scope Matters

A common mistake is assuming HIPAA only matters to doctors, hospitals, and insurers. In reality, many third parties become part of the compliance picture when they handle PHI in support of a covered entity.

For security and compliance teams, the first question is usually:

Are we a covered entity, a business associate, or outside HIPAA scope?

That scoping decision affects:

  • Contracts and BAAs
  • Risk assessments
  • Access controls
  • Logging and monitoring
  • Vendor oversight
  • Incident response
  • Employee training

What HIPAA Requires at a High Level

HIPAA is not one short checklist. It includes multiple rules and implementation requirements. At a practical level, organizations in scope usually need to address the following areas.

Administrative Safeguards

These include management and governance controls such as:

  • Risk analysis
  • Security policies and procedures
  • Workforce training
  • Access management
  • Sanction policies
  • Ongoing risk management

Physical Safeguards

These focus on protecting facilities and devices, including:

  • Facility access controls
  • Workstation security
  • Device and media handling
  • Secure disposal practices

Technical Safeguards

These include security controls such as:

  • Access controls
  • Audit controls
  • Integrity protections
  • User authentication
  • Transmission security

A password manager such as 1Password can support strong credential hygiene for staff, especially where unique passwords and secure access management are required across regulated systems.

Privacy Controls

HIPAA also governs how PHI may be used and disclosed, along with certain patient rights involving access to information and privacy practices.

Breach Response

Organizations in scope need processes for:

  • Identifying potential breaches
  • Investigating incidents
  • Documenting findings
  • Notifying affected parties and regulators when required

HIPAA Compliance Is Not Just Paperwork

Many organizations treat HIPAA as a documentation exercise. That is a mistake. If your organization is in scope, compliance requires operational controls that work in practice.

Examples include:

  • Role-based access to PHI
  • Multi-factor authentication where appropriate
  • Logging and monitoring on regulated systems
  • Secure vendor management
  • Encryption strategies
  • Workforce security awareness
  • Incident response planning
  • Periodic risk analysis and remediation

If endpoints are used to access or store regulated data, endpoint protection can also support broader HIPAA security efforts. A product like Malwarebytes may help smaller organizations strengthen endpoint defenses, though it should be part of a larger compliance and security program rather than a standalone solution.

Common Misconceptions

No. HIPAA applies to specific regulated roles, mainly covered entities and business associates. A company may handle health-related information without automatically being subject to HIPAA.

“If We Encrypt Data, We Are HIPAA Compliant.”

False. Encryption is useful, but HIPAA compliance is broader than any single control. Governance, training, access reviews, monitoring, and breach response still matter.

“Only Healthcare Providers Have HIPAA Obligations.”

Incorrect. Many vendors and service providers can qualify as business associates if they handle PHI for covered entities.

“HIPAA Compliance Is a One-Time Certification.”

No. HIPAA compliance is ongoing. Systems change, staff changes, vendors change, and threats change. Controls need to be maintained over time.

“HIPAA Is Only About Privacy.”

Not true. HIPAA includes privacy requirements, but it also includes security and breach notification obligations. For security teams, that means both technical and administrative controls matter.

  • What Is PHI?
  • What Is the HIPAA Security Rule?

The practical takeaway is simple: HIPAA is a U.S. framework for protecting certain health information, and it mainly applies to covered entities and business associates. If your organization handles PHI in one of those roles, you need real privacy, security, and breach response controls, not just policy language.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.