What are the HIPAA Compliance Regulations for Businesses?

HIPAA compliance regulations apply to a business only when it is a HIPAA Covered Entity, a Business Associate, or a subcontractor of a Business Associate that handles protected health information. A business in one of those roles must follow the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule through policies, safeguards, contracting, workforce controls, documentation, and incident response that govern how protected health information is used, disclosed, protected, and reported.

A business becomes a HIPAA Covered Entity when it operates as a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information in electronic form in connection with covered transactions. A business becomes a Business Associate when it creates, receives, maintains, or transmits protected health information on behalf of a HIPAA Covered Entity or another Business Associate to perform functions or services such as claims processing, billing, data analysis, utilization review, quality assurance, legal services, accounting, IT support, cloud hosting, or software services that involve protected health information. Businesses outside these roles are not regulated by HIPAA for the information they hold as non-covered data, which includes many consumer health data uses that fall outside a covered relationship.

The HIPAA Privacy Rule governs permitted uses and disclosures of protected health information and requires administrative controls that support patient rights where applicable, verification of identity and authority, minimum necessary practices for many non-treatment activities, and documentation of policies and procedures. The HIPAA Security Rule applies when the business creates, receives, maintains, or transmits electronic protected health information and requires administrative, physical, and technical safeguards supported by a documented risk analysis and risk management actions that address access control, audit controls, transmission security, device and media handling, contingency planning, and workforce security. Business Associate Agreements are required when protected health information is handled for a Covered Entity or Business Associate, and subcontractors that handle protected health information must be governed through written agreements that impose the same restrictions and conditions.

The HIPAA Breach Notification Rule requires procedures to identify and investigate impermissible uses or disclosures of unsecured protected health information, perform the required breach risk assessment, and provide notifications when a breach is determined, with responsibilities that differ based on whether the business is a Covered Entity or Business Associate. Compliance evidence is part of the regulatory obligation, including maintaining policies, procedures, training records, risk analysis documentation, risk management tracking, vendor agreements, access administration records, and incident documentation for audit and enforcement purposes.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA