Who Must Comply with HIPAA: A Decision Framework for Covered Entities and Business Associates
IBM’s 2023 Cost of a Data Breach Report found that healthcare organizations faced an average breach cost of $10.93 million, the highest of any industry. Regulatory penalties compound that exposure. HHS has assessed civil monetary penalties against organizations of every size, from solo practices to large hospital networks.
The question many SMB owners and IT managers cannot confidently answer is more basic: does HIPAA even apply to my organization?
This article walks through a practical decision framework to help you determine whether HIPAA applies to your organization, which regulatory category you fall under, and what that classification requires of you.
What HIPAA Is and Why Applicability Isn’t Automatic
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA), together with the rules HHS issued under it (the Privacy Rule, the Security Rule, and the Breach Notification Rule), establishes federal standards governing how individually identifiable health information can be used, stored, and shared.
The Department of Health and Human Services (HHS) administers HIPAA through its Office for Civil Rights (OCR), the body responsible for investigations, compliance audits, and civil monetary penalties. HHS OCR does not limit enforcement to large institutions.
HIPAA applies only to specific categories of entities defined in the regulation itself, not to every organization that handles health-related data.
Whether HIPAA applies to your organization depends on what your organization does and how it relates to healthcare transactions, not on your industry label alone.
The Three Categories of Covered Entities Under HIPAA
HIPAA defines three types of covered entities, each carrying direct compliance obligations under the law:
- Health plans: Any organization that pays for or provides healthcare coverage, including private health insurers, employer-sponsored group health plans, Medicare, Medicaid programs, and HMOs. An employer that self-insures its group health plan qualifies as a covered entity with respect to that plan. One exception matters for very small employers: a group health plan with fewer than 50 participants that is administered solely by the employer is excluded from the definition.
- Healthcare providers: Physicians, hospitals, pharmacies, clinics, therapists, and other providers that transmit health information electronically in connection with transactions for which HHS has adopted standards, such as submitting claims, verifying patient eligibility, or requesting prior authorizations.
- Healthcare clearinghouses: Entities that translate nonstandard health data into standard HIPAA-compliant formats, or convert standard formats into nonstandard ones, typically on behalf of payers or providers.
One nuance applies specifically to providers: the electronic transaction requirement is a threshold condition (health plans and clearinghouses are covered regardless). A provider that handles all billing on paper and never conducts a standard transaction electronically does not meet the covered entity definition. Using a billing service or clearinghouse to submit claims electronically on the provider's behalf still counts as transmitting electronically. All-paper practices are uncommon now, but the rule matters.
Most SMBs outside the healthcare industry are not covered entities. Many are still subject to HIPAA through a different classification entirely.
When Your Business Qualifies as a Business Associate
A business associate is any person or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. Business associate status is determined by what you do, not by your industry sector or company label.
Common SMB categories that trigger business associate status:
- Managed IT providers supporting networks or systems where PHI is stored or transmitted
- Medical billing companies that process claims on behalf of providers
- Legal and accounting firms that access patient records or healthcare financials for covered-entity clients
- Cloud storage and SaaS vendors hosting platforms where patient data resides. Per HHS cloud computing guidance, a cloud provider that stores ePHI is a business associate even if the data is encrypted and the provider never holds the decryption key.
- Document management and shredding companies that handle physical or digital patient records
The only carve-out is the narrow "conduit" exception for organizations that merely transport PHI without routinely accessing it, such as the postal service, couriers, and ISPs; it does not extend to anyone who stores PHI, even temporarily.
Business associates have been directly subject to HIPAA's Security Rule and certain Privacy Rule provisions since the HITECH Act and the 2013 Omnibus Rule. A vendor cannot opt out of those obligations by declining to sign a Business Associate Agreement (BAA).
The BAA is a required written contract. Both parties must execute it before the covered entity shares PHI with any vendor or service provider. Its absence creates liability for both parties without eliminating either party’s underlying compliance obligations.
Downstream subcontractors who receive PHI from a business associate are business associates in their own right and require their own BAAs with the business associate above them in the chain.
If your organization qualifies as a business associate and lacks a formal compliance program, our HIPAA compliance services page outlines what a structured engagement looks like.
PHI: The Data Category That Activates Your Obligations
Protected health information (PHI) is any individually identifiable health information, held or transmitted by a covered entity or business associate, that connects a person's identity to their past, present, or future health condition, the care they received, or payment for that care. The definition is intentionally broad, and its scope surprises many SMB operators.
HHS's Safe Harbor de-identification method lists 18 identifier types. Health information linked to any of them is PHI, and all 18 must be removed for data to count as de-identified under that method. They include:
- Names
- Geographic data smaller than a state (street address, city, county, ZIP code), except that the first three digits of a ZIP code may remain where that three-digit area contains more than 20,000 people
- All elements of dates other than the year (birth, admission, discharge, death), plus any age over 89 unless aggregated into a single "90 or older" category
- Phone numbers, fax numbers, and email addresses
- Social Security numbers
- Medical record numbers, health plan beneficiary numbers, and account numbers
- Device and vehicle identifiers, IP addresses, URLs, biometric identifiers, and full-face photographs
Electronic PHI (ePHI) is PHI created, stored, or transmitted in electronic form. The Security Rule targets ePHI specifically and requires administrative, physical, and technical safeguards. Health data de-identified per HHS standards falls outside HIPAA's scope entirely. HHS recognizes two methods: Safe Harbor (all 18 identifiers removed, and no actual knowledge that the remaining information could identify the individual) and Expert Determination (a qualified expert documents that the risk of re-identification is very small).
PHI surfaces in places organizations don’t always anticipate, including:
- Automated backup systems
- IT support tickets
- Email threads
- Shared file drives
The Security Rule's risk analysis requires you to identify every system in which ePHI is created, received, maintained, or transmitted, so a full data-flow mapping is the required first step, not an optional exercise.
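As an added illustration (not part of the original article and not a LeadingIT tool), the following Python script applies the Safe Harbor rules above to free text of the kind that turns up in support tickets, email threads, and file shares: it finds the pattern-detectable identifiers, keeps only the year of any date, truncates ZIP codes to three digits (changing the prefixes HHS's guidance lists as low-population to 000), and caps ages at "90+". The sample ticket, the MRN format, and the bracketed placeholder labels are constructed for the example. Names and city names are deliberately not handled, because regular expressions cannot detect them reliably; those need structured fields or a dictionary/NLP pass.

```python
"""Safe Harbor style scan-and-redact for free text that may contain PHI.

Added example, not from the article. Sample data below is fictional.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    category: str     # which identifier class matched
    original: str     # text as found
    replacement: str  # text after redaction


# Three-digit ZIP prefixes that HHS's de-identification guidance lists (based
# on 2000 Census data) as covering 20,000 or fewer people. Safe Harbor requires
# these to become 000. Re-check against current HHS guidance before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def _rules(reference_year):
    def keep_year(m):
        y = int(m.group("y"))
        # A year more than 89 years back reveals an age over 89, which Safe
        # Harbor also requires removing; otherwise the year alone may stay.
        return "[DATE]" if reference_year - y > 89 else str(y)

    def cap_age(m):
        return m.group(1) + ("90+" if int(m.group(2)) > 89 else m.group(2))

    def zip3(m):
        prefix = "000" if m.group(2) in RESTRICTED_ZIP3 else m.group(2)
        return m.group(1) + prefix + "XX"

    # Order matters: specific, longer patterns run before the generic ones
    # (e.g. SSN and phone before the ZIP rule, URL before the date rule).
    return [
        ("email",  re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), lambda m: "[EMAIL]"),
        ("url",    re.compile(r"https?://[^\s,;)]+"), lambda m: "[URL]"),
        ("ip",     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), lambda m: "[IP]"),
        ("ssn",    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: "[SSN]"),
        ("phone",  re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), lambda m: "[PHONE]"),
        # "MRN 00447192" is a made-up record-number format for this example.
        ("mrn",    re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.I), lambda m: "[MRN]"),
        ("street", re.compile(r"\b\d{1,6}\s+(?:[A-Z][a-z]+\s+)+"
                              r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive|Ln|Lane)\b"),
                   lambda m: "[STREET]"),
        ("date",   re.compile(r"\b\d{1,2}/\d{1,2}/(?P<y>\d{4})\b"), keep_year),
        ("date",   re.compile(r"\b(?P<y>\d{4})-\d{2}-\d{2}\b"), keep_year),
        ("age",    re.compile(r"\b((?:age|aged)\s+)(\d{1,3})\b", re.I), cap_age),
        # ZIP only when preceded by a state abbreviation, to avoid eating
        # arbitrary five-digit numbers; the state itself may remain.
        ("zip",    re.compile(r"\b([A-Z]{2}\s+)(\d{3})\d{2}(?:-\d{4})?\b"), zip3),
    ]


def redact(text, reference_year=None):
    """Return (redacted_text, findings).

    Names and city names are NOT handled: detecting them reliably needs
    structured fields or an NLP/dictionary pass, not regular expressions.
    """
    reference_year = reference_year or date.today().year
    findings = []
    for category, pattern, repl in _rules(reference_year):
        def sub(m, category=category, repl=repl):
            new = repl(m)
            if new != m.group(0):
                findings.append(Finding(category, m.group(0), new))
            return new
        text = pattern.sub(sub, text)
    return text, findings


def contains_phi(text, reference_year=None):
    """True if any identifier needed redaction: useful as a pre-commit or
    ticket-submission gate, and as a first pass when mapping where PHI lives."""
    return bool(redact(text, reference_year)[1])


# Constructed support ticket (fictional people, numbers and addresses).
SAMPLE_TICKET = """Ticket #4821 - Printer queue stuck at front desk
Patient Jane Doe (MRN 00447192) called from 815-555-0134, jane.doe@example.com,
about a bill mailed to 123 Main St, Crystal Lake, IL 60014.
DOB 01/12/1931, age 94; discharge 2024-11-03; SSN 123-45-6789 on the scan.
Workstation 10.20.30.41 uploaded the PDF to https://files.example.test/q/9f2a
"""

if __name__ == "__main__":
    clean, found = redact(SAMPLE_TICKET, reference_year=2025)
    print(clean)
    for f in found:
        print(f"{f.category:7} {f.original!r} -> {f.replacement!r}")
```

Run it and the ticket comes back with the MRN, phone, email, street, SSN, IP, and URL replaced by placeholders, the 1931 date of birth dropped entirely (it implies an age over 89), the discharge date reduced to its year, the age shown as "90+", and the ZIP as "600XX". "Jane Doe" and "Crystal Lake" survive, which is exactly the gap a regex-only approach leaves and why de-identification of free text should not be trusted without review or a stronger detector.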
The HIPAA Privacy Rule and Security Rule: What Each One Requires
Two primary rules define what compliance looks like in practice. A third addresses what happens when PHI is compromised.
- The Privacy Rule sets standards for permissible uses and disclosures of PHI, establishes patient rights over their own health information, and requires covered entities to publish a Notice of Privacy Practices. It applies to PHI in any form: oral, written, or electronic.
- The Security Rule applies to ePHI specifically. It requires three categories of safeguards:
- Administrative: risk analysis and risk management, workforce training, access management policies
- Physical: facility access controls, workstation policies, device and media disposal
- Technical: access controls, audit logging, integrity controls, person or entity authentication, and transmission security. Encryption at rest and in transit is an "addressable" specification under the current rule: you must implement it or document why an equivalent alternative is reasonable. Because unencrypted PHI is "unsecured" for breach notification purposes, declining to encrypt is rarely defensible.
Business associates must comply with the Security Rule in full.
- The Breach Notification Rule requires notification when unsecured PHI is compromised. "Unsecured" means not rendered unusable, unreadable, or indecipherable by the encryption or destruction methods HHS specifies, so properly encrypted data that is lost or stolen generally does not trigger notification. Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, notify HHS (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual log), and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. Business associates must notify the covered entity, which then handles the notifications. Many organizations learn this requirement exists only after they need to apply it.
Per HHS OCR, civil penalties range from $145 to $73,011 per violation, with an annual cap of $2,190,294 per violation category per year; these amounts are adjusted annually for inflation and scale by culpability tier.
A Decision Framework: Does HIPAA Apply to Your Organization?
Work through these five questions in sequence. Your answers determine your HIPAA status and your highest-priority next steps.
- Are you a health plan, a healthcare provider that submits electronic transactions, or a clearinghouse? If yes, you are a covered entity. Both the Privacy Rule and the Security Rule apply directly to your operations.
- Do you provide services to a covered entity that involve creating, receiving, maintaining, or transmitting PHI on their behalf? If yes, you are a business associate regardless of your own industry, and HIPAA obligations follow.
- Is a signed BAA in place with every covered-entity client that shares PHI with you? If not, executing those agreements is your highest-priority immediate action. Both parties carry exposure until proper contracts are in place.
- Do any of your systems store or process ePHI? If yes, Security Rule requirements apply: a documented risk analysis, access controls, audit logging, encryption at rest and in transit, and a documented incident response plan.
- Is your compliance position documented? HHS expects organizations to perform and record a formal risk analysis. An undocumented assumption that HIPAA does not apply provides no protection during an audit or investigation.
If your analysis determines HIPAA does not apply to your organization, document that conclusion formally. Other frameworks may still govern your data practices. Our FTC compliance services page explains how the FTC Safeguards Rule creates parallel obligations for many non-HIPAA businesses that handle sensitive consumer financial information.
HIPAA compliance is not a one-time project. It requires ongoing risk analysis, documented policies, trained staff, and technical controls that evolve as your organization changes.
For SMBs that discover they qualify as covered entities or business associates, the most common failure point is not deliberate violation. It is undocumented processes, unmapped data flows, and vendor relationships operating without proper agreements.
Organizations of any size can build a structured compliance program. Start by mapping where PHI exists in your systems, confirm every vendor BAA is current, and conduct the formal risk analysis HHS requires. If your internal team doesn’t have the bandwidth to manage that process, a compliance-focused IT partner provides the structure and accountability the work demands.
When HIPAA compliance becomes a managed risk rather than a recurring crisis, your team can focus on the work that actually moves the business forward.
LeadingIT provides managed IT and cybersecurity services to businesses with 25–250 employees across Chicagoland, including endpoint protection, 24/7 monitoring, incident response, vCIO guidance, and compliance support. We solve problems before they reach your inbox.
Contact our Chicagoland IT support team or call 815-788-6041 to schedule a free assessment.