What Businesses Must Be HIPAA Compliant?

What is HIPAA Compliance?

The term “HIPAA compliance” gets thrown around a lot, but few people actually know what it entails. In short, HIPAA compliance is the process by which organizations ensure that they are adhering to the strict privacy and security regulations set forth by the Health Insurance Portability and Accountability Act (HIPAA).

Organizations that are subject to HIPAA must take measures to protect the privacy of patients’ protected health information (PHI), as required by the HIPAA Privacy Rule. They must also put in place the administrative, physical, and technical safeguards required by the HIPAA Security Rule to protect electronic PHI (ePHI), starting with a documented risk analysis of where ePHI is created, received, maintained, and transmitted.

What Businesses Must Be HIPAA Compliant?

While HIPAA applies to a wide range of organizations, there are three main types of entities that must be compliant:

  1. Covered entities
  2. Business associates
  3. Subcontractors

Let’s take a closer look at each of these:

Covered Entities

A covered entity is an organization that falls into one of three categories defined by HIPAA: health care providers (hospitals, clinics, physicians, dentists, pharmacies, and similar), health plans (insurance companies, HMOs, employer-sponsored group health plans, and government programs such as Medicare and Medicaid), and health care clearinghouses, which convert health information between standard and non-standard formats. Health plans and clearinghouses are covered entities by definition. A health care provider is a covered entity only if it transmits health information electronically, directly or through a billing service or clearinghouse acting on its behalf, in connection with a transaction for which HHS has adopted a standard (such as electronic claims submission or eligibility inquiries). Simply storing or maintaining PHI, on paper or otherwise, does not by itself make a provider a covered entity, although state privacy laws may still apply.

Business Associates

A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or that provides services to a covered entity involving the use or disclosure of PHI. This includes third-party billing companies, transcription services, law firms and consultants that need PHI to do their work, and IT, hosting, and cloud providers that store or process PHI, even if they never look at it. Business associates must sign a HIPAA Business Associate Agreement (BAA) with the covered entity that sets out the permitted uses and disclosures of PHI and requires appropriate safeguards and breach reporting. Since the 2013 Omnibus Rule, business associates are also directly liable under HIPAA for complying with the Security Rule and with the Privacy Rule provisions that apply to them, so a BAA is a requirement, not a substitute for an actual security program.

Subcontractors

A subcontractor is, in effect, a business associate of a business associate: an organization that creates, receives, maintains, or transmits PHI on behalf of a business associate. Under the Omnibus Rule a subcontractor that handles PHI is itself a business associate, so the obligations flow down the chain. The business associate must sign a BAA with each such subcontractor, and the subcontractor must in turn sign one with any of its own subcontractors that handle PHI. A practical consequence is that a covered entity should know every downstream party that can access its PHI, for example the hosting provider behind a SaaS vendor, and confirm that a BAA exists at each link.

What Are the Consequences of Non-Compliance?

The consequences of non-compliance with HIPAA can be severe. HHS’s Office for Civil Rights (OCR) can impose civil monetary penalties that are tiered by level of culpability, from violations the organization did not know about to willful neglect that is left uncorrected, ranging up to $50,000 per violation under the statute (the figures are adjusted for inflation), with an annual cap for all violations of an identical provision. Knowing violations can also be prosecuted criminally, with penalties of up to $250,000 in fines and 10 years in prison for the most serious offenses, such as obtaining or disclosing PHI with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm. State attorneys general can bring civil actions under HIPAA as well.

In addition to financial penalties, HIPAA violations can also damage an organization’s reputation. Patients are increasingly concerned about the privacy of their health information, and they may be hesitant to do business with an organization that cannot protect their PHI. Also, the media often covers HIPAA violations, which can further tarnish an organization’s reputation.

Organizations should therefore treat HIPAA compliance as an ongoing program rather than a one-time checkbox: conduct and document a risk analysis, put policies and procedures in place to protect the privacy and security of PHI, train employees on those policies and procedures so that they are actually followed, and revisit all of it whenever systems, vendors, or workflows change.

If you need help getting started with HIPAA compliance, contact a managed service provider, and make sure it is willing to sign a BAA itself, since an MSP that touches your systems will be handling PHI. A good provider can help you assess your risks and put in place the necessary safeguards to protect your PHI.