The following entities must follow The Health Insurance Portability and Accountability Act (HIPAA) regulations. The law refers to these as “covered entities”:

  • Health plans
  • Most health care providers, including doctors, clinics, hospitals, nursing homes, and pharmacies
  • Health care clearinghouses

HIPAA also applies to covered entities’ business associates (i.e., third parties that perform certain functions or activities that require the use of personal health information (PHI) including, for example, claims processing or administration). Entities that provide data transmission of PHI on behalf of a covered entity (or its business associate) and that require access on a routine basis to that PHI (such as regional Health Information Organizations (HIOs)) are considered to be business associates under HIPAA. Health information organizations that facilitate the exchange of electronic PHI primarily for treatment purposes between and among several health care providers.

For more information on covered entities or business associates, visit the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.