Who must comply with HIPAA privacy standards?
As required by Congress in HIPAA, the Privacy Rule covers: • Health plans • Health care clearinghouses • Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers. These entities (collectively called “covered entities”) are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See the fact sheet and frequently asked questions about the standards on Business Associates for a
• Health plans, • Health care clearinghouses, and • Health care providers who transmit health information electronically. These entities are bound by the privacy standards even if they contract with others (business associates) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies (such as employers, life insurance companies, or public agencies that deliver social security or welfare benefits). See the fact sheet and frequently asked questions on the HHS/OCR web site about the standards on Business Associates for a more detailed discussion of covered entities’ responsibilities when they engage others to perform essential functions or services for them.
