By the numbers: How many US healthcare organizations must abide by HIPAA?

The FAQs provided by the Office of the National Coordinator for Health IT explain that, “The following entities must follow The Health Insurance Portability and Accountability Act (HIPAA) regulations. The law refers to these as “covered entities”:

• Health plans
• Most health care providers, including doctors, clinics, hospitals, nursing homes, and pharmacies
• Health care clearinghouses

HIPAA also applies to covered entities’ business associates (i.e., third parties that perform certain functions or activities that require the use of personal health information (PHI) including, for example, claims processing or administration). Entities that provide data transmission of PHI on behalf of a covered entity (or its business associate) and that require access on a routine basis to that PHI (such as regional Health Information Organizations (HIOs)) are considered to be business associates under HIPAA. Health information organizations that facilitate the exchange of electronic PHI primarily for treatment purposes between and among several health care providers.”

Defining HIPAA covered entities

A resource by the National Health Institute states that, “Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons”

Additionally, “Researchers are covered entities if they are also health care providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard. For example, physicians who conduct clinical studies or administer experimental therapeutics to participants during the course of a study must comply with the Privacy Rule if they meet the HIPAA definition of a covered entity.”

HIPAA covered entities fall into three main categories, each including specific types of organizations:

• Healthcare providers: Hospitals, doctors' offices, clinics, nursing homes, pharmacies, dentists, mental health professionals, chiropractors, and physical therapists.
• Health plans: Private health insurance companies, group health plans, health maintenance organizations (HMOs), Medicare, Medicaid, military and veterans' health care programs, and long-term care insurance providers.
• Healthcare clearinghouses: Organizations that process nonstandard information into standard formats, such as medical billing services, repricing companies, and community health management information systems.

Estimating the total number of HIPAA covered entities

Healthcare providers

Hospitals

The 2025 Edition of the AHA Hospital Statistics reports the following figures:

Approximately 6,093 total hospitals in the United States

• This includes 5,112 community hospitals
  • 2,978 nongovernment not-for-profit community hospitals
  • 1,214 investor-owned (for-profit) community hospitals
  • 920 state and local government community hospitals
• 207 federal government hospitals
• 654 non-federal psychiatric hospitals
• 120 other specialized hospitals

Physician practices

In its 2023 U.S. Physician Workforce Data Dashboard, the AAMC Research and Action Institute estimated a total of 1,010,892 active physicians. 70.2% of those physicians are  office based practices

Dental practices

According to the American Dental Association, “In 2020, there were 201,117 practicing dentists in the United States.”

To provide a rough breakdown of the 2020 figures, we refer to a 2009 survey by the American Dental Association—outlined in the Journal of Dental Education publication titled Estimating the Number of Dentists Needed in 2040. While the 2020 data does not include a detailed breakdown, we can infer distribution patterns based on the 2009 figures:

• 120,369 full time dental private practices
• 9,296 part time dental private practices

Pharmacies

According to Access to Community Pharmacies: A Nationwide Geographic Information Systems Cross-Sectional Analysis, published in the Journal of the American Pharmacists Association in 2022, there are approximately 61,715 total pharmacies in the United States.

• This includes 37,954 chain pharmacies (61.5%)
• 23,521 regional franchises or independently owned pharmacies (38.1%)
• 240 government pharmacies (0.4%)
• Distribution varies by location:
  • In large metropolitan areas, 62.8% are chain pharmacies
  • In rural areas, 76.5% are franchises or independent pharmacies

Nursing homes and long-term care facilities

According to an article in The Senior List, “In 2025 there are roughly 30,600 assisted living communities, with a total of 1.2 million licensed beds in the United States. There are approximately 15,600 nursing homes in the United States.” 

The National Center for Health Statistics states that in 2020 there were around 32,321 residential care communities.

Mental health facilities

The 2020 N-MHSS report by the Substance Abuse and Mental Health Services Administration (SAMHSA) identified 12,275 mental health treatment facilities, which provided services to approximately 3.7 million clients.

Health Plans

Private health insurance companies

The U.S. Health Insurance Industry Analysis Report by the National Association of Insurance Commissioners states that, “As of 2021, there were 967 health insurance companies operating in the United States”

Which include:

• Large national carriers like UnitedHealthcare, Anthem, Cigna
• Regional and state-specific insurers
• Self-insured employer plans

Medicare and medicaid

“Medicare provides coverage for items and services for over 55 million beneficiaries. The vast majority of coverage is provided on a local level and developed by clinicians at the contractors that pay Medicare claims.” states the Centers for Medicare and Medicaid Services

On the other hand, the KFF article 10 Things to Know About Medicaid states, “Medicaid is the primary program providing comprehensive coverage of health and long-term care to 83 million low-income people in the United States.”

Group health plans

The KFF conducts an annual survey of public and nob-federal public employers with three or more workers, the 2023 survey found that approximately 153 million nonelderly individuals were covered by employer-sponsored health insurance.

Healthcare clearinghouses

The absence of public data makes it challenging to provide an exact count of healthcare clearinghouses. The number likely fluctuates due to factors such as mergers, acquisitions, and the change of healthcare technology services.

Business associates

Besides covered entities, HIPAA also mandates compliance for business associates—organizations that handle protected health information (PHI) on behalf of covered entities:

• Medical billing companies: There are no precise figures for medical billing companies, however, Precedence Research states that, “The global medical billing outsourcing market size is calculated at USD 19.32 billion in 2025.”
• Cloud storage providers: Hundreds of healthcare-focused cloud services
• Electronic health record (EHR) vendors: According to Healthgrades as of 2019, the number of EHR vendors in the U.S. decreased from over 1,000 to approximately 400.
• Legal and consulting firms: Thousands of healthcare-focused professional services
• Data analytics companies: Hundreds of specialized firms.

Total estimated HIPAA covered entities and business associates

Combining these categories, we can estimate:

• Covered entities: Approximately 250,000 to 300,000 organizations
• Business associates: Estimated 50,000 to 75,000 additional organizations
• Total HIPAA compliant organizations: Roughly 300,000 to 375,000

These numbers are estimates, not exact counts of HIPAA covered entities and business associates. The figures come from different sources spanning several years (2019-2025) and may not show the complete picture today. Some healthcare areas like hospitals have clear numbers, while others like clearinghouses don't have good data. The healthcare industry is always changing through mergers and reorganizations, which affects the real count. These estimates are our best guess based on public information and industry reports. They help understand HIPAA's general reach rather than giving exact compliance numbers.

Challenges in precise enumeration

Several factors make getting an exact count challenging:

1. Constant market changes
2. New healthcare technologies emerging
3. Mergers and acquisitions
4. Varying state-level regulations
5. Evolving definitions of healthcare organizations
6. Outdated studies and surveys 
7. New entities
8. Data reporting challenges

The economic impact of HIPAA compliance

Estimated annual HIPAA compliance costs

 An article in Medical Economics explains that, “At the time of implementation, the Department of Human and Health Services (HHS) estimated that HIPAA would initially cost healthcare systems approximately $113 million with subsequent maintenance costs of $14.5 million per year. The actual costs of HIPAA compliance are estimated at closer to $8.3 billion a year, with each physician on average spending $35,000 annually for health information technology upkeep. The true costs, however, are unknown and buried under layers of purportedly necessary bureaucracy. These costs do not account for the added stress inflicted upon healthcare clinicians and patients struggling to allow each other access to important and necessary healthcare information.”

Potential penalties for non-compliance

“There are four tiered ranges of penalties for violating HIPAA. There are maximum penalty caps of up to $1.5 million for all violations of an identical provision during a calendar year,” explains the American Dental Association

Furthermore, “A HIPAA violation can also result in criminal penalties. According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.”

Read also: HIPAA compliant email: The definitive guide

FAQs

What is the purpose of HIPAA compliance?

HIPAA compliance ensures the protection of sensitive patient health information while allowing the efficient flow of data necessary for healthcare operations.

Who enforces HIPAA regulations?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA regulations.

Who enforces HIPAA compliance?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA regulations through investigations and audits.

What are the key rules under HIPAA?

HIPAA consists of the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule, each governing different aspects of protected health information (PHI).

What are common HIPAA violations?

Common violations include unauthorized access to PHI, failure to encrypt data, improper disposal of records, and lack of employee training.