HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

How to know if your services are covered by HIPAA

Written by Tshedimoso Makhene | Feb 17, 2025 5:27:29 PM

To determine if your services are covered by HIPAA, you need to identify if your organization falls under the category of a "covered entity" or if you handle protected health information (PHI) as part of your business operations.


Determining HIPAA coverage

To determine whether your services are covered by HIPAA, consider the following questions:


Are you a covered entity or business associate?

HIPAA applies to two main categories: covered entities and business associates.

Covered entities

These include organizations that directly handle PHI, such as:

  • Healthcare providers: Doctors, hospitals, clinics, dentists, and other practitioners who conduct electronic transactions, such as billing or insurance claims.
  • Health plans: Insurance companies, HMOs, employer-sponsored health plans, Medicare, and Medicaid.
  • Healthcare clearinghouses: Organizations that process health information for other entities.

Business associates

A business associate is any entity or individual that performs functions or services on behalf of a covered entity where those functions or services involve PHI. Common examples include:

  • Medical billing and coding companies
  • IT service providers handling electronic PHI (ePHI)
  • Cloud storage providers storing patient records
  • Law firms handling medical claims
  • Marketing firms managing patient outreach for healthcare providers

If your organization falls into one of these categories, HIPAA compliance is necessary.


Do you handle protected health information (PHI)?

PHI includes any information related to a patient’s health that can be used to identify them. Examples include:

  • Patient names, addresses, phone numbers
  • Social Security numbers and birthdates
  • Medical records, diagnoses, and treatment information
  • Billing and insurance details

If your business creates, receives, maintains, or transmits PHI, you must comply with HIPAA regulations.


Are your services healthcare-related?

Even if you do not directly provide medical care, your services might still fall under HIPAA if they involve supporting healthcare operations. Examples include:

  • Claims processing: Handling insurance reimbursements.
  • Data analytics: Analyzing patient data for research.
  • Patient scheduling: Managing appointments for a healthcare provider.

If your work involves handling PHI, you need to ensure HIPAA compliance.


Do you sign business associate agreements (BAAs)?

A business associate agreement (BAA) is a contract between a covered entity and a business associate. It outlines the responsibilities of the business associate in protecting PHI.

If a healthcare provider asks your business to sign a BAA, it means they believe your services involve PHI. Signing a BAA legally binds you to HIPAA compliance and requires you to follow security measures to protect patient data.

Read more: What types of organizations need BAAs?


What if your services are not directly covered?

If your business does not handle PHI, HIPAA may not apply to you. However, some organizations voluntarily follow HIPAA guidelines as a best practice, particularly if they work with healthcare clients. Implementing strong security and privacy policies can help establish trust and prevent data breaches.


HIPAA compliance

According to the HHS, individuals, organizations, and agencies classified as covered entities under HIPAA are required to adhere to the HIPAA Privacy Rule's standards for safeguarding health information privacy and security. The standards state, "If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.”

See also: HIPAA Compliant Email: The Definitive Guide


FAQs

What happens if I accidentally receive PHI but don’t normally handle it?

If you unintentionally receive PHI but do not normally process or store it, you should securely delete or return the information and notify the sender.


How can I ensure my employees follow HIPAA regulations?

You can ensure compliance by:

  • Providing HIPAA training to employees.
  • Implementing strong data security policies.
  • Signing BAAs when required.
  • Using encryption and access controls to protect PHI.