Who must comply with HIPAA privacy standards?

Answer:

As required by Congress in HIPAA, the Privacy Rule covers:

• Health plans
• Health care clearinghouses
• Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.

These entities (collectively called “covered entities”) are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See the fact sheet and frequently asked questions about the standards on Business Associates for a more detailed discussion of the covered entities’ responsibilities when they engage others to perform essential functions or services for them.

For more detailed information about health privacy, you may want to visit our  Medical Privacy: National Standards to Protect the Privacy of Personal Health Information site.

Date Created: 12/19/2002

Last Updated: 11/09/06