
The HIPAA Privacy Rule: Is your organization a covered entity?


With the passage of HIPAA, the Department of Health and Human Services issued an important regulation to protect patients’ health and personal information: the Privacy Rule. Before we dig into the details of what the HIPAA Privacy Rule is and which types of information it protects, we’ll help you answer the most important question — is your organization required to follow the HIPAA Privacy Rule?

Who needs to comply with the HIPAA Privacy Rule?

  • Covered entities include health plans, healthcare clearinghouses, and healthcare providers.
  • Business associates of covered entities — companies that do business or interact with data on behalf of covered entities — also have obligations under the HIPAA Privacy Rule.
  • HIPAA does not regulate other types of private businesses or public agencies.

HIPAA defines organizations that have obligations under the Privacy Rule as either covered entities or business associates. Let’s look at covered entities first since they have the greatest requirements under the HIPAA Privacy Rule.

Covered entities

The HIPAA Privacy Rule applies to health plans, healthcare clearinghouses, and other healthcare providers that conduct certain financial and administrative transactions electronically. Collectively, these entities are called covered entities and are bound by the HIPAA privacy standards. Let’s take a closer look at each of these groups:

Health plans — According to the Centers for Medicare & Medicaid Services, health plans include health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs that pay for healthcare (like Medicare, Medicaid, and military and veterans’ health programs).

Healthcare clearinghouses — The CMS states that clearinghouses include “organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.”

Healthcare providers — Healthcare providers that “conduct certain financial and administrative transactions electronically,” and thus are covered under the HIPAA Privacy Rule, can include but aren’t limited to:

  • Clinics
  • Pharmacies
  • Nursing homes
  • Doctors
  • Dentists
  • Psychologists
  • Chiropractors




Business associates

Business associates are organizations or individuals that contract with covered entities to perform some of their essential functions. Business associates can include the following groups:

  • Consultants that perform utilization reviews for a hospital
  • Third-party administrators that assist a health plan with claims processing
  • Independent medical transcriptionists that provide transcription services to a physician

In order to engage a business associate, a covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with HIPAA.

It’s important to note that a covered entity (health plan, healthcare clearinghouse, or healthcare provider) can also be a business associate of another covered entity.

Who isn’t regulated?

HIPAA does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS doesn’t have the authority to regulate life insurance companies, employers, or public agencies that deliver social security or welfare benefits.

My organization is subject to the HIPAA Privacy Rule. What is it exactly?

The HIPAA Privacy Rule protects all "individually identifiable health information" — known as protected health information (PHI) — held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral.

The rule not only sets national standards to protect patients' medical records and other PHI but also requires reliable measures to protect PHI privacy, gives individuals rights over their PHI, and establishes authorized actions and the required disclosures that apply to PHI.

How do I know which types of information are covered? 

Knowing that the HIPAA Privacy Rule covers all PHI is one thing. Knowing exactly what that means in real life is another. Broadly speaking, there are three types of information you’ll want to understand in the context of the HIPAA Privacy Rule: individually identifiable health information, summary health information, and de-identified health information.

Individually identifiable health information

Individually identifiable health information — which, as we mentioned above, is also known as protected health information (PHI) — is information, including demographic data, that relates to an individual’s past, present, or future physical or mental health or condition; the provision of healthcare to the individual; or the past, present, or future payment for the provision of healthcare to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Summary health information

Summary health information is information that may be individually identifiable health information but that also meets both of the following criteria:

  1. It summarizes claims history, claims expenses, or types of claims experience of the individuals for whom the plan sponsor has provided health benefits through the group health plan.
  2. It is stripped of all individual identifiers other than the five-digit ZIP code.

De-identified health information

De-identified health information neither identifies nor provides a reasonable basis to identify an individual, and there are no restrictions on the use or disclosure of de-identified health information. There are two ways to de-identify information:

  1. A formal determination by a qualified statistician
  2. The removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers

The second method is only adequate if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
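The two forms described above, summary health information (identifiers stripped, five-digit ZIP retained) and de-identification by removal of specified identifiers with the "actual knowledge" check, as an added Python example that is not part of the original post. The field names and the sample record are constructed for illustration; the identifier categories follow the HIPAA Safe Harbor list, and the handling of ZIP codes under de-identification is simplified to dropping them entirely.

```python
import re

# Identifier fields to remove. The categories follow the HIPAA Safe Harbor
# list (names, contact details, SSN, record/account/license numbers, device
# and biometric identifiers, photos, IP addresses); the key names are assumed.
IDENTIFIER_KEYS = {"name", "street", "city", "phone", "fax", "email", "ssn",
                   "mrn", "beneficiary_id", "account_no", "license_no",
                   "vehicle_id", "device_serial", "url", "ip", "biometric",
                   "photo"}
# Nested objects for relatives, household members and employers are scrubbed
# the same way, because their identifiers must be removed too.
RELATED_PARTY_KEYS = {"relatives", "household_members", "employer"}
# Dates tied to the individual keep only the year.
DATE_KEYS = {"dob", "admission_date", "discharge_date", "death_date"}

def strip_identifiers(record, keep_zip):
    """Remove identifiers from a record (dict), recursing into related parties."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_KEYS:
            continue
        if key in DATE_KEYS:
            m = re.match(r"(\d{4})(-\d{2}-\d{2})?$", str(value))
            if m:                   # keep the year, drop month and day
                out[key] = m.group(1)
        elif key == "zip":
            if keep_zip:            # five-digit ZIP only, never ZIP+4
                out[key] = str(value)[:5]
        elif key in RELATED_PARTY_KEYS:
            items = value if isinstance(value, list) else [value]
            cleaned = [strip_identifiers(v, keep_zip) for v in items]
            out[key] = cleaned if isinstance(value, list) else cleaned[0]
        else:
            out[key] = value
    return out

def summary_health_information(record):
    """Summary health information: identifiers removed, five-digit ZIP kept."""
    return strip_identifiers(record, keep_zip=True)

def de_identify(record, known_reidentifying=frozenset()):
    """De-identify by removal (ZIP dropped entirely, stricter than required).
    Refuses if the covered entity has actual knowledge that a remaining field
    could still identify the individual."""
    out = strip_identifiers(record, keep_zip=False)
    leaked = set(known_reidentifying) & set(out)
    if leaked:
        raise ValueError(f"fields could re-identify the individual: {sorted(leaked)}")
    return out
```

Pass the names of any remaining fields the organization knows could single out a person (a rare diagnosis, for instance) in `known_reidentifying`, so the removal method is refused rather than silently treated as adequate.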

How do I ensure I’m in compliance with the HIPAA Privacy Rule?

Having a system — like Strike Graph — that simplifies the complicated requirements of HIPAA compliance can make all the difference. Our platform is designed to reduce the stress, effort, and cost of HIPAA compliance. 

  • Our initial risk assessment identifies exactly which HIPAA regulations apply to your organization — and which don’t! 
  • Step-by-step instructions walk you through HIPAA’s complex rules.
  • HIPAA policy templates save you time and money. 

Most importantly, Strike Graph sets you up for future growth beyond HIPAA. Once you’ve set up your controls and evidence for HIPAA, you can easily apply them to any framework your organization needs to keep growing. Strike Graph supports ISO 27001, SOC 2, PCI DSS, GDPR, and CCPA.
