Is HIPAA Compliance Required for Your Company? Here’s How to Tell

Many businesses and services outside traditional healthcare settings are now collecting, storing, or processing sensitive health information. Think of the numerous cloud platforms, remote diagnostics, telehealth products, and digital wellness applications integrated into everyday life. As a result, companies that never considered themselves part of the healthcare ecosystem are asking an important question:

Does my business need to be HIPAA compliant?

The answer depends not just on your industry, but on the nature of your interaction with Protected Health Information (PHI). HIPAA compliance is required for any organization that qualifies as a covered entity or business associate under the law.

What are Covered Entities?

According to the U.S. Department of Health and Human Services (HHS), a covered entity is any health care provider, health plan, or health care clearinghouse that electronically transmits health information in connection with standard transactions. These organizations are directly subject to all provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

Covered entities are legally responsible for safeguarding PHI and providing individuals with certain rights regarding their health data, such as the right to access their records and request corrections.

What are Business Associates?

A business associate is any individual or company that performs functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples include software vendors, billing providers, cloud storage companies, and consultants with system access to PHI.

When a covered entity works with a business associate, HIPAA requires a written contract, a Business Associate Agreement (BAA). This contract outlines the business associate’s obligations to protect PHI and comply with applicable portions of the HIPAA Rules. In addition to contractual obligations, business associates are directly liable for compliance with many provisions of the HIPAA Security and Breach Notification Rules.

Who Is Exempt from HIPAA?

Entities not meeting the legal definition of a covered entity or business associate are not required to comply with HIPAA. However, adjacent organizations like wellness apps, benefits platforms, or law firms may unintentionally handle PHI and become subject to HIPAA compliance via contracts. HHS provides a simplified overview of common covered entities, including healthcare providers, insurance carriers, and clearinghouses transmitting health data electronically for standard administrative transactions.

To check if your business meets the criteria, review this resource from HHS, Fast Facts for Covered Entities.

What Is HIPAA, and What Does It Cover?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law establishing national standards for safeguarding PHI. It was created to modernize healthcare data flow, combat fraud, and ensure patient privacy in electronic systems. 

HIPAA now primarily governs how health information is used, stored, accessed, and disclosed by covered entities and their business associates, who are legally obligated to protect patient data confidentiality, integrity, and availability.

HIPAA is enforced through four key rules:

1. What is the Privacy Rule?

The Privacy Rule sets the standards for when PHI may be used or disclosed, and establishes patient rights over their health information. It applies to both paper and digital records. Under this rule, individuals have the right to:

  • Access and obtain copies of their medical records.
  • Request corrections to their health data.
  • Receive a list of disclosures upon request.

Covered entities must also limit data sharing to the minimum necessary to accomplish a specific task.

2. What is the Security Rule?

The Security Rule focuses specifically on electronic Protected Health Information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect data from unauthorized access, tampering, or loss.

This includes:

  • Role-based access controls
  • Multi-factor authentication
  • Data encryption in transit and at rest
  • Risk assessments and ongoing monitoring

3. What is the Breach Notification Rule?

This rule mandates that organizations notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media when unsecured PHI is breached. Notification must be made within 60 calendar days of discovery. Delays or non-disclosure can result in increased penalties.

4. What is the Enforcement Rule?

The Enforcement Rule outlines how HIPAA is enforced and what penalties apply for violations. The Office for Civil Rights (OCR) is responsible for investigating complaints and issuing penalties, which can include:

  • Fines ranging from $100 to $50,000 per violation.
  • Annual penalty caps of $1.5 million per violation category.
  • Mandatory corrective action plans.
  • In serious cases, referral for criminal prosecution.

Together, these four rules form the foundation of HIPAA compliance. Understanding them is critical if your business stores, processes, or transmits any form of PHI, whether directly or on behalf of a healthcare partner.

Want a practical breakdown of how to implement these requirements? Download our HIPAA Compliance Checklist.

What Qualifies as Protected Health Information (PHI)?

Protected Health Information (PHI) refers to any information that relates to a person’s physical or mental health, the provision of healthcare, or the payment for that care, and that can be used to identify the individual. HIPAA regulates how PHI is used, stored, and disclosed by covered entities and business associates.

PHI can exist in any format: electronic, paper-based, or spoken. It becomes subject to HIPAA protections when it is created or received by a covered entity or business associate and contains any identifiable health-related data.

Key Characteristics of PHI

According to both HHS and guidance from UC Berkeley, PHI includes two essential components:

  1. Health information related to:
    • Past, present, or future physical or mental health or condition
    • The provision of healthcare
    • Payment for healthcare services
  2. One or more personal identifiers that can link the data to a specific individual

Examples of Personal Identifiers that Make Health Data PHI

HIPAA defines 18 specific identifiers; health information associated with any one of them is PHI. These include:

  • Names
  • Dates directly related to an individual (e.g., birth date, admission/discharge dates)
  • Addresses (street address, city, ZIP code)
  • Phone numbers and email addresses
  • Social Security numbers
  • Medical record or insurance ID numbers
  • Account numbers or license plate numbers
  • Full-face photos or biometric identifiers (fingerprints, voiceprints)
  • IP addresses or device identifiers if linked to health data

The HHS De-Identification Guide, which also outlines methods for removing PHI when necessary for research or analytics, provides a full list of these identifiers.

When Is Health Data Not Considered PHI?

Not all health-related data falls under HIPAA. For example:

  • Health information that is fully de-identified (i.e., all 18 identifiers are removed) is no longer considered PHI.
  • Data maintained by non-covered entities (such as certain fitness or wellness apps) may not be regulated under HIPAA unless they share or manage data on behalf of a covered entity.
  • Health data used strictly for employment purposes (such as HR files) may be covered under different laws, such as the Americans with Disabilities Act (ADA).

Understanding what qualifies as PHI is essential for determining your HIPAA responsibilities. If your systems store, transmit, or analyze identifiable health information, even temporarily or indirectly, your organization may be required to comply with HIPAA regulations.
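To make the two-part definition above concrete, here is an added Python example (not from this page or from Carbide) that flags the identifier categories listed on this page in a constructed record, decides whether the record is PHI, and strips the identifiers. The regular expressions and field names are assumptions for illustration only: they cover just the identifiers named here, not all 18 Safe Harbor categories.

```python
import re
# Identifier categories from the page's list; patterns are constructed for this
# example and stricter than HHS Safe Harbor (which permits e.g. years alone).
IDENTIFIER_FIELDS = {"name", "address", "license_plate"}   # whole-field identifiers
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}
# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1984-03-12",
    "contact": "jane@example.org, 555-867-5309",
    "mrn": "MRN-0012345",
    "diagnosis": "Type 2 diabetes",
    "note": "Follow-up 2024-06-01, portal login from 192.0.2.10",
}

def find_identifiers(record):
    """Map each field carrying a listed identifier to the categories found in it."""
    hits = {}
    for key, value in record.items():
        cats = [key.lower()] if key.lower() in IDENTIFIER_FIELDS else []
        if isinstance(value, str):
            cats += [c for c, p in IDENTIFIER_PATTERNS.items() if p.search(value)]
        if cats:
            hits[key] = cats
    return hits

def is_phi(record, health_fields=("diagnosis", "treatment", "note")):
    """PHI needs both: health-related content and an identifier linking it to a person."""
    has_health = any(record.get(f) for f in health_fields)
    return has_health and bool(find_identifiers(record))

def safe_harbor_redact(record):
    """Drop whole-field identifiers and scrub identifier patterns from text values."""
    cleaned = {}
    for key, value in record.items():
        if key.lower() in IDENTIFIER_FIELDS:
            continue                       # e.g. a name: nothing to keep
        if isinstance(value, str):
            for cat, pat in IDENTIFIER_PATTERNS.items():
                value = pat.sub(f"[{cat.upper()} REMOVED]", value)
        cleaned[key] = value
    return cleaned
```

Run `is_phi(SAMPLE_RECORD)` before and after `safe_harbor_redact` to see the record move from PHI to de-identified while the diagnosis itself is retained.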

Business Types That Commonly Fall Under HIPAA

If you’re unsure whether your industry falls under HIPAA, consider these examples of business types that often need to comply:

  • Digital health platforms and telemedicine services
  • Managed Service Providers (MSPs) and IT consultancies
  • Revenue cycle management (RCM) and medical billing services
  • Software vendors serving healthcare clients (EHRs, CRMs, etc.)
  • Law firms or auditors handling health-related legal matters

Companies you might not expect, like fitness apps or workplace wellness platforms, can fall under HIPAA if they integrate with healthcare providers or insurers and process protected health information (PHI). If you serve the healthcare market, there’s a strong chance you’re classified as a business associate. According to the HIPAA Journal, confusion around business associate status remains among the most common causes of unintentional noncompliance.

Carbide’s customers clearly exemplify the need for flexible compliance tools. WonderMD, a Canadian digital health company, used Carbide to meet Ontario’s health privacy requirements. Their success shows how our platform and services are built to adapt to both U.S. regulations like HIPAA and other international privacy laws.

What Happens If You’re Not HIPAA Compliant?

HIPAA violations can lead to significant consequences, even if they’re accidental. The Office for Civil Rights (OCR) enforces compliance through civil monetary penalties, corrective action plans, and, in some cases, criminal investigations.

Penalties vary depending on the level of negligence:

  • $100 to $50,000 per violation
  • Up to $1.5 million per year per violation type
  • Potential criminal charges for willful neglect or data theft

OCR has issued fines to businesses of all sizes, including solo practitioners and small tech vendors. A common enforcement theme is failure to conduct risk assessments or execute BAAs with vendors.

How to Know If HIPAA Applies to You

Still unsure about HIPAA? Ask:

  • Do you process identifiable health data, work with healthcare entities or patients, or offer a product that stores or transmits medical data?
  • Do you access systems that store PHI, or use vendors to process health information on your behalf?

A “yes” to either of these means you likely need to be HIPAA compliant.

What to Do If HIPAA Applies to Your Business

HIPAA compliance is a legal obligation for covered entities and business associates, and it also builds trust. Your organization should:

  • Conduct a HIPAA risk assessment
  • Implement safeguards
  • Draft HIPAA-aligned policies
  • Train your workforce on HIPAA compliance

Carbide’s platform simplifies HIPAA compliance with pre-built policies, HIPAA-mapped controls, automated evidence collection, expert services, and more.

Ready to simplify, speed up, and scale HIPAA compliance with Carbide? Schedule a free consultation with our security experts.