HIPAA is one of the most well-known privacy laws, but its actual scope is narrower — and its requirements more specific — than most people outside the healthcare industry realize.
Who HIPAA Actually Covers
HIPAA applies to "covered entities" — health plans, healthcare providers who transmit health information electronically, and healthcare clearinghouses — along with their "business associates," vendors who handle protected health information on their behalf.
This means many organizations that handle health-related information, such as a fitness app or a wellness program not connected to a covered healthcare provider, may not actually be subject to HIPAA at all, even though people commonly assume they are.
What HIPAA Protects and Requires
HIPAA's Privacy Rule governs how protected health information can be used and disclosed, while the Security Rule requires specific administrative, physical, and technical safeguards for electronic health information.
Covered entities must generally obtain patient authorization before using or disclosing health information beyond specific permitted purposes like treatment, payment, and healthcare operations.
Business Associate Agreements
Any vendor that handles protected health information on behalf of a covered entity — a billing company, a cloud storage provider, an IT support vendor — generally must sign a business associate agreement establishing their own HIPAA obligations.
Failing to have proper business associate agreements in place is a common compliance gap that can result in significant liability for both the covered entity and the vendor if a breach occurs.
Frequently Asked Questions
Does HIPAA apply to my health and fitness app?
Only if it's connected to a HIPAA-covered entity — many consumer health apps are not directly subject to HIPAA, though other privacy laws may still apply.
What are the penalties for a HIPAA violation?
Penalties vary based on the level of culpability, ranging from a few hundred dollars to over a million dollars per violation category per year for the most serious violations.
HIPAA's scope and requirements are more specific and technical than commonly assumed. A healthcare privacy attorney can help determine whether your organization is covered and what compliance requires.
Was this guide helpful?
Explore more topics or get in touch with a question.