November 27, 2024

Do you need to be HIPAA-compliant? A quick checklist

Team Scrut

1. Introduction: Why you should ask, ‘Do we need HIPAA compliance?'

Compliance surprises can be costly—HIPAA compliance might apply even if you're not in healthcare.

Many CEOs and business leaders assume that HIPAA only pertains to hospitals, clinics, and doctors. However, the scope of the Health Insurance Portability and Accountability Act (HIPAA) extends far beyond traditional healthcare institutions.

Businesses in sectors such as software development, insurance, marketing, and IT may unexpectedly fall under HIPAA's jurisdiction if they handle sensitive health information (Protected Health Information, or PHI). Ignorance isn't an excuse, and non-compliance can lead to hefty fines, legal complications, and reputational damage.

The purpose of this article is to provide a concise and actionable checklist for CEOs, compliance managers, and business leaders to quickly assess if HIPAA compliance applies to their organization. By the end, you'll be better equipped to determine whether your operations fall under HIPAA's rules and, if so, how to take the first steps toward compliance.

2. What is HIPAA, and why should you care?

HIPAA, enacted in 1996, is a U.S. federal law designed to protect the privacy and security of sensitive health information, also known as Protected Health Information (PHI).

HIPAA establishes standards for the secure handling of PHI, ensuring that individuals' medical records and personal health data remain confidential while enabling efficient data exchange in the healthcare ecosystem.

Consequences of non-compliance:

Failing to comply with HIPAA can have severe repercussions, including:

  • Financial penalties: Fines can range from $137 to $2,067,813 per violation, with an annual cap of $2.07 million for the most severe cases.
  • Legal liability: Non-compliance can lead to lawsuits from individuals or class actions due to breaches of their health data.
  • Loss of reputation: Data breaches or violations often make headlines, damaging customer trust and public perception, which can affect long-term business sustainability.

Read also: Guardians of healthcare data: Mastering HIPAA audit trail requirements

3. The HIPAA applicability checklist

HIPAA is often mistakenly perceived as only relevant to healthcare providers, such as hospitals and clinics. However, HIPAA is applicable to any organization that handles PHI. This includes, but is not limited to, business associates, health tech startups, insurance companies, and marketing firms.

Any business that touches or stores health-related data—even temporarily—could be subject to HIPAA regulations, making it critical for organizations outside traditional healthcare to assess their compliance needs.

An example of this is a cloud storage provider that offers data storage solutions to various industries, including healthcare. If a healthcare provider uses the cloud service to store patients' health information, the cloud provider is now considered a business associate under HIPAA. This means it must adhere to HIPAA regulations for data protection, access controls, and breach notifications—even though it is not a traditional healthcare organization.

3.1 Are you a covered entity?

What is a covered entity under HIPAA? HIPAA defines certain types of organizations as “HIPAA covered entities.” Under HIPAA, a covered entity is any organization or individual that falls into one of three categories: healthcare providers, health insurance companies, and healthcare clearinghouses. If your business fits any of these roles, you are a covered entity and must adhere to HIPAA's privacy, security, and breach notification rules.

Let's explore who qualifies as a HIPAA covered entity with real-world examples.

Who is a covered entity under HIPAA

  1. Healthcare providers:
    Any organization providing healthcare services and electronically transmitting health-related information, such as:
    • Hospitals
    • Clinics and private practices
    • Nursing homes and home health agencies
    • Pharmacies
  2. Health insurance companies:
    Organizations involved in the payment or coverage of healthcare services, including:
    • Health insurance providers (e.g., Aetna, Blue Cross Blue Shield)
    • Health maintenance organizations (HMOs)
    • Government health programs like Medicare, Medicaid, and the Veterans Health Administration
  3. Healthcare clearinghouses:
    These entities act as intermediaries, processing non-standard health information into a standardized format for electronic transactions. Examples include:
    • Third-party billing services
    • Health information exchanges (HIEs)
    • Claim processing and reconciliation platforms

3.2 Are you a business associate?

A business associate under HIPAA is any organization or individual that performs functions, activities, or services involving PHI on behalf of a HIPAA covered entity. While business associates aren't healthcare providers themselves, their access to or handling of PHI makes them subject to HIPAA's rules. This role carries significant compliance responsibilities, including security measures and breach reporting obligations.

Examples of business associates:

  1. Cloud service providers hosting health data:
    • Cloud storage platforms (e.g., AWS, Microsoft Azure, Google Cloud) used by healthcare providers to store patient data.
  2. IT companies providing software for healthcare systems:
    • Electronic health record (EHR) vendors
    • Telehealth platforms facilitating remote consultations
    • Data analytics providers that analyze PHI for healthcare improvement
  3. Billing and medical transcription services:
    • Medical billing companies processing patient invoices and insurance claims.
    • Transcription services converting audio recordings of patient visits into written medical records.

If your organization falls into any of these categories, you are a business associate under HIPAA. This means you are responsible for implementing administrative, technical, and physical safeguards to protect PHI.

Additionally, you must establish business associate agreements (BAAs) with the covered entities you serve, ensuring compliance with HIPAA rules.

3.3 Do you handle PHI in any form?

Definition of PHI (Protected Health Information):

PHI refers to individually identifiable health information related to a person's health status, healthcare services, or payment for healthcare, which is protected under HIPAA. If your organization creates, receives, maintains, or transmits PHI, you may be required to comply with HIPAA, regardless of whether you're a covered entity or a business associate.

Examples of PHI:

  1. Medical records:
    • Doctor's notes, lab results, X-rays, or diagnostic reports.
    • Information in electronic health records (EHR) systems.
  2. Payment information tied to health services:
    • Health insurance policy numbers.
    • Credit card details used to pay for medical services.
  3. Health monitoring data:
    • Wearable device data (e.g., heart rate or glucose levels tracked by fitness apps).
    • Health-related information collected through telehealth platforms or patient portals.

Formats to consider:

PHI is not limited to specific mediums. If you handle any of the following types of communication involving health data, you are responsible for its protection under HIPAA:

  • Electronic communication:
    • Email exchanges containing patient information.
    • Data stored on cloud platforms or transferred over a network.
  • Physical records:
    • Printed medical reports, insurance documents, or patient intake forms.
    • Folders and paperwork kept in filing cabinets or office spaces.
  • Verbal communication:
    • Phone conversations discussing patient treatment or insurance claims.
    • In-person discussions between healthcare staff about patient care.

Handling PHI in any form triggers HIPAA obligations. Organizations must establish policies and safeguards to ensure the confidentiality, integrity, and availability of PHI, regardless of whether it's stored digitally, on paper, or communicated verbally.

3.4 Do you offer wellness programs or apps?

Scope expansion:

The concept of Protected Health Information (PHI) isn't limited to traditional healthcare providers. Wellness programs, fitness apps, and wearable health devices often collect sensitive health-related data such as heart rate, sleep patterns, and workout routines.

If these programs or apps collect or transmit personal health data, they may inadvertently fall under HIPAA regulations, especially when partnering with covered entities like insurance companies or healthcare providers.

Examples of wellness programs and apps that may handle PHI:

  1. Fitness and health tracking apps:
    • Mobile apps monitoring users' fitness progress, heart rate, or dietary habits (e.g., MyFitnessPal, Fitbit).
    • Mental health apps tracking mood patterns or counseling sessions.
  2. Corporate wellness programs:
    • Employee wellness initiatives offering biometric screenings, weight management, or stress reduction programs.
    • Incentive-based programs encouraging healthy behavior, collecting health metrics in return for rewards or lower insurance premiums.
  3. Wearable health devices:
    • Smartwatches tracking physical activity, sleep quality, or vital signs (e.g., Apple Watch, Garmin).
    • Medical-grade devices like continuous glucose monitors that collect and transmit patient data to healthcare providers.

Compliance implications:

If your wellness app, program, or wearable collects, processes, or shares data with covered entities (such as health insurers or medical providers), HIPAA may apply. Here are some critical compliance considerations:

  • Business associate role:
    • If your app or wellness program transmits health data to healthcare providers or insurers, it may be classified as a business associate under HIPAA.
    • You'll need to sign Business Associate Agreements (BAAs) and implement appropriate security safeguards to protect transmitted data.
  • Shared PHI liability:
    • Even if you operate independently, if you share PHI with covered entities (e.g., through APIs or health integrations), HIPAA's privacy and security rules extend to your operations.
  • App and device security requirements:
    • All collected health data, whether stored locally or in the cloud, must be protected through encryption, access control, and regular monitoring to prevent unauthorized access and breaches.

Proactive tip: Even if HIPAA does not immediately apply to your wellness app or program, following best practices for data privacy and security will help ensure compliance as regulations evolve and partnerships grow.

Read also: Who enforces HIPAA? And how to ensure your business is compliant?

4. What is not a covered entity under HIPAA?

Under HIPAA, organizations that do not fall under the definition of a “covered entity” are those that do not engage in the healthcare-related activities or electronic transactions HIPAA regulates (and that do not handle PHI on behalf of someone who does). Here's a detailed breakdown of entities that are not considered covered entities under HIPAA:

1. Employers (in general)

Employers managing health data internally (e.g., sick leave records or workplace wellness programs) are not covered entities unless they are part of a health plan.

2. Life insurance companies

Life, disability, and workers' compensation insurers are not covered under HIPAA, even though they may collect health-related information, as they are not involved in healthcare services or electronic transactions regulated by HIPAA.

3. Schools and educational institutions

Schools are generally regulated under FERPA (Family Educational Rights and Privacy Act) for student records, including health information, and are not considered covered entities under HIPAA.

4. Fitness and wellness app providers (unless handling PHI)

Fitness tracking apps (like Fitbit or MyFitnessPal) and wearable health devices are not covered entities unless they share data with a covered entity (e.g., a healthcare provider or insurer) under a business associate agreement.

5. Non-healthcare tech companies

Software companies providing general IT services (without handling PHI for covered entities) are not covered entities.

6. General retail stores and pharmacies selling non-medical products

Retail outlets that sell healthcare products (like over-the-counter drugs) without offering pharmacy services are not considered covered entities.

7. Medical device manufacturers

Companies that design or sell medical devices (unless they directly store or transmit PHI on behalf of covered entities) are typically not covered by HIPAA.

8. Third-party service providers (without PHI handling)

Entities providing non-health-related services, like cleaning companies or office supply vendors, are not subject to HIPAA unless they become business associates by accessing PHI.

If these organizations do not fit the roles of covered entities (healthcare providers, health plans, or healthcare clearinghouses) or business associates, HIPAA's privacy and security rules do not apply to them. However, organizations that interact with covered entities may still need to assess if they fall under the business associate category.

Read also: HIPAA vs HITRUST: A practical comparison for making compliance decisions

5. Common misconceptions about HIPAA compliance

Understanding HIPAA's scope is crucial, yet many organizations fall prey to common misconceptions. Below, we address these misunderstandings and clarify how HIPAA applies beyond traditional healthcare settings.

Misconception 1: “We aren't in healthcare, so HIPAA doesn't apply.”

Reality:

HIPAA compliance isn't just for hospitals or medical practices. Any business that handles PHI on behalf of covered entities must comply with HIPAA regulations. This applies to business associates such as:

  • Tech companies developing healthcare software or apps.
  • Marketing agencies running health-related campaigns involving PHI.
  • Insurance brokers processing health insurance claims.

Even businesses outside the healthcare industry may need to comply if they encounter or process PHI in any form.

Misconception 2: “We store data in the cloud, so the vendor handles compliance.”

Reality:

While cloud service providers play a key role in securing data, HIPAA places primary responsibility on the organization handling PHI—not the vendor alone. Organizations using cloud platforms to store or process PHI must:

  • Ensure the cloud vendor complies with HIPAA and signs BAAs.
  • Implement their own access controls and encryption policies for data stored in the cloud.
  • Monitor vendor compliance regularly to ensure ongoing adherence to HIPAA's rules.

Using a compliant cloud service is a good first step, but organizations cannot outsource their HIPAA obligations entirely.

Misconception 3: “HIPAA only applies to the U.S.”

Reality:

While HIPAA is a U.S.-based law, any U.S. organization handling PHI must remain compliant, even when working with foreign partners or storing data overseas. Examples include:

  • Global partnerships: A U.S. healthcare provider sharing PHI with an international research partner.
  • Offshore cloud storage: Storing PHI on servers located outside the U.S. (e.g., using an international cloud service).

Regardless of where data is stored or processed, U.S. entities remain subject to HIPAA. Compliance measures must extend across all locations to ensure PHI is adequately protected.

Read also: How to map HIPAA to ISO 27001?

6. Quick actionable summary: The HIPAA applicability checklist

  • Are you a covered entity?
  • Are you a business associate?
  • Do you process PHI, even indirectly?
  • Does your app or service collect health-related data?

Read also: GDPR vs HIPAA compliance: What's the difference?

7. How can Scrut help you in HIPAA compliance?

Scrut simplifies HIPAA compliance by offering an automated, end-to-end platform for managing security controls, documentation, and risk assessments. It provides pre-built frameworks aligned with HIPAA's privacy, security, and breach notification rules, streamlining the process of identifying gaps and implementing safeguards for PHI.

With continuous monitoring of systems and vendors, Scrut ensures real-time compliance tracking and helps businesses maintain readiness for audits. Additionally, it supports policy management, employee training, and incident reporting, making it easier for covered entities and business associates to stay compliant without the manual burden.

8. Final thoughts: Take the checklist seriously to avoid compliance pitfalls

Compliance pitfalls often arise from assumptions and oversight. Take the time to evaluate your exposure to PHI, identify any gaps in your compliance strategy, and ensure third-party vendors are equally committed to protecting health data. Adopting a serious and methodical approach to compliance today will protect your organization from unexpected issues tomorrow.

HIPAA compliance is not just about following regulations—it's about building a resilient, trustworthy business that values the privacy and security of the people it serves.

Ensure seamless HIPAA compliance with Scrut! From automated control management to real-time risk monitoring, Scrut helps you safeguard Protected Health Information (PHI) and stay audit-ready. Simplify your compliance journey—schedule a demo today!

How do I know if I need to be HIPAA compliant?

You need to be HIPAA-compliant if your organization is a covered entity (such as a healthcare provider, health plan, or healthcare clearinghouse) or a business associate that handles Protected Health Information (PHI) on behalf of a covered entity. If your organization collects, stores, transmits, or processes PHI, even indirectly, HIPAA compliance is required. This includes companies in IT, cloud services, marketing, and software development that engage with healthcare clients.

Who is required to be HIPAA compliant?

HIPAA compliance is mandatory for:

  • Covered entities, including:
    • Healthcare providers (hospitals, clinics, doctors, pharmacies)
    • Health plans (insurance companies, HMOs, employer-sponsored health plans)
    • Healthcare clearinghouses (billing services, claim processors)
  • Business associates that provide services involving PHI (e.g., cloud providers, billing companies, IT vendors, and telehealth platforms).

Which of the following are not required to comply with HIPAA?

The following types of organizations are not required to comply with HIPAA:

  • Life insurers and disability insurance companies
  • Employers managing employee health records internally
  • Educational institutions regulated under FERPA
  • Fitness apps and wearable health devices (unless they share data with covered entities)
  • General IT service providers without access to PHI

What data requires HIPAA compliance?

HIPAA applies to Protected Health Information (PHI), which is any individually identifiable health information that relates to:

  • An individual's physical or mental health status
  • Healthcare services provided to the individual
  • Payment details for healthcare services

PHI can be in any format—electronic, paper, or verbal—and includes medical records, insurance policy numbers, lab results, and patient communications.

What are the three requirements of HIPAA?

The three main requirements of HIPAA are:

  • Privacy rule: Regulates how PHI can be used and disclosed to protect patient privacy.
  • Security rule: Mandates safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
  • Breach notification rule: Requires organizations to notify individuals, regulators, and media of any data breach involving unsecured PHI.
