Do I Need to Comply with HIPAA? A Decision Guide
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 6 min read
Key Takeaways
- ✓ Covered entities must comply with all HIPAA rules (Privacy, Security, Breach Notification)
- ✓ Business associates must comply with the Security Rule, the Breach Notification Rule (reporting breaches to the covered entity), the Privacy Rule provisions that apply to them, and their BAA obligations
- ✓ Consumer health apps are generally outside HIPAA; an app becomes a business associate (never a covered entity) only when it handles PHI on behalf of a covered entity, for example through an EHR integration
- ✓ HIPAA does not cover all health data — only PHI held by covered entities and their BAs
The Decision Framework: Do You Need HIPAA Compliance?
Start with these questions in order:
| Question | If Yes | If No |
|---|---|---|
| Are you a healthcare provider who transmits health information electronically in connection with a HIPAA standard transaction (e.g., claims, eligibility checks, payment)? | You are a covered entity. HIPAA fully applies. | Continue to next question. |
| Are you a health plan (insurer, HMO, self-insured employer health plan)? | You are a covered entity. HIPAA fully applies. | Continue to next question. |
| Are you a healthcare clearinghouse? | You are a covered entity. HIPAA fully applies. | Continue to next question. |
| Do you create, receive, maintain, or transmit PHI on behalf of a covered entity (or of another business associate) as part of services you provide? | You are a business associate. The Security Rule, the duty to report breaches to the covered entity, and your BAA obligations apply. | Continue to next question. |
| Do you collect health data directly from consumers without any covered entity involvement? | You are likely not subject to HIPAA, but the FTC Act, the FTC Health Breach Notification Rule, and state health privacy laws may apply. | You handle no health data at all, so HIPAA does not apply to your organization. |
Who Needs HIPAA Compliance: Examples
The following organizations clearly need HIPAA compliance:
- Hospital systems and integrated delivery networks
- Solo and group physician, dental, and mental health practices
- Health insurance companies and managed care organizations
- Medicare and Medicaid plans
- Employer-sponsored self-insured group health plans
- EHR and practice management software vendors (business associates)
- Medical billing and coding companies (business associates)
- Cloud hosting providers used to store PHI (business associates)
- Healthcare analytics platforms that access patient data (business associates)
For a detailed breakdown of covered entity types, see when does HIPAA apply. For the CE vs. BA distinction, see covered entity vs. business associate.
Who Does NOT Need HIPAA Compliance (Generally)
- Consumer health and fitness apps — Apps that collect user-entered health data (like step counts, sleep tracking, or symptom logs) without any covered entity involvement are not covered by HIPAA. The FTC Act, the FTC Health Breach Notification Rule (which covers vendors of personal health records, including many such apps), and state privacy laws such as Washington's My Health My Data Act may apply instead.
- Employers — For employment records, HR data, and workplace health programs not connected to a group health plan, HIPAA does not apply.
- Life insurance companies — Life insurers are not covered entities (though they may be impacted by state insurance regulations and must handle health information carefully).
- Workers' compensation payers — Not covered entities, though they often deal in health information.
- Schools and universities — Education records are governed by FERPA, not HIPAA (with exceptions for university hospital components).
- Non-clinical technology companies — A general SaaS CRM company that has no healthcare clients and handles no PHI is not subject to HIPAA.
What "HIPAA Compliance" Actually Requires
For covered entities, HIPAA compliance involves implementing three rules:
- Privacy Rule — Governs how PHI may be used and disclosed; requires Notice of Privacy Practices; grants patients rights (access, amendment, accounting)
- Security Rule — Requires administrative, physical, and technical safeguards for electronic PHI (ePHI)
- Breach Notification Rule — Requires notification to affected individuals and to HHS when unsecured PHI is breached, and to prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction
Additionally, covered entities must have signed BAAs with every business associate that handles PHI. See what is a business associate agreement for the full requirements.
For business associates, HIPAA compliance means: Security Rule compliance, using and disclosing PHI only as the BAA and the Privacy Rule permit, reporting breaches (and any other security incidents the BAA requires) to the covered entity without unreasonable delay and no later than 60 days after discovery, and obtaining BAAs from any subcontractors that handle the PHI.
Minimum Steps to Become Compliant
If you have determined that HIPAA applies to your organization and you are not yet compliant, these are the minimum steps to take:
- Conduct a Security Risk Analysis and a risk management plan — Both are required under the Security Rule; the analysis identifies threats and vulnerabilities to the ePHI you hold, and the plan documents how each identified risk will be reduced to a reasonable and appropriate level
- Implement required policies and procedures — Privacy and Security Rule policies covering workforce training, access controls, incident response, and more
- Inventory all vendor relationships involving PHI — Identify every business associate who accesses your PHI
- Execute BAAs with all business associates — Before sharing any PHI with each vendor
- Train workforce — HIPAA requires workforce training on relevant policies
- Designate a Privacy Officer and Security Officer — Required roles under the Privacy and Security Rules
When to Consult a Healthcare Attorney
This article provides a decision framework, but HIPAA's application to edge cases — hybrid entities, consumer apps with clinical integrations, state law preemption, employer health programs — can be complex. If your situation involves any ambiguity, consulting a healthcare attorney before sharing health data with vendors is strongly recommended. The cost of a consultation is far less than the cost of an OCR enforcement action.
Frequently Asked Questions
Does my healthcare app need to comply with HIPAA?
It depends on how the app interacts with health data. A consumer wellness app that collects user-entered data directly — without involvement from a covered entity — is generally not subject to HIPAA. However, if your app receives PHI from a covered entity (like pulling data from an EHR via API), provides services to covered entities, or integrates with clinical systems that transmit PHI to your platform, you are likely a business associate and HIPAA applies to your handling of that data.
Do small medical practices need HIPAA compliance?
Yes. HIPAA applies to all covered entities regardless of size. A solo physician practice that accepts insurance and transmits claims electronically is a covered entity subject to HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule in full. The same requirements that apply to large hospital systems also apply to small practices. OCR does consider organization size and financial capacity when determining penalty amounts, but the underlying compliance obligations are the same.
Is a health coaching company subject to HIPAA?
Generally no — unless the health coaching company has a contractual relationship with a covered entity that involves PHI. A standalone health coaching business that collects client health information directly through its own programs is not a covered entity. However, if the coaching company contracts with health plans or healthcare providers and accesses patient PHI as part of those services (for example, participating in a hospital's care management program), it becomes a business associate and HIPAA applies to the PHI it receives.
What is the difference between being HIPAA compliant and signing a BAA?
Being HIPAA compliant means your organization has implemented everything the Privacy Rule, Security Rule, and Breach Notification Rule require: the Privacy Rule's limits on use and disclosure and patient rights, the Security Rule's administrative, physical, and technical safeguards for ePHI (including the risk analysis), breach notification procedures, workforce training, written policies, and more. Signing a BAA is one specific contractual step required when sharing PHI with a business associate. A BAA is an element of HIPAA compliance for covered entities and BAs, but it is not the entirety of what compliance requires.
Confirmed You Need HIPAA Compliance?
Start by generating BAAs for your vendor relationships — a foundational step in any HIPAA compliance program.
Generate Your BAA Free →