
When Does HIPAA Apply? Covered Entities, Business Associates, and PHI

By BAA Generator Editorial  ·  Published Apr 20, 2026  ·  Last reviewed Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: HIPAA applies when an organization is (1) a covered entity — a healthcare provider, health plan, or healthcare clearinghouse — or (2) a business associate that creates, receives, maintains, or transmits PHI on behalf of a covered entity. If your organization handles protected health information in either capacity, HIPAA applies.

Covered Entity Definition and Examples

HIPAA's Privacy and Security Rules apply to "covered entities" — a defined class of organizations under 45 CFR § 160.103. There are exactly three types of covered entities: healthcare providers that transmit health information electronically in connection with covered transactions, health plans, and healthcare clearinghouses.

Business Associate Definition

A business associate is a person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI. Under the HITECH Act, business associates are directly subject to HIPAA's Security Rule and the provisions of their BAA. For a deeper comparison, see covered entity vs. business associate.

Common business associates include EHR vendors, medical billing companies, cloud storage providers, IT support firms with PHI access, legal counsel handling PHI, accountants accessing PHI, transcription services, and healthcare analytics platforms. If you perform any of these functions for a covered entity, you are a BA and HIPAA applies to you.

What Is PHI?

Protected Health Information is individually identifiable health information that is: (1) created or received by a covered entity or business associate; (2) relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to an individual, or payment for healthcare; AND (3) identifies the individual or there is a reasonable basis to believe it could identify the individual.

The 18 HIPAA safe harbor identifiers include: name, geographic data smaller than a state, dates (except year) for individuals older than 89, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifier.

What Is NOT PHI

HIPAA Coverage Quick Reference

Organization Type               | Covered Entity? | BAA Required?
Hospital or physician practice  | Yes             | Yes — with all vendors accessing PHI
Health insurance company        | Yes             | Yes — with all vendors accessing PHI
Medical billing company         | No (it's a BA)  | Yes — must sign BAAs with covered entity clients
SaaS EHR vendor                 | No (it's a BA)  | Yes — must sign BAA with each healthcare provider customer
Law firm with PHI access        | No (it's a BA)  | Yes — must sign BAA with covered entity client
Employer (employment records)   | No              | No (for employment records)
Consumer fitness/health app     | No (generally)  | No — unless it receives PHI from a covered entity

Frequently Asked Questions

What is a HIPAA covered entity?

A HIPAA covered entity is one of three types of organizations: (1) a healthcare provider who transmits any health information electronically in connection with covered transactions such as billing claims — this includes virtually all hospitals, physician practices, and pharmacies that accept insurance; (2) a health plan, including health insurers, HMOs, Medicare, and Medicaid; or (3) a healthcare clearinghouse that processes nonstandard health information into standard electronic formats.

Does HIPAA apply to my healthcare app?

It depends. A consumer health app that collects data directly from users — without involvement from a covered entity — is generally not a covered entity and not subject to HIPAA. However, if your app connects to a covered entity's system, receives PHI from a covered entity (e.g., pulls data from an EHR via API), or provides services to covered entities involving PHI access, you are likely a business associate and HIPAA applies to your handling of that PHI.

Does HIPAA apply to employers?

Generally no — employers acting in their capacity as employers are not covered entities, and HIPAA does not apply to employment records. However, if an employer sponsors a self-insured group health plan, that health plan is a covered entity and HIPAA applies to the plan. The plan must have BAAs with its third-party administrators and other vendors who access plan member PHI. The employer-employee relationship remains outside HIPAA.

When does a business associate need to comply with HIPAA?

A business associate must comply with HIPAA's Security Rule and the terms of its BAA from the moment it begins performing services that involve creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity. The HITECH Act made BAs directly liable for Security Rule compliance and for breaches caused by their own actions — meaning OCR can pursue enforcement directly against a BA without going through the covered entity. See what is a business associate agreement for the full BA obligation list.
