What Does HIPAA Compliance Mean?
HIPAA compliance means complying with all applicable standards, requirements, and implementation specifications of the HIPAA Administrative Simplification Regulations in order to safeguard the privacy of Protected Health Information (PHI) and ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically.
This general explanation of what HIPAA compliance means can be interpreted differently depending on an organization’s functions within the healthcare or health insurance industries, on a workforce member’s role, and on a patient’s perspective. Regulatory agencies can also have their own interpretations of terms used throughout HIPAA such as “applicable”, “reasonable and appropriate”, and “flexibility of approach”.
Consequently, this guide looks at the general explanation from several angles. It discusses who needs to be HIPAA compliant, who needs HIPAA compliance (the two answers are not the same), and what it means to be HIPAA compliant in a challenging regulatory environment in which state laws, evolving cybersecurity requirements, and disruptive court decisions can take the focus away from the original objectives of HIPAA.
Who Needs to be HIPAA Compliant?
The first part of the answer to who needs to be HIPAA compliant is health plans, health care clearinghouses, and healthcare providers who conduct electronic healthcare transactions for which the Department of Health and Human Services (HHS) has adopted standards. Organizations and individuals who fall within this explanation of who needs to be HIPAA compliant are referred to as covered entities.
Third parties that provide a service for or on behalf of a covered entity (referred to as business associates) also need to be HIPAA compliant when the service involves uses and disclosures of PHI for a HIPAA-regulated activity. The degree of compliance depends on the nature of the service being provided; it is not the case that business associates and their subcontractors only have to comply with the applicable standards of the Security Rule.
Members of covered entities’ and business associates’ workforces also need to be HIPAA compliant. As discussed below, complying with an employer’s workforce policies is not the same as complying with HIPAA. Workforce members can be sanctioned by their employer for non-compliance, and by a regulatory agency for any violation of the HIPAA Privacy Rule, even if the applicable standard was not covered in HIPAA training.
Exceptions to the Definition of Covered Entities
When discussing who needs to be HIPAA compliant, it is important to be aware that not all insurance companies that provide health benefits qualify as HIPAA covered entities. Similarly, not all healthcare providers qualify as HIPAA covered entities. In addition, some organizations and individuals can operate as hybrid covered entities or partial covered entities.
Insurance Companies
Companies that provide health benefits in insurance policies only qualify as covered entities if the provision of health benefits is the primary activity of the company. Insurance companies that provide health benefits as a secondary benefit to a primary benefit (e.g., auto insurance) do not qualify as covered entities and are not required to safeguard PHI or comply with the patients’ rights provisions of HIPAA (although other privacy and security regulations may apply).
Healthcare Providers
Healthcare providers who do not conduct transactions for which HHS has adopted standards, or who do not conduct them electronically, do not qualify as covered entities. Examples include therapists who exclusively bill clients directly, and clinics that conduct healthcare transactions only through the mail. However, if a non-qualifying therapist provides a service for or on behalf of a covered entity, the therapist is required to comply with HIPAA as a business associate.
Hybrid and Partial Covered Entities
Hybrid and partial covered entities are organizations that are required to comply with HIPAA for some activities but not others. An example of a hybrid entity is an educational institution that provides healthcare services to students (whose records are covered by FERPA) and to the public (whose records are covered by HIPAA). An example of a partial covered entity is an employer that administers a self-insured health plan, or that acts as an intermediary between employees, healthcare providers, and health plans.
HIPAA Compliance for Business Associates
As mentioned previously, business associates and their subcontractors do not only have to comply with the applicable standards of the Security Rule. Under the Applicability standard of the HIPAA General Provisions (45 CFR §160.102), the standards, requirements, and implementation specifications adopted under the subchapter (i.e., the HIPAA Administrative Simplification Regulations) apply to a business associate or subcontractor “where provided”.
The standard is worded in this way because some business associates provide billing and claims services on behalf of covered entities, in which case the transaction standards of Part 162 of the HIPAA Administrative Simplification Regulations apply. Other business associates may provide patient-facing healthcare services on behalf of covered entities, or remote services that involve uses and disclosures of PHI to which HIPAA Privacy Rule standards apply (e.g., the Minimum Necessary Standard).
It can also be the case that some business associates take responsibility for fulfilling the breach notification requirements when a breach of unsecured PHI occurs. While §164.410 of the Breach Notification Rule only requires business associates to notify the covered entity of a breach, there are many examples in HHS’ breach portal of business associates directly notifying HHS’ Office for Civil Rights, affected individuals, and the media.
HIPAA Compliance for Workforce Members
In the context of answering the question of who needs to be HIPAA compliant, it is important not to overlook workforce members. While most workforce members will be aware of their compliance obligations through HIPAA training, those who are not directly involved with plan members and patients, or who do not have authorized access to PHI, also need to be made aware that they have to comply with the Privacy and Breach Notification Rules.
This requirement appears in §164.530(e) of the Privacy Rule, which requires covered entities (and, where provided, business associates) to have and “apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the Privacy Rule] or subpart D of this part [the Breach Notification Rule].” Members of the workforce are defined in §160.103 of the General Provisions.
In addition to sanctions applied by the covered entity, workforce members can be sanctioned by licensing agencies, and prosecuted by the Department of Justice, if non-compliant actions result in the wrongful disclosure of individually identifiable health information contrary to §1177 of the Social Security Act (42 U.S.C. §1320d-6). There are many examples of workforce members losing their jobs, their licenses, and their liberty for HIPAA violations that were (mostly) not attributable to non-compliance by the covered entity.
Who Needs HIPAA Compliance?
While it could be argued that covered entities, business associates, and workforce members need HIPAA compliance in order to avoid the consequences of non-compliance, the part of the compliance environment that needs HIPAA compliance more than any other is patients. There are several ways in which non-compliance with HIPAA, a perception of non-compliance, or a lack of understanding about what HIPAA compliance means can affect patient outcomes.
Non-Compliance with HIPAA
The most common consequences of a HIPAA data breach are additional administrative, physical, and/or technical safeguards being implemented by the non-compliant party. These safeguards often involve new policies and procedures that take time to learn and adopt, which can delay processing, examining, and treating patients. Studies have associated breach remediation efforts with a deterioration in the timeliness of care and in patient outcomes.
A Perception of Non-Compliance
A perception of non-compliance with HIPAA, whether or not it is justified by a breach notification, can lead to patients withholding information from healthcare providers due to privacy concerns. Withholding information gives healthcare providers less data with which to make accurate diagnoses and prescribe effective treatment plans; and when trust is lacking, patients are less likely to adhere to treatment plans, potentially resulting in higher readmission rates and worse patient outcomes.
A Lack of Understanding of What HIPAA Compliance Means
A lack of understanding about what HIPAA compliance means can result not only in an unjustified perception of non-compliance, but also in unjustified complaints being made to HHS’ Office for Civil Rights. The Office for Civil Rights receives around 17,500 complaints per year, nearly 70% of which are rejected on review because there is no eligible case for enforcement.
With a better understanding of what HIPAA compliance means, HHS’ Office for Civil Rights would have around 10,000 fewer unjustified complaints to review each year and more resources to support HIPAA compliance, reducing the number of times breach remediation efforts and perceptions of non-compliance affect patient outcomes. It is therefore important that patients also understand what HIPAA compliance means.
What Does it Mean to be HIPAA Compliant?
The original objective of HIPAA, as far as organizations within the healthcare and health insurance industries are concerned, was to simplify the administration of healthcare transactions in order to reduce costs. Because more transactions were being conducted electronically, the Security Rule was added to protect electronic PHI at rest and in transit, and the Privacy Rule was added because Congress failed to pass separate privacy legislation within the deadline HIPAA set for it.
Complying with the HIPAA Administrative Simplification Regulations at the time they were first published should not have been that difficult. However, due to a general disregard of the regulations and a lack of enforcement action, being HIPAA compliant has become more challenging as states have assumed responsibilities for data privacy and security, HHS has had to propose mandatory cybersecurity requirements, and courts have handed down disruptive decisions.
How State Laws Affect What HIPAA Compliance Means
Since the passage of HIPAA, most states have introduced their own privacy, security, and/or breach notification laws. Some (but not all) exempt HIPAA covered entities and business associates, and some have more stringent requirements that overlay HIPAA and are not preempted by it. In addition, some state laws apply to PHI maintained by a covered entity or business associate, but not to personally identifiable information maintained separately from PHI.
Cybersecurity Requirements Could Affect 98% of Providers
This patchwork of state laws was one of the things HIPAA tried to prevent by creating a federal floor of privacy and security protections. However, partly because some organizations have failed to understand what it means to be HIPAA compliant, HHS is now proposing new cybersecurity requirements that will not only be written into the Security Rule but may also become a condition of participation in Medicare and Medicaid, affecting up to 98% of healthcare providers.
Disruptive Court Decisions Further Impact HIPAA Compliance
Over the next couple of years, possibly the biggest challenge to what it means to be HIPAA compliant will be attributable to disruptive court decisions. In April 2024, a new section had to be added to the HIPAA Privacy Rule to account for the Supreme Court overturning Roe v. Wade. Although most of the standards relating to reproductive health care were subsequently vacated by a federal judge in Texas, they still appear as current and applicable in the Code of Federal Regulations.
The overturning of the Chevron deference doctrine in June 2024 also has the potential to affect HIPAA compliance. That decision led the state of Texas to file suit to vacate the entire Privacy Rule; and, although the suit was dismissed in November 2025, it emboldened industry bodies to challenge the proposed update to the HIPAA Security Rule.
What Does HIPAA Compliance Mean? Conclusion
While the general explanation of what HIPAA compliance means provided in the introduction to this article still applies, being HIPAA compliant can mean different things to different parts of the compliance environment. Currently, covered entities, business associates, and workforce members need to comply with HIPAA and with any more stringent state laws that HIPAA does not preempt, in order to avoid the breach remediation efforts and trust issues that can affect patient outcomes.
At the same time, covered entities, business associates, and workforce members need to be prepared for potential wide-scale regulatory changes that will affect what HIPAA compliance means. Patients also need a better understanding of what it means to be HIPAA compliant, so that fewer unjustified complaints are submitted to HHS’ Office for Civil Rights and the agency can focus on supporting HIPAA compliance. In short, every part of the compliance environment has a responsibility to understand what HIPAA compliance means.