Home
Pricing
Talk to our team
Compliance Hub

Who Needs HIPAA Compliance

Espresso Labs Team
3 min read
Who Needs HIPAA Compliance

HIPAA applies to two categories of organizations: covered entities (the primary regulated parties) and business associates (vendors and partners who handle PHI on their behalf). If your organization creates, receives, maintains, or transmits Protected Health Information in either role, HIPAA applies to you.

Covered Entities

HIPAA defines three types of covered entities:

Healthcare Providers

Any provider of medical or health services that transmits health information electronically in connection with certain transactions (such as claims, eligibility inquiries, or referral authorizations) is a covered entity. This includes:

  • Hospitals and health systems
  • Physician practices and clinics
  • Dental and vision practices
  • Mental health and behavioral health providers
  • Physical therapists, chiropractors, and other licensed practitioners
  • Pharmacies and pharmacy chains
  • Home health agencies and hospice providers
  • Nursing homes and long-term care facilities
  • Laboratories and radiology centers
  • Telemedicine and virtual care providers

Health Plans

Any individual or group plan that provides or pays for medical care is a covered entity:

  • Health insurance companies
  • HMOs and managed care organizations
  • Medicare and Medicaid programs
  • Employer-sponsored health plans (with some small plan exceptions)
  • Long-term care insurers
  • Employer self-insured health plans

Healthcare Clearinghouses

Organizations that process nonstandard health information into standard formats (or vice versa) for electronic claims submission. These are typically intermediaries between providers and payers.

Business Associates

A business associate is any person or organization that performs a function or activity on behalf of a covered entity that involves the use or disclosure of PHI. HIPAA requires covered entities to have written Business Associate Agreements (BAAs) with all business associates.

Common business associates include:

  • Cloud storage and hosting providers storing ePHI (AWS, Azure, Google Cloud with healthcare workloads)
  • EHR and practice management vendors
  • Medical billing and coding companies
  • IT managed service providers with access to systems containing ePHI
  • Data analytics and population health companies
  • Legal firms handling matters involving PHI
  • Accounting firms with access to PHI
  • Consultants with access to ePHI
  • Shredding companies that destroy paper records containing PHI
  • Telehealth platforms and virtual care vendors

Subcontractors of Business Associates

A subcontractor of a business associate that handles PHI on behalf of the business associate is also considered a business associate and is directly subject to HIPAA. This means the HIPAA chain extends throughout the supply chain.

Who Is NOT Covered

The following organizations are generally NOT covered entities or business associates under HIPAA:

  • Employers accessing employee health information in their role as employers (not in their role as health plan sponsors)
  • Life insurers that do not engage in electronic healthcare transactions
  • Workers’ compensation carriers in most circumstances
  • Schools and school districts (FERPA typically applies instead)
  • Law enforcement agencies obtaining PHI through legal process
  • Researchers who only receive de-identified data

How Espresso Labs Helps

Whether you’re a covered entity managing patient records or a business associate handling ePHI on behalf of clients, Espresso Labs implements and maintains the HIPAA Security Rule safeguards your organization is required to have — covering technical controls, documentation, risk assessments, and the audit evidence needed to demonstrate compliance.

Ready to Get Started?

CMMC compliance does not have to require a large internal team or a 6-figure budget. Espresso Labs delivers it as an automated, managed service so you can focus on winning contracts, not managing controls.

Talk to our team