HIPAA Data Protection Requirements for Covered Entities
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes federal data protection requirements that apply directly to covered entities handling protected health information (PHI). These requirements span administrative, physical, and technical safeguards, with enforcement authority resting with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Non-compliance exposes covered entities to civil monetary penalties tiered by culpability, and in egregious cases, criminal referral. This page describes the regulatory structure, operative mechanisms, common compliance scenarios, and the boundary conditions that determine which rules apply.
Definition and scope
Under 45 CFR §160.103, "covered entities" fall into three statutory classifications:
- Health plans — entities that provide or pay for medical care, including insurers, HMOs, Medicare, and Medicaid programs.
- Health care clearinghouses — entities that process nonstandard health information into standard formats or vice versa.
- Health care providers — any provider that transmits PHI electronically in connection with HIPAA-covered transactions, regardless of practice size.
PHI is defined as individually identifiable health information held or transmitted in any medium — electronic, paper, or oral. The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) governs permissible uses and disclosures. The HIPAA Security Rule (45 CFR Part 164, Subpart C) governs electronic PHI (ePHI) exclusively.
Business associates — vendors and contractors who create, receive, maintain, or transmit PHI on behalf of a covered entity — are not covered entities themselves but are bound by direct regulatory obligation under the HITECH Act of 2009. This distinction is central to scope determinations and is explored in the Data Protection Providers section of this provider network.
How it works
HIPAA compliance for covered entities operates through three interlocking rule sets, each with discrete implementation specifications classified as either required or addressable. Required specifications must be implemented as written; addressable specifications must be implemented, documented as equivalent, or documented with justification for non-implementation (HHS Guidance on Addressable Implementation Specifications).
Privacy Rule obligations include:
Security Rule obligations apply exclusively to ePHI and require covered entities to:
- Conduct a documented, organization-wide risk analysis (45 CFR §164.308(a)(1)).
Breach Notification Rule obligations (45 CFR Part 164, Subpart D) require covered entities to notify affected individuals within 60 days of discovering a breach affecting 500 or more individuals and to notify HHS simultaneously. Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually.
Civil monetary penalties under the tiered structure established by the HITECH Act range from $100 to $50,000 per violation, with an annual cap of $1.9 million per identical violation category (HHS Civil Money Penalties).
Common scenarios
Scenario 1: Small provider transmitting claims electronically. A solo-practice physician billing Medicare electronically qualifies as a covered entity. Even without a dedicated IT department, the Security Rule's full administrative and technical safeguard requirements apply. The risk analysis requirement is non-negotiable regardless of entity size.
Scenario 2: Hospital sharing data with a billing vendor. When a hospital engages a third-party billing company, the vendor qualifies as a business associate — not a covered entity. A Business Associate Agreement (BAA) is required under 45 CFR §164.308(b). The hospital retains liability for ensuring the BAA is in place; the vendor carries direct statutory liability under HITECH for its own compliance failures.
Scenario 3: Health plan disclosing PHI for marketing. Health plans may not use or disclose PHI for marketing communications without valid patient authorization (45 CFR §164.514(e)). Treatment-related communications and general health promotion materials that do not involve third-party remuneration are carved out. The distinction between "health care operations" and "marketing" determines whether authorization is required.
The page provides context on how HIPAA intersects with state-level privacy statutes, which in some cases impose stricter requirements than the federal floor.
Decision boundaries
The primary boundary question for any organization is whether it qualifies as a covered entity or functions solely as a business associate. The two categories carry overlapping but distinct obligations:
| Dimension | Covered Entity | Business Associate |
|---|---|---|
| Privacy Rule | Full obligations | Contractual only (via BAA) |
| Security Rule | Full obligations | Direct statutory obligations (HITECH) |
| Breach Notification | Direct HHS reporting required | Must notify covered entity within 60 days |
| Patient Rights | Must honor | No direct patient-facing obligation |
A second boundary involves the Privacy Rule's distinction between de-identified data and PHI. Data that meets either the Expert Determination method or the Safe Harbor method under 45 CFR §164.514(b) is no longer PHI and falls outside HIPAA's scope entirely. Safe Harbor requires removal of 18 specific identifiers; Expert Determination requires a qualified statistician to certify that re-identification risk is very small.
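The Safe Harbor method is mechanical enough to show in code. The following Python is an added example, not part of the original page and not an HHS or OCR tool: it applies the Safe Harbor rules (drop the direct identifier categories, reduce individual-related dates to the year, bucket ages over 89 as "90+", keep only the first three ZIP digits unless that prefix covers a small population, scrub identifier-shaped strings out of free text) to a flat record. The column names, the sample record, the reference date, and the `RESTRICTED_ZIP3` set are all assumptions constructed for the demo; the real restricted-prefix list is derived from Census population data, and the free-text regexes are a best-effort heuristic rather than a guarantee.

```python
import re
from datetime import date

# Demo column names mapped onto the Safe Harbor identifier categories
# (assumed names for this example; 45 CFR 164.514(b)(2) lists categories,
# not column names). Fields in this set are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo",
}

# Dates directly related to the individual are reduced to the year.
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}

# Constructed stand-in for the Census-derived set of three-digit ZIP
# prefixes covering 20,000 or fewer people; Safe Harbor maps those to 000.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Heuristic scrubbing of identifiers that leak into free text. Regexes are
# best-effort; Safe Harbor also requires that the entity have no actual
# knowledge that the residual information could identify the individual.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

AS_OF = date(2024, 6, 1)  # assumed reference date for computing age


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless that prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth_iso, as_of):
    """Whole years between an ISO birth date and the reference date."""
    born = date.fromisoformat(birth_iso)
    before_birthday = (as_of.month, as_of.day) < (born.month, born.day)
    return as_of.year - born.year - before_birthday


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, as_of=AS_OF):
    """Return a Safe Harbor de-identified copy of a flat record dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                       # direct identifier: removed
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            if value:
                age = age_on(value, as_of)
                if age > 89:               # ages over 89 become one bucket,
                    out["age"] = "90+"     # and the birth year is dropped too
                else:
                    out["age"] = age
                    out["birth_year"] = value[:4]
        elif key in DATE_FIELDS:
            out[key] = value[:4] if value else None
        elif key == "notes":
            out[key] = scrub_text(value or "")
        else:
            out[key] = value               # clinical data passes through
    return out


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.test",
    "street_address": "12 Example Street",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704-1234",
    "birth_date": "1931-03-15",
    "admission_date": "2023-11-02",
    "diagnosis_code": "E11.9",
    "notes": "Patient called from 555-123-4567 on 2023-11-01; "
             "reachable at jane@example.test.",
}


def run_demo():
    """De-identify the constructed sample record with the assumed date."""
    return deidentify(SAMPLE_RECORD)


if __name__ == "__main__":
    for field, value in run_demo().items():
        print(f"{field}: {value}")
```

Two design points worth noting. The birth date is handled jointly with age because the rule removes all date elements, including the year, that would reveal an age over 89, so the "90+" bucket also drops the birth year. And the free-text pass is the weak link: a regex cannot recognise a nickname or a rare diagnosis that identifies someone on its own, which is why entities with messy narrative fields often fall back to Expert Determination instead.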
A third boundary applies to hybrid entities — organizations that perform both covered and non-covered functions. A university hospital is a canonical example. HIPAA allows hybrid entities to designate the covered components formally, isolating compliance obligations to those components. The designation must be documented and maintained. The How to Use This Data Protection Resource page describes how service-sector professionals navigate multi-framework compliance environments involving HIPAA alongside frameworks such as NIST SP 800-66.