U.S. Department of Health and Human Services
Health Information Technology


Who is Required to Comply with HIPAA Requirements?

All those who meet the definition of a ‘covered entity’ under HIPAA must comply with HIPAA requirements to protect the privacy and security of health information.  They must also provide individuals with certain rights with respect to accessing their health information.  

Those defined as covered entities are:  

  • Health care providers
  • Health plans
  • Healthcare clearinghouses  

Until recently, only covered entities were required to comply with the HIPAA Privacy Rule and the Security Rule.  In 2009, HITECH extended HIPAA rules to apply to those who assist covered entities, known as ‘business associates.’  The proposed HIPAA rule would change HIPAA’s definition of business associates to include:   

  • Entities or persons that provide data transmission services to a covered entity and require routine access to protected health information (PHI)
  • Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate
  • Vendors that offer personal health records to one or more individuals on behalf of a covered entity    

HITECH also strengthens enforcement penalties for healthcare professionals who are guilty of willful neglect.  It extends HIPAA’s penalties to business associates as well.  

Related Resources:

Summary of the HIPAA Privacy Rule; Who Is Covered? – The HHS Office for Civil Rights (OCR) summarizes who is covered under HIPAA and provides a CMS decision tool to help you determine whether you are a covered entity.
Summary of HIPAA Rule: Business Associates – OCR’s overview of the key elements of the Privacy Rule including who is covered, what information is protected, and how protected health information can be used and disclosed.
HHS Strengthens Health Information Privacy and Security through New Rules – HHS Press Release describes how the HITECH Act will strengthen and expand enforcement of the HIPAA Privacy, Security, and Enforcement Rules.  
Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act – Federal Register notice of the Health and Human Services Department’s July 14, 2010 proposed changes to HIPAA.  

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.