HIPAA Rules – Who Has To Comply?


HIPAA Rules - Who Has To Comply?

Back in 2013, HIPAA rules were updated when the final Omnibus Rule became effective on March 26, 2013. I know that seems like ancient history to most, but really it was less than 10 years ago. That’s how long it has been since third-party vendors, referred to as Business Associates (BAs), of all sizes have been required to comply with HIPAA Privacy, Security, and Breach Notification Rules.

These days most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other individuals or businesses. Health & Human Services (HHS) defines this type of service provider as a BA, as defined in 45 CFR 160.103.

HIPAA Rules - What Do the Rules Say?

Covered Entities (CEs) and BAs, collectively referred to as regulated entities, in accordance with § 164.306: 

Must ensure the confidentialityintegrity, and availability of all electronic protected health information (ePHI) the regulated entity createsreceivesmaintains, or transmits on the CE’s behalf only if the CE obtains satisfactory assurances, in accordance with § 164.314(a) that the BA will appropriately safeguard the information.

Every CE must document that their BAs are HIPAA compliant, this requirement includes documentation of their workforce training, and they have HIPAA compliant security policies in place and that they there is an incident reporting procedure in place between your practice and the BA.


And remember to document your findings – If it’s not documented, it didn’t happen! After all, an auditor might ask you for the data.

Covered Entities

Any healthcare provider, health plan, or healthcare clearinghouse that transmits any information in an electronic form in connection with transactions for which HHS has adopted a standard. For example, hospitals, academic medical centers, physicians, pharmacies, and other healthcare providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. CEs can be institutions, organizations, or individuals.

Third-Party Vendors

Third-party vendors, referred to as BAs, is a person or entity including subcontractors, other than a member of the workforce* of a CE, who performs functions or activities that involve access by the BA to PHI. BAs are also subcontractor that createsreceivesmaintains, or transmits protected health information (PHI) on behalf of another BA. 

*Note: Anyone paid with a 1099 freelancer/contractor is not a member of your workforce. Be sure your organization is following the 1099 Freelancer/Contractor IRS Rules


An entity to which a BA delegates a function, activity, or service, other than as a member of the BAs workforce.

There is no limit to the number of subcontractors that may be liable, because a subcontractor might delegate functions to other subcontractors, creating a chain of BA entities.

Covered Entities and their third-party vendors should understand that patients are entrusting them with their most private and intimate details, they expect it to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?