ISMS Copilot

HIPAA applicability checker

Answer six questions to see whether your organization is likely a HIPAA covered entity, a business associate, or outside HIPAA's direct scope. The answer turns on the definitions in 45 CFR 160.103: health plans, health care clearinghouses, providers that conduct HIPAA standard transactions electronically, and vendors that handle protected health information on a regulated organization's behalf. A structured assessment, not legal advice.

Based on the HIPAA Rules at 45 CFR Parts 160 and 164 and HHS Office for Civil Rights guidance.

Primary sources

Jurisdiction: United States. Instruments: HIPAA (Public Law 104-191) as amended by the HITECH Act, implemented by the HIPAA Rules at 45 CFR Parts 160 and 164, as in force on the dates below. State health-information and consumer-privacy laws apply in addition and are not assessed here.

Frequently asked questions

Does this tool produce a binding determination?
No. It applies the definitions in 45 CFR 160.103 and related HHS guidance to your answers and returns a structured assessment. HIPAA status is fact-specific: an organization can be a covered entity for one part of its business and a business associate for another, and a vendor's status can differ per client. Settling it is the job of your privacy officer or counsel; this tool shows which way the definitions point.
What is a HIPAA covered entity?
One of three things, defined in 45 CFR 160.103: a health plan (an organization that provides or pays the cost of medical care), a health care clearinghouse (an organization that converts health information between standard and nonstandard formats), or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction such as claims or eligibility checks. The provider category is conditional; the other two are covered as such.
What is a business associate?
An organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity, or provides services to one involving such information: software and hosting vendors, billing companies, analytics providers, transcription services, lawyers and consultants whose work involves the data, and more (45 CFR 160.103). Subcontractors of business associates that handle the data are business associates too, all the way down the chain. The definition has specific exceptions, including a covered entity's own workforce members, disclosures to a provider for treatment, certain plan-sponsor and government benefit-program functions, and certain activities inside an organized health care arrangement.
We host encrypted data and never look at it. Are we still a business associate?
Yes. HHS treats a cloud service provider that creates, receives, or maintains electronic protected health information as a business associate even when the data is encrypted and the provider lacks the decryption key (the no-view scenario, addressed in the HHS OCR Guidance on HIPAA and Cloud Computing). The narrow conduit exception covers only mere transmission services with transient access, like a telecommunications carrier, not vendors that store data.
Our practice does not bill insurance electronically. Are we covered by HIPAA?
Possibly not. A health care provider is a covered entity only if it transmits health information in electronic form in connection with a transaction covered by the HIPAA Transactions Rule (45 CFR 160.102 and 160.103). A practice that takes only direct payment and never submits electronic claims or eligibility checks, directly or through a billing service, may fall outside the definition. The carve-out is fragile: one electronic standard transaction changes the answer, and state confidentiality law applies regardless.
Can an organization be both a covered entity and a business associate?
Yes. A provider can also sell billing services to other providers, which makes it a business associate for that work, and HIPAA assesses each function separately. Organizations whose activities are only partly covered can also formally designate themselves a hybrid entity (45 CFR 164.103 and 164.105) so the HIPAA Rules apply to the health-care component rather than the whole organization. Run this check once per role if your organization wears several hats.
Does HIPAA apply to employers handling employee health information?
Generally not as such: protected health information excludes employment records held by a covered entity in its role as employer (45 CFR 160.103), and an ordinary employer is not a covered entity. The significant exception is the employer-sponsored group health plan, which is generally a health plan and therefore a covered entity in its own right (the definition carves out only plans with fewer than 50 participants administered solely by the employer), with HIPAA rules limiting what the plan may share with the employer as plan sponsor. Other laws, such as the ADA and FMLA, impose their own confidentiality duties on employee health information.
Does HIPAA cover consumer health apps and wearables?
Usually not. Data a consumer gives directly to an app or device with no provider or insurer involved is not protected health information, because no covered entity is in the chain. The FTC fills part of that gap: the Health Breach Notification Rule (16 CFR Part 318) requires vendors of personal health records, PHR related entities (including connected health apps in covered circumstances), and their third-party service providers to notify after a breach, and the FTC Act covers deceptive privacy promises; the rule does not reach entities already covered by HIPAA for those activities. The same app becomes business-associate territory the moment it handles data on a provider's or plan's behalf.
Is the HIPAA Security Rule changing?
A change is proposed but not final. HHS published a proposed rule on January 6, 2025 (90 FR 898) that would significantly strengthen the Security Rule's cybersecurity requirements, including making most implementation specifications mandatory. As of June 11, 2026, no final rule has been issued, and the proposal would not change who is regulated: the covered-entity and business-associate definitions this checker applies are untouched by it. If it is finalized, what changes is the depth of the safeguards, not the scope.

