HIPAA Compliance for Small Healthcare Organizations: A Series on Building HIPAA Compliance from the Ground Up

Posted by Heather Danesh | May 20, 2026 | 0 Comments

Part 1 of 5 — Do You Actually Need to Be HIPAA Compliant? Asking the Right Threshold Question

A Practical Series for Small Healthcare Organizations, Nonprofits, and Telehealth Providers

I regularly get calls that start roughly the same way: "We need to become HIPAA compliant — what does that cost and how fast can we get it done?" The caller is usually a small medical practice owner, a startup founder building a healthcare-adjacent product, or a nonprofit director who has been told by a hospital partner that they need to "be HIPAA compliant" before any information can be shared. They have already mentally committed to a compliance project before we have established whether HIPAA actually applies to what they are doing.

Before spending a dollar on policies, software, or consultants, every organization needs to answer one question: does HIPAA apply to us, and if so, in what capacity? The answer determines everything else — what rules you are subject to, what documents you need, what contracts you must sign, and what enforcement risk you face. Getting this wrong at the outset is expensive in two directions: organizations that wrongly assume HIPAA applies overspend on compliance theater they do not legally need, and organizations that wrongly assume it does not apply find themselves in regulatory trouble when something goes wrong.


Who HIPAA Actually Covers

HIPAA's Privacy, Security, and Breach Notification Rules apply directly to two categories of organizations.

Covered Entities are the front-line healthcare actors: health plans (insurers, HMOs, employer-sponsored health benefits, Medicare, Medicaid), healthcare clearinghouses (the back-office entities that process claims), and healthcare providers who transmit health information electronically in connection with covered transactions. See 45 C.F.R. § 160.103 (definitions of "covered entity," "health plan," "health care clearinghouse," and "health care provider"). The "transmits electronically" piece is what sweeps in most providers — if you submit claims, check eligibility, or exchange referral information electronically, you are a covered entity. A purely cash-pay practice that handles no electronic transactions technically falls outside the definition, though almost no modern practice operates that way.

Business Associates are the second category, and this is where most small businesses, vendors, and nonprofits land. The Privacy Rule defines a business associate as a person or entity that, on behalf of a covered entity, performs functions or activities involving the use or disclosure of PHI. See 45 C.F.R. § 160.103 (definition of "business associate"). The classic examples are billing companies, IT vendors, transcription services, cloud storage providers, document shredding companies, and consultants. The 2013 Omnibus Rule expanded the definition substantially — see Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) — and subcontractors of business associates are themselves business associates, so the obligations flow downstream.

If you are neither a covered entity nor a business associate, HIPAA does not apply to you directly. This is true even if you handle health information. A fitness app collecting workout data, a wellness coach taking notes about a client's diet, or a charity collecting medical hardship applications directly from patients are not subject to HIPAA — though they may well be subject to state privacy laws, the FTC Act, and sector-specific rules like the FTC's Health Breach Notification Rule. See 16 C.F.R. pt. 318; FTC, Health Breach Notification Rule, 89 Fed. Reg. 47028 (May 30, 2024) (final rule expanding scope to include health apps and similar technologies). FTC enforcement under the HBNR has expanded notably in recent years, and organizations that handle consumer health data outside HIPAA's framework should not assume the absence of federal oversight.

The Question That Actually Matters: Are You a Business Associate?

For most small organizations reading this, the operative question is whether they are or will become a business associate. The test has two parts:

First, will you create, receive, maintain, or transmit PHI? PHI is individually identifiable health information held or transmitted by a covered entity or its business associate. See 45 C.F.R. § 160.103. The "individually identifiable" piece is broader than people expect — it includes any of eighteen specific identifiers (names, dates, geographic data smaller than a state, account numbers, biometric identifiers, and so on) when combined with health information. The full list of identifiers appears at 45 C.F.R. § 164.514(b)(2).

Second, are you doing it on behalf of a covered entity to perform a service for that entity? This is the part that often determines status. A nonprofit that receives patient referrals from a hospital to provide a service to the hospital's patients is likely a business associate. A nonprofit that accepts applications directly from patients, with no information flowing from the hospital, is likely not — even if it ultimately serves the same patients. HHS guidance on the distinction is available through the OCR Business Associates page at hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates.

The distinction sounds technical but has enormous practical consequences. Business associates are directly liable under HIPAA pursuant to the HITECH Act of 2009 (Pub. L. 111-5, §§ 13401, 13404), implemented in the 2013 Omnibus Rule. They must sign Business Associate Agreements with their covered entity partners (45 C.F.R. § 164.504(e)), must comply with the full Security Rule (45 C.F.R. §§ 164.302–164.318), must report breaches up the chain (45 C.F.R. § 164.410), and face the same civil monetary penalties as covered entities.

Penalty amounts are adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Pub. L. 114-74). Per the most recent adjustment published at 91 Fed. Reg. 3664 (Jan. 28, 2026), and reflected in 45 C.F.R. § 102.3, maximum penalties reach $2,190,294 per identical violation per calendar year in the most severe (willful neglect, uncorrected) tier, with lower amounts in the lower tiers under OCR's 2019 Notice of Enforcement Discretion. Penalty inflation continues annually.

Why Organizations Get This Wrong

Three common errors come up in early-stage analysis.

Confusing "handling health information" with "being subject to HIPAA." A wellness app that collects user-reported health data from consumers is handling health information but is not handling PHI in the HIPAA sense, because there is no covered entity in the chain. The FTC, not HHS, is the relevant regulator. The compliance program looks completely different. The FTC has signaled increasing attention to this space — see, e.g., In re GoodRx Holdings, Inc., FTC File No. 2023190 (Feb. 1, 2023) (first HBNR enforcement action, settling for $1.5 million).

Assuming that a hospital partnership automatically creates business associate status. It usually does, but not always. A donor giving an unrestricted gift to a hospital is not a business associate. A hospital marketing partner that receives no PHI is not a business associate. A research collaborator operating under a properly structured data use agreement for a limited data set may not be a business associate — see 45 C.F.R. § 164.514(e) (limited data sets and data use agreements). The function being performed matters more than the existence of the relationship.

Treating BAA requests as conclusive. Hospital procurement departments routinely send BAAs to vendors whose services do not actually involve PHI, because it is easier to send one to everyone than to analyze each relationship. Signing a BAA when you are not actually a business associate does not change your legal status — but it does contractually commit you to obligations you may not be set up to meet, and it may create liability you did not need to accept.

What This Means Practically

Before any compliance build-out, organizations should engage healthcare counsel to make a written threshold determination. The deliverable is short — usually a one or two page memo — but it shapes the entire compliance program. The memo should identify:

  • The organization's status under HIPAA (covered entity, business associate, neither, or hybrid — see 45 C.F.R. § 164.103 defining "hybrid entity")
  • The specific information flows that drive that status
  • The covered entity partners (current and anticipated) and the services performed for each
  • Any state law requirements that apply independently of HIPAA — California's Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56–56.37) is a major one, with the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.) layering additional requirements; Texas (Tex. Health & Safety Code ch. 181), New York (N.Y. Gen. Bus. Law § 899-aa), Washington (the My Health My Data Act, Wash. Rev. Code § 19.373 et seq.), and several other states have their own overlays
  • Any sector-specific requirements that apply independently — 42 C.F.R. Part 2 for substance use disorder records (substantially amended by HHS final rule at 89 Fed. Reg. 12472 (Feb. 16, 2024), compliance required by February 16, 2026); FERPA, 20 U.S.C. § 1232g, for educational records; GINA, 42 U.S.C. § 2000ff et seq., for genetic information

This analysis costs a few thousand dollars and saves organizations from one of two bad outcomes: building an expensive program they did not need, or operating without one they did.

A Note on Pending Regulatory Change

Readers should be aware that HIPAA's regulatory landscape is in flux. On December 27, 2024, OCR issued a Notice of Proposed Rulemaking to substantially modify the Security Rule for the first time since 2013. See HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025) (proposed rule). The comment period closed March 7, 2025, and OCR has indicated a target for final rule publication in May 2026, though that timeline remains uncertain pending the new administration's review of the more than 4,700 public comments received. If finalized as proposed, the rule would eliminate the distinction between "required" and "addressable" implementation specifications, mandate specific technical controls (encryption, multi-factor authentication, network segmentation, vulnerability scanning), and impose substantial new documentation requirements. Organizations building compliance programs in 2026 should design for current requirements while monitoring the final rule's status.

HIPAA compliance is not just about checking boxes — it is about building a practical compliance framework that fits the realities of your organization, your workforce, and the way patient information actually moves through your systems. At West Coast Health Law Group, we assist healthcare practices, telehealth companies, nonprofits, and healthcare startups with the legal and operational side of HIPAA compliance. West Coast Health Law offers a FREE consultation which you may schedule by clicking the button on our website.

Looking Ahead in This Series

The remaining four posts in this series assume the threshold analysis has been done and the organization has concluded that HIPAA applies. We will cover:

  • Part 2: The Business Associate Agreement — why it is the foundational document of any compliance program, what it should contain, and the negotiation points small organizations consistently miss.
  • Part 3: The Security Risk Analysis — what it is, who can perform one, and why it is the document OCR asks for first.
  • Part 4: Administrative, Physical, and Technical Safeguards — translating the Security Rule's three safeguard categories into specific operational steps.
  • Part 5: Certification, Attestation, and Ongoing Compliance — what you can credibly tell partners about your compliance posture, what frameworks exist, and what the realistic long-term cost looks like.

A final note: nothing in this series constitutes legal advice. HIPAA's application is fact-specific, and the consequences of getting it wrong are significant enough that every organization should work with qualified healthcare counsel rather than relying on general guidance. The goal of this series is to help readers understand the landscape well enough to have productive conversations with their attorneys, not to substitute for those conversations.

Up next in Part 2: The Business Associate Agreement — why it is the keystone of HIPAA compliance and what small organizations need to know before signing one.

Selected Authorities and Resources

Statutory and regulatory:

  • Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191
  • Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5, div. A, tit. XIII (HITECH Act)
  • 45 C.F.R. Parts 160, 162, and 164 (HIPAA Administrative Simplification Rules)
  • Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (Omnibus Rule)
  • HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025) (proposed)
  • HHS Annual Civil Monetary Penalties Inflation Adjustment, 91 Fed. Reg. 3664 (Jan. 28, 2026)
  • Confidentiality of Substance Use Disorder Patient Records, 89 Fed. Reg. 12472 (Feb. 16, 2024)

HHS/OCR guidance:

  • OCR, Covered Entities and Business Associates, hhs.gov/hipaa/for-professionals/covered-entities
  • OCR, Business Associates, hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates

FTC authority for non-HIPAA health data:

  • FTC Health Breach Notification Rule, 16 C.F.R. pt. 318, as amended at 89 Fed. Reg. 47028 (May 30, 2024)
  • In re GoodRx Holdings, Inc., FTC File No. 2023190 (2023)

Important Disclaimer: This post is for general informational purposes only and does not constitute legal advice. Reading this post, visiting our website, clicking a scheduling button, or requesting a consultation does not create an attorney-client relationship with West Coast Health Law Group. An attorney-client relationship is formed only after we confirm there is no conflict of interest and both you and our firm sign a written engagement agreement. If you are a California healthcare provider considering a partnership or internal succession arrangement, we invite you to schedule a free consultation through the button on our website to see whether we may be a good fit to help.

About the Author

Heather Danesh

Dr. Heather N. Danesh is a healthcare attorney specializing in practice startups, transitions, regulatory compliance, and corporate healthcare governance. She provides strategic legal support to medical and dental practices, ensuring compliance with healthcare regulations and managing complex legal issues related to mergers, acquisitions, and practice formation.
