Who must be HIPAA Compliant?

by Sarah Harvey / April 3rd, 2017

Who must be HIPAA Compliant, and how can they prepare?

If you are just beginning to learn about HIPAA, you may be wondering, “Who must be HIPAA Compliant?” Up until 2009, the answer was simple: Covered Entities. But when the Health Information Technology for Economic and Clinical Health (HITECH) Act passed, it expanded the oversight of the Office for Civil Rights (OCR) to Business Associates. The HITECH Act was passed in 2009 to promote the adoption and meaningful use of health information technology (HIT).

Stephanie Rodrigue Discusses Who must be HIPAA Compliant?

The OCR’s proactive supervision will hold all covered entities and business associates responsible for their own compliance with the laws. According to the Omnibus Rule, business associates are being held directly responsible for their compliance with any relevant HIPAA laws. This means that business associate compliance will be a focus of the coming Phase 2 HIPAA enforcement actions.

Covered Entities are healthcare providers such as doctors’ offices, hospitals, health plans, or healthcare clearinghouses. If your business is a covered entity preparing for Phase 2 of the OCR’s HIPAA Audit Program, we recommend that you prepare through Risk Analysis, Risk Management, Breach Reporting, and Privacy Notice and Access. Phase 2 audits of covered entities will focus on:

  • Device and Media Controls
  • Transmission Security
  • Risk Analysis and Risk Management
  • Safeguards and Training on Policies and Procedures
  • Notice of Privacy Practices and Access Rights
  • Breach Notification Content and Timeliness

Business Associates are the vendors who provide services on behalf of Covered Entities. Right now, the OCR is conducting audits of business associates and assigning fines for lack of HIPAA compliance. For business associates, these audits will focus on Risk Analysis, Risk Management, and Breach Reporting to Covered Entities. If you are a business associate, we recommend that you prepare through:

  • Conducting Security Rule Risk Analysis and Risk Management
  • Reviewing Policies and Procedures related to ePHI vulnerability, accessibility, and integrity
  • Identifying all systems that include ePHI
  • Evaluating security measures to reduce risk
  • Breach Reporting (impermissible acquisition, use, access, or disclosure of ePHI)
  • Evaluating Policies and Procedures

KirkpatrickPrice can service both covered entities and business associates through:

  • Experienced Risk Analysis Practices
  • Policy and Procedure Review
  • Approach Modeled on HIPAA Audit Protocol
  • Expert Information Security Personnel
  • Web-based Portal Experience

If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.

Who must be HIPAA Compliant? This is a question we get asked from time to time. Up until 2009, the answer was Covered Entities, which are healthcare providers like doctors’ offices and hospitals. But when the HITECH Act passed, it expanded the oversight of the OCR to the Business Associates, which are the vendors who provide services to the Covered Entities.
Right now, the OCR is conducting audits of Business Associates and assessing fines for lack of HIPAA Compliance. If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.