Who is Affected by HIPAA?HIPAA applies to health plans, healthcare clearinghouses, and to healthcare providers that electronically transmit health information in connection with standard transactions.
"Health plan" generally includes any individual or group plan, private or governmental that provides or pays for medical care. Employee health benefit plans are excluded if they are self-administered and have fewer than 50 participants. Government-funded programs are excluded if their principal purpose is something other than providing or paying for health care, or if their principal activity is the direct provision of health care or the making of grants to fund health care.
"Healthcare clearinghouse" is a public or private entity that processes health information received from another entity, or converts transactions from non-standard into standard format, or vice versa. The regulations distinguish between a clearinghouse dealing with information in its own right (in which case it is bound by all the requirements of the regulations), and in its capacity as a business associate of another covered entity (in which case some of the requirements do not apply, but it is bound by its business associate contract with the covered entity). For example, the patient rights provisions would be enforced through the business associate contract, not directly.
"Healthcare provider" is any person or organization who furnishes, bills, or is paid for health care in the normal course of business. However, healthcare providers are covered by the rules only if they transmit electronic health information in connection with a standard transaction.