
Who Must Follow HIPAA? Covered Entities, Business Associates, and Exceptions Explained
HIPAA applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a standard transaction) and to their business associates, meaning any third-party vendor or contractor that creates, receives, maintains, or transmits protected health information (PHI) on a covered entity's behalf. HHS estimated the first-year compliance cost of the 2025 proposed Security Rule updates at roughly $9 billion across the healthcare industry (HHS, 2025), a figure that reflects how far HIPAA obligations now reach beyond hospitals and insurers into the vendors that serve them.
What Is a Covered Entity Under HIPAA?
A covered entity is an organization in one of three categories that handles protected health information in connection with healthcare delivery or payment. Covered entity status is not elective: if your organization meets the regulatory definition, the Privacy, Security, and Breach Notification Rules apply whether or not you have ever thought about HIPAA.
Healthcare Providers: Any provider that transmits health information in electronic form in connection with a covered transaction is a covered entity. This includes physicians, hospitals, clinics, psychologists, dentists, chiropractors, physical therapists, nursing homes, and pharmacies. A solo practitioner who submits claims electronically is a covered entity. A mental health therapist who bills insurance electronically is a covered entity.
Health Plans: Health insurance companies, HMOs, employer-sponsored group health plans, and government programs including Medicare, Medicaid, and CHIP are all covered entities. The only carve-out is narrow: a group health plan with fewer than 50 participants that is administered solely by the sponsoring employer is excluded from the definition. A plan with 50 or more participants, or any plan that uses an insurer or third-party administrator, is covered regardless of size.
Healthcare Clearinghouses: Organizations that process nonstandard health information into standard formats (or vice versa) for billing and claims purposes are covered entities. Most practices don't interact with clearinghouses directly—their billing software does—but the clearinghouse itself is bound by HIPAA.
Who Are Business Associates Under HIPAA?
A business associate is any person or organization, other than a member of a covered entity's workforce, that creates, receives, maintains, or transmits PHI in order to perform a function or service on the covered entity's behalf. Business associate status has expanded significantly since HIPAA's original enactment: the HITECH Act of 2009, implemented through the 2013 Omnibus Rule, made business associates directly liable for compliance with the Security Rule and the applicable parts of the Privacy Rule, rather than merely bound by contract to their covered entity clients.
Common business associates include: medical billing and coding companies, EHR vendors, patient intake software platforms (like Zentake), cloud storage and hosting providers that hold PHI (including when the data is encrypted and the provider holds no key), IT support and managed service providers with access to systems containing PHI, transcription services, legal and accounting firms that handle PHI, and medical record storage and destruction services.
A business associate must sign a Business Associate Agreement (BAA) with each covered entity it serves before the covered entity discloses any PHI to it. The BAA defines permissible uses and disclosures of PHI, the safeguards the vendor must implement, its breach reporting obligations to the covered entity, and the return or destruction of PHI when the contract ends. The obligation flows down the chain: a business associate that hands PHI to its own subcontractors (for example, the cloud host behind a billing platform) must have a BAA with each of them, and those subcontractors are business associates in their own right.
Who Is Exempt From HIPAA?
Not all organizations that handle health information are covered by HIPAA. Organizations outside HIPAA's reach include: employers holding employee health information in their capacity as an employer (sick notes, fitness-for-duty results, and the like, as opposed to records of the employer's group health plan, which is covered), life insurers, workers' compensation carriers, most schools and school districts (whose student health records fall under FERPA instead), most law enforcement agencies, and many state agencies. Importantly, consumer health apps and wearable devices that do not act on behalf of a covered entity are generally not subject to HIPAA, though they may be subject to FTC enforcement, including the FTC's Health Breach Notification Rule.
Does HIPAA Apply to Online Patient Intake Forms?
Yes. HIPAA's text predates the widespread use of online forms, but its Privacy and Security Rules are medium-neutral: they apply to any channel used to collect, transmit, or store PHI, including web-based forms, mobile apps, and tablets handed to patients in the waiting room. A practice using an online intake form that collects health information must confirm that the vendor implements the Security Rule safeguards (access controls, audit logging, encryption in transit and at rest) and that a signed BAA is in place before the first form goes live. Collecting PHI through a form tool for which no BAA exists, such as a consumer-tier Google Forms or Typeform account, is a HIPAA violation even if no breach ever occurs.
What Are the Penalties for Non-Compliance?
HIPAA civil penalties are tiered by level of culpability, ranging from $145 per violation (Tier 1: lack of knowledge) to an annual cap of $2,190,294 per violation category (Tier 4: willful neglect, uncorrected) as of January 2026. In 2024, HHS OCR resolved 22 enforcement cases with financial penalties, making it one of the most active enforcement years in HIPAA history (HHS OCR, 2025). Both covered entities and business associates can be penalized directly, and state attorneys general can also bring civil actions for HIPAA violations under HITECH.
Frequently Asked Questions About Who Must Follow HIPAA
Does a solo practitioner have to follow HIPAA?
Yes, if they transmit health information electronically in connection with a standard transaction (for example, submitting insurance claims electronically). A cash-only practice that never submits electronic claims may not meet the covered entity definition, but most solo practitioners do. Note that outsourcing the transmission does not change the answer: a practice whose billing service submits claims electronically on its behalf is a covered entity.
Does HIPAA apply to mental health therapists?
Yes, if they bill insurance electronically or transmit health information in electronic form. Private-pay only therapists who never submit electronic transactions may be exempt, but they are still subject to state privacy laws that often provide equal or greater protection.
Is my patient intake software vendor a business associate?
Yes. Any software vendor that stores, processes, or transmits patient health information on your behalf is a business associate. The only exclusion is the narrow "conduit" exception for services such as ISPs and couriers that merely carry PHI without persistent access to it; a platform that hosts your completed forms does not qualify. You must have a signed BAA with the vendor before using its platform for patient data. Zentake provides a BAA to every practice as a standard part of onboarding.
Does HIPAA apply to telehealth platforms?
Yes. Telehealth platforms that transmit or store PHI are business associates and must sign a BAA with the covered entity providers that use them. During the COVID-19 public health emergency, HHS OCR exercised enforcement discretion that allowed good-faith use of non-compliant video platforms; that discretion ended with the emergency in 2023, and full compliance is now required.
Are patient intake forms considered medical records under HIPAA?
Yes. Completed patient intake forms containing health information are PHI and belong to the practice's designated record set, so they are subject to HIPAA's privacy protections, including the patient's rights of access and amendment, as well as your obligations for secure storage, transmission, retention, and disposal.
What is the difference between a covered entity and a business associate?
A covered entity is a healthcare provider, health plan, or clearinghouse that directly provides or pays for healthcare. A business associate is a third-party vendor that handles PHI on behalf of a covered entity. Both are directly subject to HIPAA, but the covered entity bears primary responsibility for its patients' PHI, including the duty to obtain a BAA before sharing it, while a business associate is accountable both to regulators under the rules themselves and to its clients under the terms of the BAA.
If your practice uses digital intake forms, see how Zentake meets HIPAA requirements or schedule a demo to review our BAA and security infrastructure.
Last reviewed: April 2026