The Federal HIPAA privacy regulations apply to what is termed “Covered Entities.” Below are the groups identified as covered entities:

  • Health care providers, such as physicians, dentists, psychiatrists, hospitals, clinics, pharmacies, and laboratories. Other groups may also meet the HIPAA definition of a Covered Entity.
  • Health plans
  • Health care clearinghouses

Covered Entities are bound by the HIPAA Privacy Rules for their own activities as well as for the activities of the organizations with which they contract for essential functions such as telehealth platforms, billing, collections, medical record storage, etc. These contracted organizations are called “Business Associates.”

The HIPAA Privacy Rule created national standards to protect individuals' medical records and other personal health information by:

  • Establishing appropriate safeguards that health care providers and others must achieve to protect the privacy of health information;
  • Holding violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights;
  • Setting boundaries on the use and release of health records;
  • Giving patients more control over their health information; and
  • Striking a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.

Health care providers are required to comply with HIPAA's Privacy and Security Rules and the requirements added in 2013 by the Health Information Technology for Economic and Clinical Health Act.

New HIPAA regulations will be released in 2021 or 2022 and may include changes to requirements for Covered Entities.

The Privacy Rule applies to all forms of individuals' protected health information (PHI). The HIPAA Security Rule requirements are limited to protecting health information that is created, maintained, received, or transmitted electronically (e-PHI).

HIPAA requires Covered Entities to:

  • Assign HIPAA responsibility to a designated person to serve as the HIPAA privacy and security officer.
  • Know the use and disclosure rules for PHI.
  • Know the rights of individual patients.
  • Implement and maintain written Privacy and Security policies.
  • Develop compliant forms such as authorizations to release PHI and notice of privacy practices.
  • Execute appropriate business associate agreements.
  • Perform and document a risk analysis of e-PHI.
  • Implement required safeguards.
  • Train workforce.
  • Respond immediately to any violation or breach.
  • Provide notice of a data breach to affected individuals, the Secretary of the Department of Health and Human Services, and, in some cases, the media.
  • Document actions.
  • Comply with State laws, including those that have more stringent privacy protections.

Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney.
The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired.

American Academy of Pediatrics