Are health technology companies automatically considered HIPAA-covered entities?

Mar 3, 2023 | HIPAA News and Advice

No, health technology companies are not automatically considered HIPAA-covered entities. Whether a health technology company is a HIPAA-covered entity depends on whether it electronically maintains or transmits individually identifiable health information and performs the covered functions outlined in the HIPAA regulations. Health technology companies provide innovative solutions that enhance patient care, streamline operations, and improve overall efficiency. With the increasing reliance on electronic health records (EHRs), telemedicine platforms, mobile health applications, and other digital tools, questions arise about whether these entities fall under HIPAA as covered entities. The answer is not straightforward: it requires an analysis of each company's activities and of how it interacts with protected health information (PHI).

| Key point to consider | Explanation |
|---|---|
| HIPAA-covered entity definition | Defines covered entities as healthcare providers, health plans, and healthcare clearinghouses subject to HIPAA. |
| Role of health technology companies | EHR vendors, telemedicine platforms, mobile app developers, and health data analytics firms. |
| Electronic maintenance and transmission of PHI | Determining factor: whether a company electronically maintains or transmits individually identifiable health information (ePHI). |
| Functions involving PHI | The company must perform functions such as creating, storing, or transmitting ePHI on behalf of covered entities. |
| Business associates | Entities providing PHI-related services to covered entities; must comply with HIPAA's Privacy, Security, and Breach Notification Rules. |
| Developing vs. handling PHI | Merely developing healthcare technology does not make a company covered; it must handle PHI for covered entities. |
| Voluntary compliance | Some technology companies voluntarily comply with HIPAA to enhance data security and trust when dealing with health data. |
| Hybrid entities | Companies operating in both covered and non-covered capacities; compliance obligations vary with the specific activity. |
| HITECH Act and business associate subcontractors | The HITECH Act introduced "business associate subcontractors," extending compliance responsibilities down the chain. |
| Assessment and classification | Determining HIPAA applicability requires assessing roles, interactions with PHI, and contractual obligations. |
| Clear responsibilities and data flows | Defining roles and data flows accurately is important for proper compliance with HIPAA regulations. |
| Ongoing vigilance | As healthcare and technology services evolve, maintaining accurate classification and compliance is necessary. |

Table: Key Points for Determining if a Health Technology Company is HIPAA-covered

HIPAA comprises regulations aimed at safeguarding the privacy, security, and confidentiality of PHI. Covered entities, as defined by HIPAA, include healthcare providers, health plans, and healthcare clearinghouses. These entities are required to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule when handling PHI in electronic form. Business associates, or organizations that provide services involving PHI to covered entities, are also subject to HIPAA regulations.

Health technology companies, which include entities such as EHR vendors, telemedicine platform providers, mobile app developers, and health data analytics firms, may or may not be classified as covered entities or business associates under HIPAA. The determining factor is whether a company meets the specific criteria set out in the regulations. A health technology company could be considered a HIPAA-covered entity if it electronically maintains or transmits individually identifiable health information (ePHI) and performs the functions outlined in the regulations. If the company engages in activities that involve creating, receiving, storing, or transmitting ePHI on behalf of a covered entity or health plan, it might instead be classified as a business associate. For instance, an EHR vendor that stores patient records on behalf of a healthcare provider would fall under the business associate category, subject to the same HIPAA requirements as covered entities.

However, merely creating technology that could be used to handle ePHI does not automatically make a company a covered entity or business associate. A health technology company that develops a healthcare app, for example, might not be subject to HIPAA if it does not process PHI on behalf of covered entities. If the app merely provides general health information or lets users track their fitness without involving a healthcare provider, it might not meet the criteria for HIPAA regulation. While health technology companies are not automatically considered covered entities or business associates, some choose to comply voluntarily with HIPAA standards to enhance customer trust and data security. This is particularly relevant when a company's technology involves health data, even where compliance is not technically required by law.

The situation becomes more complex when considering hybrid entities, where a company operates in both covered and non-covered capacities. For instance, a healthcare provider that offers telemedicine services through a technology platform it developed in-house would need to ensure HIPAA compliance for the telemedicine component but not necessarily for other aspects of its operations. The introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 also expanded the scope of HIPAA regulations. It introduced the concept of “business associate subcontractors,” extending liability to entities working with business associates, thereby creating a cascade of compliance responsibilities down the chain.

To determine whether a health technology company falls under HIPAA regulations, a detailed assessment of its activities is necessary. This assessment involves scrutinizing the company's role with respect to PHI, understanding the nature of the services it provides, and reviewing its contractual obligations to covered entities or business associates. A clear definition of responsibilities, data flows, and the nature of interactions with PHI contributes to an accurate classification.


Health technology companies are not automatically considered HIPAA-covered entities; whether they fall under HIPAA regulations hinges on their specific activities, interactions with PHI, and the functions they perform. Developing health-related technology does not inherently subject a company to HIPAA, and the determination requires a case-by-case analysis. As the healthcare and technology industry continues to evolve, ongoing vigilance and accurate classification of roles will be required to ensure compliance with HIPAA and maintain the security and privacy of patient health information.
