Which entities are subject to the HIPAA Security Rule?

Prepare for the HealthStream EMTALA HIPAA Test. Study with flashcards and multiple choice questions, each with hints and explanations. Get ready for your compliance exam!

The HIPAA Security Rule applies to health plans, healthcare providers, and healthcare clearinghouses that engage in electronic transactions involving Protected Health Information (PHI). This rule was established to ensure the confidentiality, integrity, and availability of electronic PHI. When these entities operate in a manner that requires them to handle electronic PHI, they are mandated to implement adequate safeguards to protect this sensitive information.

Healthcare providers encompass hospitals, doctors, and other practitioners that might transmit PHI electronically, while health plans include insurers and Medicare or Medicaid programs. Healthcare clearinghouses serve as intermediaries that process or facilitate the transmission of health information, thus playing a key role in the handling of PHI.

In contrast, while health apps on smartphones may handle health-related data, an application is not covered by HIPAA unless it meets specific criteria, such as being a business associate that transmits PHI on behalf of a covered entity. Therefore, health plans, healthcare providers, and healthcare clearinghouses are the entities explicitly subject to the mandates of the HIPAA Security Rule when they manage PHI electronically.
