Everyone who touches protected health information (PHI) in a regulated role shares responsibility to comply with HIPAA — the Health Insurance Portability and Accountability Act of 1996. That includes covered entities, business associates, subcontractors, workforce members, and in some cases group health plan sponsors. HIPAA is not the patient’s job, and it is not the responsibility of every company that happens to hold medical data; it is a duty tied to specific roles defined by federal law at 45 CFR Part 160 and Part 164.
The governing rules come from the U.S. Department of Health and Human Services through its Office for Civil Rights (OCR), which enforces the Privacy Rule, the Security Rule, and the Breach Notification Rule. When any responsible party fails in its duty, the consequences range from corrective action plans to civil monetary penalties that, under the HITECH Act, can reach more than $2 million per violation category per year after inflation adjustments.
According to the HHS OCR enforcement highlights, OCR has resolved more than 320,000 HIPAA complaints and collected over $145 million in settlements and civil money penalties since 2003. Here is what this article gives you:
- 📘 A plain-English map of every party legally required to follow HIPAA.
- 🧭 Clear examples showing who answers for a breach and why.
- ⚖️ The exact federal rules, penalty tiers, and state overlays that control the outcome.
- 🧩 Scenario tables, named case studies, and mistakes to avoid.
- 🛡️ Answers to the ten questions most people ask about HIPAA responsibility.
The Federal Framework That Creates HIPAA Responsibility
HIPAA responsibility starts with federal statute and flows down through regulation. Congress passed the statute in 1996, and the HITECH Act of 2009 expanded it to cover business associates directly. The 2013 Omnibus Final Rule closed loopholes and pushed liability down the vendor chain.
The Three Core Rules
The HIPAA Privacy Rule tells regulated parties when PHI may be used or disclosed. The Security Rule tells them how to protect electronic PHI (ePHI). The Breach Notification Rule tells them what to do when protection fails.
Each rule sits inside 45 CFR Part 164. The Security Rule is the one organized into administrative, physical, and technical safeguards (45 CFR 164.308, 164.310, and 164.312); the Privacy Rule carries its own, less prescriptive safeguards duty at 45 CFR 164.530(c). A plain-English way to see it: Privacy is the rulebook, Security is the lock, and Breach Notification is the fire alarm. Ignoring any one of them is a standalone violation, and OCR can count violations per day of continuing noncompliance or per affected individual.
A common misconception is that only the Security Rule matters because “it’s all digital now.” That is wrong. A paper chart left on a break-room table triggers the Privacy Rule and, if it is seen by an unauthorized person, the Breach Notification Rule — no computer required.
The 2025 Proposed Security Rule Update
In December 2024, HHS announced a Notice of Proposed Rulemaking (published in the Federal Register in January 2025) to strengthen the Security Rule. The proposal removes the old “addressable vs. required” split, mandates multi-factor authentication, requires encryption of ePHI at rest and in transit, requires an annual compliance audit, and adds regular vulnerability scanning and penetration testing. The proposal has not been finalized, and the timing of a final rule is uncertain.
The consequence for regulated parties is clear: the bar for “reasonable and appropriate” safeguards is rising, and a stale risk analysis will not survive the new standard. Picture a rural clinic that still relies on a single shared password for its EHR login. That practice already fails the unique user identification standard at 45 CFR 164.312(a)(2)(i), which is a required specification today; under the proposed MFA mandate there would be nothing left to argue about.
A misconception here is that the update only affects hospitals. It affects every covered entity and every business associate, including two-person therapy practices and solo billing consultants.
Who Is a “Covered Entity” Under HIPAA?
Covered entities are the first and most obvious responsible parties. The term is defined at 45 CFR 160.103 and includes three groups.
Health Care Providers Who Transmit Electronically
A provider becomes a covered entity only when it transmits health information electronically in connection with a HIPAA transaction, such as a claim, eligibility check, or referral. That means a cash-only naturopath who bills no insurance and files no electronic claims is technically not a covered entity.
The consequence of assuming you are outside HIPAA when you actually bill electronically is severe. OCR can treat that kind of willful blindness as reckless indifference, which meets the definition of “willful neglect” at 45 CFR 160.401 and lands in the highest penalty tier: $71,162 to $2,134,831 per violation under the 2024 inflation adjustments.
Consider Dr. Alvarez, a pediatric dentist in Ohio. She files claims to Delta Dental through a clearinghouse. That single electronic transaction pulls her entire practice under HIPAA, even for the paper files she keeps in a back cabinet.
A common misconception is that only hospitals are “providers.” Chiropractors, dentists, counselors, home-health aides, and pharmacies are all providers when they transmit covered transactions.
Health Plans
Health plans include insurers, HMOs, Medicare, Medicaid, employer-sponsored group health plans with 50 or more participants or administered by a third party, and most ERISA welfare plans that provide medical care. A self-administered group health plan with fewer than 50 participants is excluded from the definition, but most employer plans are not.
The consequence of a plan failing to comply is high-profile. In 2018, Anthem, Inc. paid $16 million after a breach exposed nearly 79 million records. In 2020, Premera Blue Cross paid $6.85 million for a breach impacting 10.4 million people.
Think of Marcus, an HR director at a 400-person manufacturer. His self-insured group health plan is a covered entity, even though the company itself is not. Marcus must firewall PHI from general HR decisions or risk penalties against the plan.
Health Care Clearinghouses
Clearinghouses translate nonstandard data into standard electronic transactions. Companies like Change Healthcare and Availity sit in this bucket. Because clearinghouses hold massive volumes of PHI in transit, they face concentrated risk.
The 2024 Change Healthcare ransomware incident, which affected an estimated 190 million individuals, shows what happens when a single clearinghouse fails. OCR announced an investigation within weeks of the disclosure.
A misconception is that clearinghouses are “just pipes” and therefore not responsible for content. They are covered entities in their own right and must maintain full Privacy and Security Rule compliance. The narrow “conduit” exception covers only entities that merely transport PHI without accessing it except incidentally, such as the postal service, a delivery courier, or an ISP; anyone who stores PHI beyond the moment of transmission is outside it.
Who Is a “Business Associate” Under HIPAA?
A business associate (BA) is any person or entity that performs functions or services for a covered entity that involve the use or disclosure of PHI. The full definition sits at 45 CFR 160.103. Since the 2013 Omnibus Rule, BAs are directly liable to OCR for violations.
Common Business Associate Examples
Common BAs include cloud storage vendors, EHR software providers, medical billing companies, transcription services, shredding vendors, IT support firms, law firms handling PHI, and accountants auditing providers. A Business Associate Agreement (BAA) is required before any PHI changes hands.
The consequence of operating without a signed BAA is a per-se violation. In 2016, Raleigh Orthopaedic Clinic paid $750,000 for releasing X-ray films to a vendor with no BAA in place.
Take Priya, who runs a two-person billing company in Texas. She codes and submits claims for five small clinics. Priya is a business associate to all five, must follow the Security Rule, and must sign a BAA with each clinic before she touches a single remittance file.
A common misconception is that cloud vendors like AWS or Google Cloud are automatically HIPAA-compliant, or the opposite, that nothing about them is regulated until a BAA is signed. Both are wrong. OCR’s cloud computing guidance is explicit that a cloud provider that stores or processes ePHI for a covered entity is a business associate by virtue of that function, even if it holds only encrypted data and has no key; a “HIPAA-eligible” service list is marketing, not compliance. The BAA is a separate, mandatory requirement: using the vendor without one is a violation by the covered entity, and the vendor is independently liable for its own safeguards whether or not the contract exists.
Subcontractors of Business Associates
Since the Omnibus Rule, subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA are themselves business associates. Liability flows all the way down the chain.
The consequence is that a four-layer vendor stack (hospital → EHR vendor → data-center subcontractor → offsite tape-storage vendor) creates four independently liable HIPAA parties. If the storage vendor loses a tape, OCR can name every link. A pure delivery courier that only moves sealed media and never opens or warehouses it may fall under the narrow conduit exception; the moment it stores the tapes, it is a business associate.
Imagine Jordan, who runs a small offsite backup company used by an EHR vendor. Jordan must sign a BAA with the EHR vendor, conduct his own risk analysis, and comply with the Security Rule, even though he never talks to a hospital directly.
A misconception is that “I never see patient names” excuses a subcontractor. Encrypted or pseudonymized blobs of PHI are still PHI; the subcontractor does not need the key or the names for the duty to attach. Data leaves HIPAA only when it has been de-identified under 45 CFR 164.514, either by the Safe Harbor method (remove all 18 listed identifiers and have no actual knowledge that the remainder could identify the individual) or by Expert Determination.
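The Safe Harbor method is mechanical enough to show in code. The block below is an added example written for this article, not code from any regulator or vendor: the record layout and field names are constructed, while the transformation rules (drop the direct identifiers, keep only the first three ZIP digits or 000 for the small-population prefixes HHS lists, keep only the year of any date, aggregate ages over 89 into 90+) follow 45 CFR 164.514(b)(2). It also demonstrates the point in the paragraph above: a SHA-256 of a medical record number looks opaque but is still an identifier under 164.514(c), because the code is derived from information about the individual. The “no actual knowledge” prong of Safe Harbor is a human judgment and is not automated here.

```python
"""Safe Harbor de-identification under 45 CFR 164.514(b)(2), plus the
re-identification-code rule at 164.514(c). Constructed example; the field
names are hypothetical, the transformation rules are the regulation's.
"""
import hashlib
import re
import secrets
from datetime import date

# 3-digit ZIP prefixes whose geographic unit held 20,000 or fewer people in
# the 2000 Census figures HHS cites; Safe Harbor requires these to become 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Fields removed outright. These map onto the Safe Harbor categories other
# than dates, ZIP codes and ages, which are generalized rather than dropped.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Q. Example", "street": "12 Elm St", "city": "Charlestown",
    "state": "NH", "zip": "03601", "dob": "1931-07-04", "age": 92,
    "admit_date": "2024-03-15", "ssn": "000-00-0000", "mrn": "MRN-77001",
    "email": "jane@example.com", "diagnosis": "I10",
}


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for a restricted prefix."""
    zip3 = re.sub(r"\D", "", str(zip_code))[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor(record):
    """Return a new dict with the 18 Safe Harbor identifier categories handled."""
    over_89 = record.get("age") is not None and record["age"] > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # removed outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            if key == "dob" and over_89:
                continue                               # birth year would reveal age > 89
            out[key] = str(date.fromisoformat(value).year)   # year only
        elif key == "age":
            out[key] = "90+" if over_89 else str(value)
        else:
            out[key] = value      # state, diagnosis codes, lab values may remain
    return out


def code_derived_from(code, record):
    """True if `code` is just a hash of a direct identifier in `record`.

    164.514(c)(1) forbids re-identification codes derived from information
    about the individual, so sha256(MRN) is not a permitted code even though
    it looks opaque.
    """
    for key, value in record.items():
        if key not in DIRECT_IDENTIFIER_FIELDS:
            continue
        raw = str(value).encode()
        if any(h(raw).hexdigest() == code for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)):
            return True
    return False


def assign_reid_code(record, crosswalk):
    """Permitted alternative: a random token, with the mapping kept in a
    crosswalk stored apart from the de-identified data set (164.514(c)(2))."""
    code = secrets.token_hex(16)
    crosswalk[code] = record["mrn"]
    return code


# The naive "pseudonym" many pipelines produce; shown here so it can be tested.
NAIVE_MRN_HASH = hashlib.sha256(SAMPLE["mrn"].encode()).hexdigest()

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
    print("sha256(MRN) is a permitted code:", not code_derived_from(NAIVE_MRN_HASH, SAMPLE))
```

Run as a script it prints the de-identified record, which keeps only state, a generalized ZIP, the 90+ age bucket, the admission year, and the diagnosis code. The crosswalk returned by assign_reid_code is itself PHI and must live with the covered entity or business associate, not with the recipient of the de-identified data.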
Workforce Members: The Human Layer of Responsibility
HIPAA defines “workforce” broadly at 45 CFR 160.103 to include employees, volunteers, trainees, and other persons whose conduct is under the direct control of a covered entity or BA — paid or not. Workforce members are not directly liable to OCR, but they can be personally prosecuted under the criminal HIPAA statute at 42 U.S.C. 1320d-6.
Civil Liability Through the Employer
When a workforce member snoops, gossips, or mishandles PHI, the covered entity pays the OCR fine, and the same is true when a workforce member misconfigures a system. In 2019, Touchstone Medical Imaging paid $3 million after an FTP server left open to the internet exposed the PHI of more than 300,000 patients; OCR also cited failures in risk analysis and missing business associate agreements.
The consequence for the individual is usually internal: termination, loss of license, and sometimes civil suit by the patient under state tort law. Think of Carla, a nurse who peeks at her ex-boyfriend’s ER chart. Her hospital will fire her, her state board may suspend her license, and OCR will still hit the hospital.
A misconception is that curiosity is harmless. OCR treats unauthorized access as a Privacy Rule violation, full stop, regardless of whether the information is further disclosed.
Criminal Liability Under 42 U.S.C. 1320d-6
Workforce members who knowingly obtain or disclose individually identifiable health information in violation of the statute face up to one year in prison and a $50,000 fine, five years and $100,000 if the offense is committed under false pretenses, and ten years and $250,000 if it is committed with intent to sell the information or for commercial advantage, personal gain, or malicious harm. Prosecutions are rare but real.
In United States v. Zhou (9th Cir. 2012), a former UCLA Health researcher received four months in federal prison for reading celebrity and coworker charts he had no job reason to open. The court held that the government need not prove the defendant knew the access was illegal, only that he knowingly obtained the records. The consequence shows that individual liability is not theoretical.
A misconception is that only doctors get prosecuted. Prosecutions have reached clerical, records, and other non-clinical staff; the statute turns on knowing access or disclosure, not on job title.
Who Is Not Responsible for HIPAA Compliance?
Knowing who is outside HIPAA is as important as knowing who is inside.
Entities Outside the Definition
Life insurers, workers’ compensation carriers, most employers in their role as employers, schools covered by FERPA, law enforcement, and consumer fitness apps that sell directly to users are not covered by HIPAA. A 23andMe-style consumer DNA service is regulated by the FTC Health Breach Notification Rule, not HIPAA.
The consequence of this gap surprises consumers. When a period-tracking app leaks data, the user often has no HIPAA remedy and must look to the FTC Act Section 5 or state privacy laws like the California Consumer Privacy Act.
Picture Lena, who downloads a mental-health journaling app. The app sells her mood entries to advertisers. HIPAA does not apply because the app is not a covered entity or BA. Her recourse is through the FTC and state consumer protection law.
A common misconception is that “medical information equals HIPAA.” HIPAA only reaches PHI held by covered entities and business associates — the data, not the subject matter, triggers the rule.
Patients Themselves
Patients are never regulated by HIPAA. They can share, post, or publish their own health information freely. A patient who posts her own MRI on Instagram has not violated HIPAA.
The consequence is that providers cannot hide behind HIPAA to silence patient reviews. OCR has fined multiple dentists and doctors who posted PHI in replies to negative Yelp reviews, including a $10,000 settlement with Elite Dental Associates in 2019.
A misconception is that providers can “sue patients under HIPAA.” HIPAA has no private right of action; only OCR and state attorneys general under HITECH Section 13410(e) can enforce it.
Three Scenario Tables: Who Pays When It Goes Wrong
Scenario 1: Lost Laptop at a Billing Company
| What Happened | Who Is Responsible |
|---|---|
| Billing contractor’s unencrypted laptop stolen from car | Business associate pays OCR directly, covered entity may pay jointly if BAA was missing or weak |
| No risk analysis on file | Business associate cited under 45 CFR 164.308(a)(1) |
| Delay past 60 days in notifying the clinic | Business associate cited under 45 CFR 164.410 |
| Clinic failed to vet the vendor | Covered entity cited for inadequate due diligence |
Scenario 2: Nosy Employee at a Hospital
| What the Worker Did | What Follows |
|---|---|
| Accessed neighbor’s chart out of curiosity | Hospital pays OCR civil penalty |
| Shared screenshot in group text | Employee faces criminal charges under 42 U.S.C. 1320d-6 |
| Supervisor missed audit logs | Hospital cited for inadequate audit controls under 45 CFR 164.312(b) and information system activity review under 45 CFR 164.308(a)(1)(ii)(D) |
| Patient sues under state privacy tort | Hospital exposed to state-court damages |
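The “supervisor missed audit logs” row is where most snooping cases are lost or won, so here is what an audit-control review actually looks for. The block below is an added example written for this article, not a vendor’s or OCR’s code. The pipe-delimited log format, the user and patient identifiers, the care-team roster, and the rule that staff must use the patient portal rather than the EHR for their own chart are all constructed assumptions; real EHR audit exports differ, but the three checks (self-lookup, same-surname access, and out-of-unit access, each counted only when no treatment relationship is on file) are the standard ones.

```python
"""Snooping detection over EHR access-audit events (constructed example).

Implements three checks an audit-control review under 45 CFR 164.312(b)
commonly runs: self-lookup, same-surname access, and out-of-unit access,
each only counting as a finding when no treatment relationship is on file.
"""
from collections import namedtuple
from datetime import datetime

# Constructed audit-log format (hypothetical, not any vendor's schema):
# timestamp|user_id|user_surname|user_unit|patient_mrn|patient_surname|patient_unit|action
AUDIT_LINES = """\
2024-05-01T08:02:11|u1001|Nguyen|ER|MRN-55012|Ortiz|ER|VIEW
2024-05-01T08:04:55|u1001|Nguyen|ER|MRN-55019|Nguyen|ICU|VIEW
2024-05-01T09:10:03|u2044|Carter|BILLING|MRN-55012|Ortiz|ER|VIEW
2024-05-01T11:31:40|u3090|Patel|ICU|MRN-77001|Patel|ICU|VIEW
2024-05-01T12:00:07|u3090|Patel|ICU|MRN-55019|Nguyen|ICU|VIEW
2024-05-01T13:45:22|u1001|Nguyen|ER|MRN-90001|Brown|ONC|VIEW
"""

# Constructed reference data. In practice these come from the HR system
# (which workforce members are also patients) and from the care-team or
# encounter roster (who has a treatment, payment or operations reason to
# open a given chart).
WORKFORCE_MRN = {"u3090": "MRN-77001"}
CARE_TEAM = {
    "MRN-55012": {"u1001", "u2044"},   # ER nurse and billing clerk
    "MRN-55019": {"u3090"},            # ICU staff only
    "MRN-77001": {"u5555"},            # treated by someone else entirely
    "MRN-90001": {"u4711"},            # oncology staff only
}

Event = namedtuple(
    "Event", "ts user user_surname user_unit mrn patient_surname patient_unit action"
)


def parse_audit(text):
    """Parse pipe-delimited audit lines; malformed lines are skipped, not guessed."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        if len(parts) != 8:
            continue
        events.append(Event(datetime.fromisoformat(parts[0]), *parts[1:]))
    return events


def find_snooping(events, workforce_mrn=WORKFORCE_MRN, care_team=CARE_TEAM):
    """Return (user, mrn, reason) triples for accesses that warrant review.

    Check order matters: a self-lookup is reported as such even though it
    would also trip the same-surname rule.
    """
    findings = []
    for e in events:
        related = e.user in care_team.get(e.mrn, set())
        if workforce_mrn.get(e.user) == e.mrn:
            # Staff must use the patient portal for their own record (assumed policy).
            findings.append((e.user, e.mrn, "SELF_ACCESS"))
        elif not related and e.user_surname.casefold() == e.patient_surname.casefold():
            findings.append((e.user, e.mrn, "SAME_SURNAME_NO_RELATIONSHIP"))
        elif not related and e.user_unit != e.patient_unit:
            findings.append((e.user, e.mrn, "OUT_OF_UNIT_NO_RELATIONSHIP"))
    return findings


def users_with_findings(findings):
    """Map user id -> number of flagged accesses, for the supervisor's review queue."""
    counts = {}
    for user, _mrn, _reason in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for user, mrn, reason in find_snooping(parse_audit(AUDIT_LINES)):
        print(f"{user} opened {mrn}: {reason}")
```

On the constructed log this flags the ER nurse opening a same-surname ICU chart, the ICU staffer opening her own record, and the same ER nurse opening an oncology chart with no care-team entry; the billing clerk’s access to an ER patient is not flagged because billing is on that patient’s roster. Note that every one of these checks depends on the user column identifying one person. A shared login, the practice the Don’ts section warns against, makes the whole review meaningless.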
Scenario 3: Cloud Vendor With No BAA
| The Setup | The Outcome |
|---|---|
| Clinic uploads records to generic cloud folder | Clinic cited for impermissible disclosure |
| Vendor has a “HIPAA-ready” marketing page but no signed BAA | Vendor is still a business associate by function; clinic is in violation of 45 CFR 164.502(e) for disclosing PHI without a BAA, and vendor is in violation for operating without one |
| Breach occurs at the vendor | Both are exposed: clinic for the impermissible disclosure and poor vendor diligence, vendor for its own Security Rule failures; the missing contract shields neither |
| State AG sues under state law | Clinic faces second enforcement action |
Mistakes to Avoid When Assigning HIPAA Responsibility
HIPAA errors cluster in predictable places. Avoiding these saves money, licenses, and reputations.
- Assuming cash-pay means no HIPAA. If you ever submit one electronic transaction, the entire practice is covered. The consequence is that your paper files must also meet the Privacy Rule.
- Skipping the BAA. A missing BAA is a per-se violation under 45 CFR 164.502(e). OCR has fined multiple providers six figures for this alone.
- Confusing “HIPAA-compliant software” with compliance. Software is a tool, not a compliance program. The consequence of relying on vendor marketing is a Security Rule citation for missing risk analysis.
- Forgetting subcontractor BAAs. BAs must sign BAAs with their own subcontractors. The consequence is direct OCR liability up the chain.
- Treating workforce training as one-and-done. 45 CFR 164.530(b) requires ongoing training. The consequence of stale training is a willful-neglect finding.
- Ignoring state law overlays. Texas HB 300 reaches anyone who “comes into possession” of PHI — broader than HIPAA. The consequence is dual enforcement by the Texas AG.
- Posting to social media in response to reviews. OCR has repeatedly fined providers for this. The consequence is public-facing enforcement that damages reputation.
- Using personal email or texting for PHI. Personal accounts and SMS sit outside your access controls, audit logs, and transmission-security measures under 45 CFR 164.312, and a lost phone with unencrypted PHI on it is a presumptive breach that triggers the notification analysis.
- Skipping the regular risk analysis. OCR’s risk analysis guidance makes it the cornerstone of the Security Rule, and a missing or outdated risk analysis is the finding OCR cites most often; it weighs heavily toward a willful-neglect determination.
- Assuming encryption alone solves everything. Encryption is a safe harbor for breach notification, not for the Privacy Rule. The consequence is that access controls, audit logs, and BAAs still apply.
Do’s and Don’ts for HIPAA Responsibility
Do’s
- Do conduct an annual enterprise-wide risk analysis because 45 CFR 164.308(a)(1)(ii)(A) requires it and OCR checks it first in every investigation.
- Do sign BAAs before any PHI moves because unsigned relationships create automatic violations with no defense available.
- Do train every new hire within a reasonable time, and retrain when policies change, because the Privacy Rule at 45 CFR 164.530(b) demands it and human error is behind a large share of reported breaches.
- Do encrypt ePHI at rest and in transit because encryption triggers the breach safe harbor and limits notification obligations.
- Do appoint a Privacy Officer and a Security Officer because 45 CFR 164.530(a) and 45 CFR 164.308(a)(2) require named individuals with authority.
Don’ts
- Don’t share login credentials because shared passwords destroy audit trails and create Security Rule violations across the board.
- Don’t respond to online reviews with PHI because OCR treats this as an impermissible disclosure, not as a permitted “business operation.”
- Don’t discard paper PHI in regular trash because improper disposal is a Privacy Rule violation under 45 CFR 164.530(c).
- Don’t email PHI to personal accounts because those accounts sit outside the entity’s safeguards, access controls, and audit logs, and they create immediate breach exposure.
- Don’t assume a “small practice” exemption exists because HIPAA applies equally to a solo chiropractor and a national hospital chain.
Pros and Cons of a Formal HIPAA Compliance Program
Pros
- Reduced OCR penalty exposure because demonstrated “reasonable diligence” can drop penalties to the lowest tier of $141 to $71,162 per violation under the 2024 inflation adjustments.
- Faster breach response because documented incident-response plans cut the 60-day notification clock risk.
- Higher patient trust and referral volume because visible compliance signals professional competence.
- Easier vendor onboarding because a clean BAA template and risk-assessment toolkit shortens sales cycles for BAs.
- Strong defense in state AG actions because HIPAA compliance often satisfies parallel state law duties under CMIA and similar statutes.
Cons
- Upfront cost and staff time because risk analyses, policies, and training take real hours that small practices feel acutely.
- Ongoing documentation burden because every policy needs review and retention for six years under 45 CFR 164.530(j).
- Technology investment because encryption, MFA, and audit-log tools cost money that small vendors resist.
- Culture resistance because workforce members view training as overhead rather than protection.
- Over-compliance risk because overly strict policies can block permitted treatment, payment, and operations disclosures and slow patient care.
Key Enforcement Rulings and Settlements to Know
OCR publishes its major resolutions on the enforcement highlights page. A few cases define modern HIPAA responsibility.
Anthem, Inc. — $16 Million (2018)
The Anthem settlement remains the largest HIPAA resolution. Hackers obtained 78.8 million records after a phishing attack. OCR cited failures in risk analysis, information system activity review, and minimum-necessary access controls.
The consequence sent a signal to every health plan: cyber hygiene is a Security Rule duty, not an IT department afterthought. A misconception is that “we got hacked, not breached” — OCR rejects that framing when safeguards were missing.
Advocate Health Care — $5.55 Million (2016)
The Advocate settlement arose from three breaches, including stolen laptops. OCR emphasized physical safeguards under 45 CFR 164.310.
The consequence for providers is that physical safeguards follow the device: a laptop or workstation holding ePHI is covered wherever it sits, not only inside the building. Leaving an unencrypted laptop in a car for a weekend is a textbook Security Rule violation.
Ciox Health, LLC v. Azar (D.D.C. 2020)
In Ciox Health v. Azar, a federal court vacated part of HHS’s 2016 access guidance and part of the 2013 Omnibus Rule. The ruling confined the “third-party directive” (a patient’s instruction to send records to someone else) to ePHI in an electronic health record, as the HITECH statute provides, and held that the patient-rate fee cap does not apply to records sent to third parties under such a directive.
The consequence is that record custodians may charge their usual rates when a patient directs records to a third party such as a law firm, but the reasonable, cost-based fee limit at 45 CFR 164.524(c)(4) still binds when the patient requests copies for herself.
State Law Overlays That Expand Responsibility
HIPAA sets a floor, not a ceiling. States may — and often do — go further.
Texas HB 300
Texas law at Texas Health & Safety Code Chapter 181 extends PHI duties to any “covered entity” that assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI. That is broader than HIPAA and reaches many businesses HIPAA misses.
The consequence is that a Texas cloud vendor without a BAA may still face state penalties up to $1.5 million per year. Think of Raj, a Dallas app developer building a symptom-checker. HIPAA may not apply to him, but HB 300 does.
A misconception is that federal law preempts state law here. HIPAA preempts only less-strict state laws; HB 300 is stricter and survives.
California CMIA
The California Confidentiality of Medical Information Act creates a private right of action. Patients can sue directly for $1,000 nominal damages plus actual damages.
The consequence is that California breaches generate class actions that federal law alone would not allow, since HIPAA has no private right of action; CMIA suits routinely follow large California breaches and scale with the number of affected patients.
A misconception is that the CCPA replaces CMIA. It does not. Both apply, and both create separate obligations for California providers.
How Responsibility Flows in a Real Vendor Stack
Imagine a 20-bed rural hospital using a cloud EHR, which uses an offshore transcription service, which uses an offsite storage vendor for its encrypted backups. HIPAA creates four responsible parties: the hospital (covered entity), the EHR vendor (BA), the transcription service (subcontractor BA), and the storage vendor (subcontractor BA).
Each party must sign a BAA with the party above. Each must complete its own risk analysis. Each must train its workforce. Each business associate must notify the party above it without unreasonable delay, and no later than 60 days after discovering a breach, under 45 CFR 164.410; a BA is treated as having discovered the breach on the first day it is known to any of its workforce or agents, so the clock does not wait for an internal escalation.
The consequence of any break in the chain is that OCR names the party at the break and the party that failed to vet it. The hospital cannot say “our vendor’s vendor did it” as a defense.
A misconception is that contracts alone protect upstream parties. Contracts shift risk, but OCR enforces against the actual regulated entity regardless of indemnification language.
Penalty Tiers: What Noncompliance Actually Costs
OCR uses four culpability tiers set by the HITECH Act and adjusted annually for inflation. The 2024 inflation-adjusted amounts below are the current reference point. Under a 2019 Notice of Enforcement Discretion, OCR applies lower annual caps to the first three tiers ($25,000, $100,000, and $250,000 before inflation adjustment); only Tier 4 keeps the full statutory cap.
- Tier 1 — No Knowledge: $141 to $71,162 per violation, statutory annual cap $2,134,831.
- Tier 2 — Reasonable Cause: $1,424 to $71,162 per violation, statutory annual cap $2,134,831.
- Tier 3 — Willful Neglect, Corrected: $14,232 to $71,162 per violation, statutory annual cap $2,134,831.
- Tier 4 — Willful Neglect, Not Corrected: $71,162 to $2,134,831 per violation, annual cap $2,134,831.
The consequence of tier creep is severe. A single missing BAA across 100 patients can be counted as 100 violations, not one. Picture Sam, a solo therapist who emailed records without encryption to 150 patients over a year. At Tier 2 that is 150 violations at $1,424 to $71,162 each, or roughly $213,600 to $10.7 million in theoretical exposure before any annual cap, even though OCR settles for far less in practice.
A misconception is that “I meant well” zeroes out the penalty. Intent moves the tier; it does not remove liability.
The Individual Rights Side of Responsibility
Covered entities owe duties directly to patients beyond safeguarding data. These sit in 45 CFR 164.524 through 164.528.
Patients have the right to access their records within 30 days, amend inaccurate records, receive an accounting of disclosures, request restrictions, and request confidential communications. The consequence of ignoring an access request is OCR’s Right of Access Initiative, which has produced more than 45 settlements since 2019, many in the $15,000 to $240,000 range.
Consider Mia, who requests her own pediatric records from a clinic that closed. The successor custodian still owes her the access right. Failure to deliver within 30 days plus one 30-day extension is a per-se violation.
A misconception is that providers may refuse access because of unpaid bills. They may not. OCR’s access guidance makes clear that an outstanding balance is not a ground for denial; the only charge permitted is the reasonable, cost-based copying fee at 45 CFR 164.524(c)(4), which covers the copies, not the underlying care.
FAQs
Is the patient ever responsible for HIPAA compliance?
No. HIPAA regulates covered entities, business associates, and their workforces. Patients may share their own information however they wish and face no HIPAA duty of any kind.
Does HIPAA apply to every employer that offers health insurance?
No. Most employers are not covered entities. The group health plan itself is covered, but the employer in its role as employer is outside HIPAA. An employer that administers the plan itself receives PHI only under the plan-sponsor conditions at 45 CFR 164.504(f), which require amended plan documents and a firewall between plan PHI and employment decisions.
Are small medical practices exempt from HIPAA?
No. HIPAA has no small-business exemption. A solo dentist who bills electronically carries the same Privacy and Security Rule duties as a major hospital system, scaled to reasonableness.
Can a patient sue a provider directly under HIPAA?
No. HIPAA has no private right of action. Patients may file complaints with OCR, and state attorneys general may sue under HITECH, but individuals cannot sue under the federal statute alone.
Is a cloud provider automatically a HIPAA business associate?
No. A cloud vendor that creates, receives, maintains, or transmits ePHI on behalf of a covered entity is a business associate by function, with or without a BAA; OCR’s cloud guidance says so even when the data is encrypted and the vendor holds no key. The BAA is still required: using the vendor without one is a violation by the covered entity, and the vendor remains liable for its own safeguards. A “HIPAA-eligible” service label satisfies neither obligation.
Does HIPAA cover genetic testing companies like 23andMe?
No. Direct-to-consumer genetic companies are generally not covered entities. They fall under the FTC Health Breach Notification Rule and state laws instead.
Can a workforce member go to prison for a HIPAA violation?
Yes. Under 42 U.S.C. 1320d-6, knowing disclosure can bring up to one year, five years for false pretenses, and ten years for personal gain or malicious harm.
Are schools required to follow HIPAA for student health records?
No. School records generally fall under FERPA, not HIPAA. Only a school-based clinic that bills insurance electronically may pull itself into HIPAA coverage.
Must a business associate do its own risk analysis?
Yes. Since the 2013 Omnibus Rule, every business associate must complete and document its own enterprise-wide risk analysis under 45 CFR 164.308(a)(1).
Does encryption remove all HIPAA responsibility?
No. Encryption creates a breach-notification safe harbor but does not replace Privacy Rule duties, access controls, BAA requirements, workforce training, or patient rights obligations.
Can a provider post about a patient on social media if no name is used?
No. Details like dates, conditions, or photos can re-identify patients. OCR treats such posts as impermissible disclosures unless the patient gives written HIPAA authorization.
Are law firms handling medical records business associates?
Yes. A law firm representing a covered entity in matters involving PHI is a business associate and must sign a BAA and comply with the Security Rule for any ePHI it holds.