October 02, 2025

HIPAA Applicability - Understanding the Security, Breach Notification, and Privacy Rules

Written by Chris Camejo

This post is intended to help organizations understand how the Health Insurance Portability and Accountability Act (HIPAA) Security, Breach Notification, and Privacy Rules apply to them, either directly as a Covered Entity or via their relationship with another organization as a Business Associate. Applicability of the Administrative Rule is also covered due to its overlap with the Security, Breach Notification, and Privacy Rules.

Many organizations misunderstand what qualifies as a Covered Entity or Business Associate, as well as the definition of Protected Health Information (PHI), including Electronic Protected Health Information (ePHI), under HIPAA. These terms are narrower than most organizations believe them to be, and this leads to misunderstandings about whom the HIPAA Rules apply to and how.

This post is part of a series that explains all of the terms related to HIPAA applicability. Organizations may want to confirm whether they meet the definition of a Covered Entity or Business Associate, and check their understanding of the definition of PHI, before reviewing this applicability information:

TrustedSec has years of experience helping organizations meet HIPAA security and privacy compliance requirements. Please get in touch with us for any questions on this topic or if your organization needs assistance with its HIPAA Compliance program.

Basic Applicability

Once an organization determines whether it is a Covered Entity and/or a Business Associate, it can work out how the HIPAA Rules apply to it. This table gives an overview of the purpose and applicability of each HIPAA Rule; the applicability of each rule is covered in more detail later in this post:

| Rule | Purpose | Applicability |
| --- | --- | --- |
| Administrative | Standardization of health identifiers, code sets, and formats for electronic data exchanges | Applies uniformly to Covered Entities transmitting Covered Transactions. Only applies to Business Associates conducting Covered Transactions on behalf of Covered Entities. |
| Security | Protection of ePHI from unauthorized access | Applies uniformly to all Covered Entities and Business Associates handling ePHI. |
| Breach Notification | Notification of breaches affecting PHI | Applies to both Covered Entities and Business Associates handling PHI. Business Associates are only responsible for notifying Covered Entities of breaches, and Covered Entities are responsible for all other required breach notifications. |
| Privacy | Restricting when and how PHI can be shared and enumerating the rights of individuals with regard to their PHI | Applies to both Covered Entities and Business Associates handling PHI. Applicability to Covered Entities and/or Business Associates is identified on a clause-by-clause basis throughout the requirements. |

Enforcement and Certification

HIPAA and its HITECH amendment are U.S. Federal laws supported by various regulations. HIPAA operates like nearly all other laws and regulations: its requirements are expected to be followed, and violations can result in penalties.

HIPAA is enforced by the Department of Health and Human Services (HHS). Penalties are documented in the HIPAA regulations at 45 Code of Federal Regulations (CFR) 160.404(b) and range from $100 to $50,000 per violation based on:

  • Whether the violation was due to a reasonable cause or willful neglect
  • Whether the violation was corrected within 30 days of discovery (or when it should have been discovered with reasonable diligence as determined by HHS)

Identical violations within a calendar year can result in fines of up to $1,500,000.

TrustedSec often receives inquiries about HIPAA certification. This conversation is often complicated by the existence of the HITRUST certification program, which has long been heavily marketed in the health care sector and has a name confusingly similar to HIPAA and HITECH. There is no certification process described in HIPAA, HITECH, or their supporting regulations, and therefore no official certification program exists. Certification, using HITRUST or any other framework, does not automatically mean an organization is HIPAA compliant and does not offer protection against enforcement actions.

See our post, HIPAA, HITECH, and HITRUST - It’s HI Time to Make Sense of it All, for more details on the relationship between HIPAA, HITECH, and HITRUST, and why HITRUST is not a reliable indicator of HIPAA compliance.

Rule-by-Rule Applicability Details

To start at the top, Title 45 Subchapter C, which contains the regulations supporting HIPAA Title II, has three parts that define the following:

| Part | Name | Description |
| --- | --- | --- |
| 45 CFR 160 | General Administrative Requirements | Contains the applicability, definitions, investigatory process, penalties, etc. for the entire subchapter |
| 45 CFR 162 | Administrative Requirements | Requirements for unique identifiers and standardized electronic transactions |
| 45 CFR 164 | Security and Privacy | Security, breach notification, and privacy requirements |

The applicability of all of Subchapter C is defined in 45 CFR 160.102, which tells us that these requirements apply to:

  • Covered Entities “except as otherwise provided”
  • Business Associates “where provided”

This means:

  • We should consider every requirement in this subchapter to be applicable to Covered Entities unless a specific requirement or clause tells us otherwise.
  • We only need to apply requirements to Business Associates if a requirement or clause explicitly tells us to do so.

The Administrative, Security, Breach Notification, and Privacy Rules each contain their own Applicability sections that build on this concept with more detailed information, as described below.

Readers who followed the link above to the Applicability section of Subchapter C may have noticed that it does not actually contain the words “covered entity”. This is because the Applicability section uses the exact same terms as the definition of Covered Entity in 45 CFR 160.103.

Administrative Rule Applicability

The Administrative Rule in 45 CFR Part 162 contains its own Applicability section at 45 CFR 162.100 that tells us that Covered Entities must comply with the requirements of this rule by using the standardized health identifiers, code sets, and formats to transmit Covered Transactions.

The Administrative Rule does not directly apply to Business Associates; instead, it applies indirectly in two ways:

  • A Covered Entity may use a Business Associate to conduct Covered Transactions, but if it does so, the Business Associate and its subcontractors must be required to comply with the Administrative Rule as well (45 CFR 162.923(c)).
  • When a covered health care provider uses Business Associates to conduct transactions on its behalf, the Business Associate must use the provider’s National Provider Identifier (NPI) (45 CFR 162.410(a)(5)).

This table shows simplified definitions for each Covered Transaction type with references to the source within the HIPAA regulations:

| Transmission Contents | Transmitter(s) | Receiver(s) | Covered Transaction Type | Reference |
| --- | --- | --- | --- | --- |
| A request to obtain payment, and the necessary accompanying information for health care | Health care provider | Health plan | Health care claims or equivalent encounter information | 45 CFR 162.1101(a) |
| If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care | Health care provider | Health plan | Health care claims or equivalent encounter information | 45 CFR 162.1101(b) |
| An inquiry to obtain any of the following information about a benefit plan for an enrollee: eligibility to receive health care under the health plan; coverage of health care under the health plan; benefits associated with the benefit plan | Health care provider or health plan | Health plan | Eligibility for a health plan | 45 CFR 162.1201(a) |
| A response to an inquiry described above | Health plan | Health care provider or health plan | Eligibility for a health plan | 45 CFR 162.1201(b) |
| A request for the review of health care to obtain an authorization for the health care | Health care provider | Health plan | Referral certification and authorization | 45 CFR 162.1301(a) |
| A request to obtain authorization for referring an individual to another health care provider | Health care provider | Health plan | Referral certification and authorization | 45 CFR 162.1301(b) |
| A response to either of the requests described above | Health plan | Health care provider | Referral certification and authorization | 45 CFR 162.1301(c) |
| An inquiry to determine the status of a health care claim | Health care provider | Health plan | Health care claim status | 45 CFR 162.1401(a) |
| A response about the status of a health care claim | Health plan | Health care provider | Health care claim status | 45 CFR 162.1401(b) |
| Subscriber enrollment information to establish or terminate insurance coverage | The sponsor of the insurance coverage, benefits, or policy | Health plan | Enrollment and disenrollment in a health plan | 45 CFR 162.1501 |
| Any of the following: payment; information about the transfer of funds; payment processing information | Health plan | Health care provider | Health care electronic funds transfers (EFTs) and remittance advice | 45 CFR 162.1601(a) |
| Any of the following: explanation of benefits; remittance advice | Health plan | Health care provider | Health care electronic funds transfers (EFTs) and remittance advice | 45 CFR 162.1601(b) |
| Any of the following: payment; information about the transfer of funds; detailed remittance information about individuals for whom premiums are being paid; payment processing information to transmit health care premium payments, including payroll deductions, other group premium payments, and associated group premium payment information | The entity that is arranging for the provision of health care or is providing health care coverage payments for an individual | Health plan | Health plan premium payments | 45 CFR 162.1701 |
| For the purpose of determining the relative payment responsibilities of the health plan, either of the following for health care: claims; payment information | Any entity | Health plan | Coordination of benefits | 45 CFR 162.1801 |

Security Rule Applicability

The Security Rule in 45 CFR Part 164 Subpart C contains its own Applicability section at 45 CFR 164.302 that tells us:

  • Covered Entities and Business Associates must apply the requirements of the Security Rule (the “except as otherwise provided” and “where provided” language from the subchapter Applicability section is omitted).
  • The Security Rule specifically applies to a Covered Entity’s ePHI and therefore does not apply to PHI in non-electronic media.

With the exception of the clauses related to contracts and agreements between Covered Entities and Business Associates in 45 CFR 164.314, each of the Security Rule requirements also starts with “A covered entity or business associate must…”, making it clear that these requirements apply to both types of organizations. The clauses related to contracts and agreements contain additional details to clarify which terms need to be in which agreements.

There is some nuance to the definition of electronic media, upon which the definition of ePHI is based. See the blog post in this series on the definition of PHI for more details about the exceptions in the definition of ePHI.

Breach Notification Rule Applicability

The Breach Notification Rule in 45 CFR Part 164 Subpart D also contains its own Applicability section at 45 CFR 164.400, but this does not describe applicability to Covered Entities or Business Associates. (It just tells us that it applies to all breaches of PHI.) We must look to the individual requirements within the Breach Notification Rule to understand applicability.

The clauses about making breach notifications to individuals (45 CFR 164.404), the media (45 CFR 164.406), and HHS (45 CFR 164.408) do not apply to Business Associates because they all start with “A Covered Entity shall…” and make no mention of Business Associates.

Business Associates are required by 45 CFR 164.410 to notify the Covered Entity of a breach of the Covered Entity's PHI. Effectively, this means a Business Associate is responsible for notifying a Covered Entity of a breach, and the Covered Entity is in turn required to notify individuals, the media, and HHS as described above.

These clauses all refer to PHI, so they apply to both electronic and non-electronic PHI.

Privacy Rule Applicability

The Privacy Rule in 45 CFR Part 164 Subpart E also contains its own Applicability section at 45 CFR 164.500. This subpart reverts to the applicability language used for all of Subchapter C and 45 CFR Part 164, indicating that Covered Entities must comply “except as otherwise provided” and Business Associates must comply “where provided”. This also tells us that the Privacy Rule only applies with respect to a Covered Entity’s PHI.

Section 45 CFR 164.500(b) applies some of the Privacy Rule requirements to health care clearinghouses that only handle PHI as a Business Associate, but health care clearinghouses that handle PHI in any capacity other than a Business Associate must still comply with all of the otherwise applicable privacy requirements.

Individual requirements and clauses within the Privacy Rule indicate whether they apply to Covered Entities or Business Associates. Some clauses begin with “Covered Entity:” or “Business Associate:” while others contain more nuanced applicability information in their text. When implementing the Privacy Rule, it is important to closely examine each clause to determine applicability.

These clauses all refer to PHI, so they apply to both electronic and non-electronic PHI.