For Covered Entities

The Privacy and Security Rules apply only to covered entities. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule.

A Covered Entity is one of the following:

A Health Care Provider

A Health Plan

A Health Care Clearinghouse

This includes providers such as:

Doctors
Clinics
Psychologists
Dentists
Chiropractors
Nursing Homes
Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

This includes:

Health insurance companies
HMOs
Company health plans
Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Are You a Covered Entity?
View an easy-to-use question and answer decision tool.

	Guidance Materials for Small Providers, Small Health Plans, and other Small Businesses
	View materials about the Privacy Rule for small providers, small health plans and other small businesses.

Guidance Materials for Covered Entities

Summary of the Privacy Rule-This is a summary of the key elements of the Privacy Rule, including who is covered, what information is protected, and how covered entities can use and disclose protected health information.

Guidance on Significant Aspects of the Privacy Rule-A collection of documents explaining many provisions of the Privacy Rule including business associates, special topics such as disclosures for public health and research, and incidental uses and disclosures.

Guidance on How to Comply with the Security Rule-A collection of documents explaining how the Department expects covered entities to achieve substantial compliance with the Security Rule.

Fast Facts for Covered Entities-Answers to many common questions and misconceptions about patient consent, incidental disclosures, child abuse reporting, electronic media, and other disclosures.

Provider Guide: Communicating With a Patient's Family, Friends, or Other Persons Identified by the Patient-This is a guide for health care providers to help them determine when they can disclose a patient's health information to the patient's family, friends, or other identified by the patient.

Guidance on the Application of FERPA and HIPAA to Student Health Records-This guide addresses school administrators, health care professionals, and others interested in how these two laws apply to student health records.
Frequently Asked Questions About Family Medical History Information-These frequently asked questions and answers address how the Privacy Rule permits the use and disclosure of family medical history information.
Sample Business Associate Contract-This sample contract provides covered entities with sample language to help them comply with the business associate requirements of the Privacy Rule.

Misleading Marketing Claims-This notice addresses marketing claims that suggest compliance programs may be endorsed by HHS. HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as Privacy Rule compliant.

Sign Up for the OCR Privacy Listserv-OCR has established a listserv to inform the public about Privacy and Security Rule FAQs, guidance, and technical assistance materials as they are released.