Do I need to be HIPAA Compliant?

We frequently get this question from clients.

The answer ultimately comes down to whether or not your business is a covered entity, a business associate, or neither.

The only business entities that have a responsibility to maintain HIPAA compliance are covered entities which are defined as follows:

  1. Health plans;
  2. Health care clearinghouses;
  3. Health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

The only other organization that needs to worry about HIPAA is a business associate, which is defined as:

“A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

If you are neither of those then you do not have to worry about HIPAA compliance because it does not apply to you. However, there may be state laws about protecting sensitive information that you may be required to follow.

Sensitive information can include personally identifiable information such as driver's license photos or credit card numbers. Such data does need to be protected in some way, but the lengths you have to go to in order to protect it, and the consequences of a breach, vary considerably by state. Research your state's information privacy laws for further details.

Are you still unsure if you need to be HIPAA compliant?

Give us a ring at (503) 389-5666! We’re here to help compliance feel like a walk through a breezy savanna. You can also email us at