I frequently get this question from clients and the answer ultimately comes down to whether or not your business is a covered entity, a business associate, or neither. The only business entities that have a responsibility to maintain HIPAA compliance are covered entities which are defined as follows:
“(1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.”
The only other organization that needs to worry about HIPAA is a business associate, which is defined as, “A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
If you are neither of those then you do not have to worry about HIPAA compliance because it does not apply to you. There may be state laws about protecting sensitive information that you may be required to follow, however. Sensitive information can include personally identifiable information like drivers license photos or credit card numbers and those do need to be protected in some way, but the lengths you have to go to protect it and the consequences of a breach really vary by state.
Look up your state’s information privacy laws to find out more specifically.