
Who Has to Follow HIPAA? (Hint: It’s More Than Just Doctors)
If you think HIPAA is only something doctors need to worry about, you’re not alone — but you’d be wrong. The Health Insurance Portability and Accountability Act (HIPAA) applies to a much broader group of people and businesses than most realize. Whether you run a dental practice, manage IT systems, or help with billing, HIPAA might legally require you to protect sensitive health information.
What HIPAA Actually Regulates
At its core, HIPAA is about protecting patient data — specifically, Protected Health Information (PHI). This includes anything that can identify a patient (name, date of birth, address, etc.) when combined with health-related details like diagnoses, treatments, prescriptions, or insurance information.
If your business touches that kind of information — even for a moment — you’re probably subject to HIPAA.
The Two Categories That Must Comply
1. Covered Entities
These are the organizations HIPAA was originally written for. Covered Entities include:
- Healthcare providers who bill electronically: dentists, orthodontists, physicians, psychologists, chiropractors, clinics, pharmacies, hospitals, nursing homes — basically anyone providing care and submitting insurance claims or handling billing electronically.
- Health plans: insurance companies, HMOs, employer-sponsored health plans, Medicare/Medicaid.
- Healthcare clearinghouses: backend services that translate billing data between different systems.
If you’re a dental office or healthcare provider, you are definitely a Covered Entity under HIPAA.
2. Business Associates
This is where most people get surprised. Business Associates are any vendors, contractors, or service providers who handle PHI on behalf of a Covered Entity.
That means HIPAA compliance is required for:
- IT providers and cybersecurity firms
- Billing companies and payment processors
- Cloud storage providers
- Email/fax service providers
- Practice management software vendors
- Lawyers, accountants, and consultants with access to PHI
- Document shredding and disposal companies
If you see, store, transmit, or touch PHI — even briefly — you need to sign a Business Associate Agreement (BAA) and follow HIPAA’s rules for data security and breach reporting.
Why This Matters (Even If You’re “Just a Vendor”)
HIPAA violations can result in fines of up to $1.5 million per year, per violation category, even for small businesses. And since 2013’s HITECH Act expansion, Business Associates can be held just as liable as Covered Entities.
Being “just the IT guy” or “just the cloud service” won’t protect you from penalties if you mishandle patient data.
The Bottom Line
If you’re:
- A dental or healthcare provider of any kind
- A business that helps those providers manage data, software, or operations
- An employee or contractor with any access to patient info
Then HIPAA likely applies to you, and ignoring it is a risk you can’t afford to take.