The Privacy Rule applies to health plans, health care clearinghouses, and any health care provider who electronically transmits health information in connection with certain transactions, which include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which DHHS has established standards under the HIPAA Transactions Rule.
It is important to note that many research organizations that handle individually identifiable health information will not have to comply with the Privacy Rule because they are not considered covered entities. The Privacy Rule will not directly regulate researchers who are engaged in research within such organizations even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or create and/or maintain health information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule. However, researchers may rely on covered entities for research support or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, as it will affect their relationships with covered entities.