Any person or organization that stores or transmits individually identifiable health information electronically is considered a “covered entity” and is required by law to comply with HIPAA. For example, if you submit claims electronically or make referrals or obtain authorizations by sending e-mail messages that contain individually identifiable health information, you are a covered entity.
If your practice is paper-based, don’t automatically assume you’re exempt from the regulation. For example, if you submit hard copies of claims to your billing company and it transmits them electronically to payers, the HIPAA rule applies to you.
If you aren’t a covered entity, the law does not apply to you directly. However, you will feel its impact if you deal with any physician or organization that is a covered entity. For example, a covered entity may ask you to sign a business associate agreement to provide assurance that you will safeguard any individually identifiable health information to the same extent it does.