
I see a bit of confusion in this thread about what HIPAA applies to and where. I ran a HealthTech company a few years back. We spent extensive time working with lawyers to understand our obligations under HIPAA. While we always held ourselves to the same standard as a covered entity, our product/service was not technically obligated to follow HIPAA. I was shocked by this, and we got several differing legal opinions that all said the same.

Put simply, HIPAA is enforced on healthcare providers via their relationship with insurance companies. And, in turn, via those insurance companies' relationship with the government.

For example, a cash-only clinic is not required to be HIPAA compliant. They do not process "transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard." [0]. Therefore, they are not a covered entity and not bound by HIPAA.

In fact, there are a lot of loopholes that HIPAA doesn't apply to. For most of your healthcare, it doesn't matter. It's far easier for most hospitals/doctors just to treat everything as though it's HIPAA compliant. All of their systems are already compliant, so they don't benefit from the loopholes.

Things get weird with "direct-to-consumer" health providers. Particularly, the cash-only (or credit card) providers. They aren't covered entities, so they are not bound by HIPAA. They are bound by general privacy law, but not by HIPAA.

tldr: HIPAA is far less limited in reach than most people think.

0 - https://www.hhs.gov/hipaa/for-professionals/covered-entities...
