Is your sensitive data at risk? Request a free scan to learn more.


Download free DLP for AI whitepaper


  • While non-covered entities aren’t subject to HIPAA regulations, the law now requires these entities to ensure the products or services they use don’t compromise patient privacy.
  • This means that non-covered entities need to be careful about the suppliers they work with, including cloud software providers like Slack, Google, and Box. 
  • Cloud apps are often a hot spot for sensitive data leakage, which can lead to compliance violations. 
  • Protecting patient health data (PHI) in cloud apps requires specialist tools like cloud-based data loss prevention (DLP). 

HIPAA data governance extends beyond doctors and healthcare providers to most entities providing services in the healthcare area. Understanding the role and responsibilities of the service providers is essential. The American Medical Association (AMA) now requires non-HIPAA-covered entities to protect sensitive Patient Health Information (PHI) they collect.

In this third blog of our HIPAA blog series, we take a closer look at what non-covered entities must know regarding protecting PHI.

What is HIPAA?

HIPAA is an acronym for Health Insurance Portability and Accountability Act. Enacted in 1996, this federal law safeguards the privacy rights of individuals in the United States against the disclosure and individually identifiable PHI.

HIPAA protects PHI such as:

  • Diagnosis and treatment information
  • Prescription information
  • Medical test results
  • Billing information

With that out of the way, the next question becomes;

What is a covered and non-covered entity?

To understand HIPAA rules for covered and non-covered entities, it is crucial to first distinguish between the two.

Covered entities

These entities are subject to HIPAA privacy regulations. There are three categories of covered entities under HIPAA as outlined below:

Healthcare provides

These get paid to offer healthcare. They include pharmacies, doctors, hospitals, dentists, and urgent care clinics, to mention but a few.

Health plans

These pay the cost of medical care. They include government-funded health plans such as Medicaid and Medicare, employer-sponsored group health plans, HMOs, health insurance companies, and more.

Healthcare clearinghouses

These process data for transmission in a standard format between covered entities.

Clearinghouses act as the link between healthcare providers and health plans. However, due to their function, they rarely handle patients directly.

For instance, a clearinghouse can take info from a doctor and convert it into a coded format for insurance purposes.

Free HIPAA Employee Training & Quiz

HIPAA Employee Training

Non-covered entities

Non-covered entities are not subject to HIPAA regulations. Examples include:

  • Health social media apps.
  • Wearables such as FitBit.
  • Personal Health Record (PHR) vendors.
  • Personal record storage such as exercise and calories intake log.
  • Providers who don’t have any records in electronic forms, such as some counselors.

While not-covered entities aren’t subject to HIPAA regulations, the law requires that they ensure the products or services they use don’t compromise patient privacy.

Are business associates covered entities?

Business associates create, receive, maintain and transmit PHI on behalf of a covered entity or another association acting as a subcontractor. See 45 CFR § 160.103 for the definition of a business associate.

Associates often provide services that don’t involve patient interaction. However, an associate may act on behalf of an organization that gives Personal Health Record (PHR) to individuals on behalf of covered entities.

It is this interaction that makes business associates “covered entities”.

For example, suppose an associate uses a device or app to carry out a business function involving handling PHI for a covered entity. In that case, the associate becomes subject to HIPAA privacy and security rules regarding the app and device.

In a nutshell, business associates must protect PHI they handle when offering services to covered entities.

How HIPAA affects covered entities

HIPAA penalties for covered entities

Covered entities must implement appropriate structures and policies to ensure that they comply with the Security Rule requirements. 

The law requires a covered entity’s written security policies and procedures for at least six years since their initial creation date.

In addition, the entity must review and update these policies periodically in response to the organization and environmental changes affecting the security of electronic Protected Health Information (ePHI).

It is worth noting that HIPAA compliance is crucial for covered entities.

The consequences of HIPAA violations can be dire and crippling. Non-compliance can attract penalties ranging from $100 to 50,000 per violation with a maximum penalty of up to $1.5 per year.

Also, violations can result in jail time for the culprits.

How can non-covered entities secure SaaS products to ensure HIPAA compliance?

Even as a non-covered entity, you must ensure 3rd party SaaS products you’re using abide by the Security Rule.

Typically, HIPAA-compliant SaaS products offer technical, administrative, and physical safeguards against unauthorized leaks.

Administrative safeguards

These ensure admins and developers with access to ePHI are responsible for the data. Further, this implies training employees about the legal and ethical requirements of their roles.

Physical safeguards

These prevent data breaches by limiting persons with access to facilities and devices that carry ePHI. They include workstation management and having access control policies.

Technical safeguards

These deal with software and technologies used to protect ePHI.

The National Institute of Standards and Technology requires ePHI encryption to ensure sensitive patient data is undecipherable. Technical safeguards include integrity, access, and audit controls.

Unfortunately, not all SaaS products used by non-covered entities meet these standards. Therefore, you must practice due diligence when to avoid HIPAA, not compliance, which takes us to our next topic.

How to send HIPAA compliant emails and document sharing

With the right solution, you can share sensitive information and remain HIPAA compliant at the same time.

Polymer’s data governance and data loss prevention (DLP) solution for 3rd party SaaS apps allow you to keep the patient’s data secure while meeting HIPAA compliance standards even if you’re a non-covered identity.

The solution installs in a few clicks and is customizable as per your organization’s requirements.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.


Get Polymer blog posts delivered to your inbox.