Q: Who is subject to HIPAA?
A: An employer’s first inquiry under the privacy rules is determining whether it is a covered entity. Only covered entities are regulated by the rules. The rules identify three covered entities: health plans; health care providers that conduct electronic transactions; and health care clearinghouses. Employers are not listed; however, most employers are still captured by the rules. Employers that maintain a health plan for their employees as defined by the rules are plan sponsors and are, therefore, regulated by HIPAA. As a plan sponsor, the employer assumes the plan’s obligations.