HIPAA classifies those who must comply into three groups:
Covered entities – Healthcare organizations that handle ePHI. They include most health plans, healthcare clearinghouses, and healthcare providers.
Business associates – Service providers who receive, create, maintain, or transmit ePHI for a covered entity. Examples include services for medical transcription, insurance processing, and network management. Subcontractors of business associates who handle ePHI are also subject to the rules.
Workforce – All employees, volunteers, and trainees of a covered entity or business associate. This includes anyone who is under the “direct control” of the organization, whether or not they are paid.