
Does HIPAA Apply to Everyone? Who’s Actually Covered (and Who Isn’t)

UPDATED ON: May 06, 2026

Most behavioral health practitioners assume HIPAA covers them automatically the day their license is approved. That isn’t how the law works. Does HIPAA apply to everyone? No. It applies to specific roles handling specific information, not to every clinician with a license or every record in a chart.

The question matters more in 2026 than it did five years ago. Telehealth vendors, AI scribes, and tighter 42 CFR Part 2 enforcement (full compliance was required by February 2026)1 have pulled HIPAA applicability back to the top of every practice owner’s desk. We’ll walk through who counts as a covered entity, which vendors qualify as business associates, who’s exempt, and the behavioral health wrinkle that trips up therapists and SUD programs alike.

So who does HIPAA apply to?

HIPAA covered entities fall into three buckets: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically for covered transactions like eligibility checks, claims, and authorizations.2 For most behavioral health practices, the trigger is that last category.

Here’s the practical version. A solo LCSW running cash-only with paper charts and no insurance billing is technically not a HIPAA covered entity. The same LCSW becomes one the day they start submitting electronic claims to Medicaid, whether they send those claims directly or through a billing service or clearinghouse.3 Licensure and HIPAA aren’t the same thing.

That doesn’t mean cash-only practices can skip confidentiality. State licensing boards usually impose duties that are stricter than HIPAA anyway, and ethics codes from NASW, the APA, and AAMFT carry their own weight. “I’m not a covered entity” is a technical fact, not a free pass.

Group practices with prescribers, therapists, and an in-house biller are almost always covered. If you submit even one claim electronically, you’ve crossed the line. Who does HIPAA apply to in real life? Just about every practice doing modern billing.

Business associates: the vendors most practices forget about

A business associate is any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity.2 Each one needs a written Business Associate Agreement (BAA) before any PHI changes hands.

The list of HIPAA business associates inside a typical behavioral health practice is longer than people expect. Billing companies. IT and MSP providers. Cloud storage. Transcription services. AI scribes. Secure messaging tools. The EHR vendor itself.

The 2024–2026 wave of AI documentation tools has made this question a lot more common. Plenty of vendors market themselves as “HIPAA compliant” without offering a signed BAA. That marketing claim isn’t a BAA, and a missing BAA is a HIPAA violation the moment PHI starts flowing.4

One scenario we see often: a few independent therapists share an office and a part-time admin who handles intake calls and scheduling. There’s no formal legal entity tying them together. Unless the admin is on a therapist’s payroll as a workforce member under that therapist’s direct control, the admin is a business associate of each therapist, and each therapist needs a BAA in place with them.5 Informal arrangements don’t get an informal compliance pass.

At PIMSY, we sign BAAs with our customers and bring our integration partners (DrFirst, Twilio, Jitsi, Waystar, and the rest) under the same coverage so practices aren’t chasing paper from every direction.

Who does HIPAA NOT apply to? (the exemptions)

HIPAA exemptions cover more ground than people realize. Entities that aren’t providers, plans, or clearinghouses, and aren’t acting as a business associate, simply aren’t covered. That list includes most employers, life insurance carriers when they’re not acting as health plans, schools (whose student health records fall under FERPA instead), law enforcement agencies, and financial institutions doing standard banking.6

Some information also isn’t PHI at all. Education records under FERPA. Employment records held by an employer in its employer role. De-identified health data. And anything a patient voluntarily shares about themselves outside a covered relationship, like posting their own diagnosis on Reddit.

Group health plans with fewer than 50 participants that the employer administers itself are excluded from the definition of a health plan too.6

One practical caveat for behavioral health: “not covered by HIPAA” doesn’t mean “free to share.” When a school IEP team asks for therapy records, the school’s handling of those records is FERPA, but your handling of the same information at the practice is still HIPAA-governed. State law, ethics rules, and 42 CFR Part 2 often fill the gap where HIPAA stops.

The behavioral health wrinkle: 42 CFR Part 2 and psychotherapy notes

If your practice holds itself out as providing substance use disorder diagnosis, treatment, or referral and is federally assisted, 42 CFR Part 2 sits on top of HIPAA. Federal assistance is broad: Medicare or Medicaid participation, tax-exempt status, or a DEA registration each count. The February 2024 Final Rule aligned Part 2 more closely with HIPAA but kept stricter consent requirements, especially for SUD counseling notes.1 Full compliance was required by February 2026.

Psychotherapy notes get their own protection tier under HIPAA. They are a clinician’s notes documenting or analyzing a counseling session, kept separate from the rest of the chart (notes filed in the general record don’t qualify), and almost every disclosure requires a specific authorization that can’t be bundled with a general one.7 Worth knowing what doesn’t qualify: progress notes, treatment plans, diagnoses, medication prescribing and monitoring, session start and stop times, treatment modality and frequency, and clinical test results are NOT psychotherapy notes. Those live in the regular record.

The implication for software is uncomfortable for a lot of practices. Your EHR has to actually segment psychotherapy notes and Part 2 records. Many general-purpose EHRs treat all clinical notes as one bucket, leaving you a click away from an unauthorized disclosure during a routine records release.
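As an added illustration of what that segmentation looks like in a release path (example code written for this article, not PIMSY’s code and not any EHR’s actual release logic), here is a small release-of-information gate in Python. The record categories, the three authorization flags, the notice wording, and the sample chart are all constructed for the example. The point it makes beyond the paragraph above: the gate fails closed, so a record nobody ever categorized is withheld rather than swept into a routine release.

```python
"""Release-of-information gate that keeps psychotherapy notes and
42 CFR Part 2 records out of a routine records release unless the
matching authorization is on file.

Added illustration, not PIMSY code or any EHR's actual logic. The
categories, authorization flags, notice wording and sample chart are
constructed for this example."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Category(Enum):
    STANDARD = "standard"                       # progress notes, plans, diagnoses, test results
    PSYCHOTHERAPY_NOTE = "psychotherapy_note"   # clinician's separately kept session notes
    PART2 = "part2"                             # SUD records from a federally assisted program


@dataclass(frozen=True)
class Record:
    record_id: str
    category: Optional[Category]   # None models an untagged record (e.g. a legacy import)
    summary: str


@dataclass
class ReleaseRequest:
    recipient: str
    hipaa_authorization: bool = False          # general authorization for the regular chart
    psychotherapy_authorization: bool = False  # separate authorization just for psychotherapy notes
    part2_consent: bool = False                # Part 2 written consent naming this recipient


# Which authorization unlocks which category. A category missing from this
# map (including None for untagged records) is withheld: the gate fails closed.
REQUIRED_AUTHORIZATION = {
    Category.STANDARD: "hipaa_authorization",
    Category.PSYCHOTHERAPY_NOTE: "psychotherapy_authorization",
    Category.PART2: "part2_consent",
}

# Paraphrase of the Part 2 redisclosure notice, not the regulatory text.
PART2_NOTICE = ("Records subject to 42 CFR Part 2: further disclosure "
                "requires the patient's written consent.")


def evaluate_release(chart: list, request: ReleaseRequest) -> dict:
    """Split a chart into released and withheld records for one request."""
    released, withheld = [], []
    for rec in chart:
        needed = REQUIRED_AUTHORIZATION.get(rec.category)
        if needed is None:
            withheld.append((rec.record_id, "untagged record: classify before release"))
        elif getattr(request, needed):
            released.append(rec)
        else:
            withheld.append((rec.record_id,
                             f"{rec.category.value} requires {needed}"))
    notices = [PART2_NOTICE] if any(r.category is Category.PART2 for r in released) else []
    return {
        "recipient": request.recipient,
        "released": [r.record_id for r in released],
        "withheld": withheld,
        "notices": notices,
    }


# Constructed sample chart for a single patient.
SAMPLE_CHART = [
    Record("R1", Category.STANDARD, "Progress note, 2026-03-02 session"),
    Record("R2", Category.STANDARD, "Treatment plan and diagnosis"),
    Record("R3", Category.PSYCHOTHERAPY_NOTE, "Clinician's private session analysis"),
    Record("R4", Category.PART2, "SUD intake and counseling record"),
    Record("R5", None, "Note imported from a legacy system, never categorized"),
]


if __name__ == "__main__":
    # A routine request backed only by a general HIPAA authorization:
    # the regular chart goes out, everything else stays behind.
    result = evaluate_release(
        SAMPLE_CHART, ReleaseRequest("school IEP team", hipaa_authorization=True))
    print("released:", result["released"])
    for record_id, reason in result["withheld"]:
        print(f"withheld {record_id}: {reason}")
```

The design choice worth copying is the lookup table: release eligibility is decided by the record’s category and the authorization on file, never by which screen the user happened to be on. Adding a new sensitive class means adding one row, and a record that was never categorized is treated as the most sensitive class rather than the least.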

PIMSY was built for HIPAA and 42 CFR Part 2 from day one, which is unusual in the behavioral health EHR market. Psychotherapy notes can be segmented from the standard chart so a release-of-information request doesn’t accidentally hand over notes that needed their own consent.

So how do you actually know if HIPAA applies to your practice?

Three quick questions:

  1. Do you transmit health information electronically for a covered transaction (claims, eligibility, authorizations)?
  2. Do you handle PHI on behalf of someone who does?
  3. Do you treat SUD patients, or do your clinicians keep psychotherapy notes?

A yes to question 1 or 2 puts you inside HIPAA. A yes to question 3 means that once you’re inside, you also carry the Part 2 or psychotherapy-note obligations on top. The honest answer for most behavioral health practices is yes on at least two. The real question isn’t whether HIPAA applies. It’s how cleanly your workflows and your EHR handle the obligations that come with it.

A short to-do list if you haven’t audited recently: pull your full vendor list and check for missing BAAs, confirm psychotherapy notes are segmented from the rest of the chart, and confirm your SUD records follow Part 2 consent rules under the updated Final Rule.

Conclusion: HIPAA doesn’t apply to everyone, but it probably applies to you

HIPAA is narrower than most people think, and broader than most practices treat it. Does HIPAA apply to everyone? No. But behavioral health practices almost always fall inside it, and once you add Part 2 and psychotherapy notes, the bar goes up further.

The work isn’t memorizing the statute. It’s setting up your workflows and your vendors so compliance is the default, not a quarterly fire drill. PIMSY was built specifically for behavioral health, with HIPAA and 42 CFR Part 2 baked in from the start. If you’re auditing your current setup and want a second set of eyes on it, we’re happy to walk through how we handle it.

Sources

1 Fact Sheet: 42 CFR Part 2 Final Rule — HHS.gov

2 Covered Entities and Business Associates — HHS.gov

3 Who Does HIPAA Apply To? — HIPAA Journal

4 The HIPAA Trap (Part 2): Are You Actually a Business Associate? — Bryan Cave Leighton Paisner

5 HIPAA for Therapists — HIPAA Journal

6 HIPAA Exceptions — HIPAA Journal

7 The HIPAA Privacy Rule: Frequently Asked Questions — APA Services

Author: Nathan Boyd