by fhsm 843 days ago
> … providers fall into the Covered Entity category …

If a doctor etc. is a Covered Entity then that doctor is most likely a Provider, but is every doctor providing healthcare really a CE?

I wouldn’t have said no but I don’t track it ultra closely so I’m curious what’s the latest? My first three results matched my expectation but they could easily be out of date…

https://www.epatientdave.com/2020/02/03/hipaa-you-arent-a-co...

https://www.stevenslee.com/health-law-observer-blog/is-a-cas...

https://www.americares.org/wp-content/uploads/globalassets/_...

Anyway, re the parent, my fourth result uses a therapist as the example of uncovered providers, which would have been my guess.

https://www.consumerreports.org/health/health-privacy/guess-...

1 comment

Yup! Not every provider is classified as a Covered Entity and not every healthcare business is classified as a Business Associate. It's where the nuances of HIPAA law come into play.

For example, you could be a medical app that processes pages and pages of medical data from an individual, but if you're not doing it on behalf of a Covered Entity, then you won't be subject to HIPAA.

In cases like these, as well as certain therapist examples and other scenarios described in the final article you provided, HIPAA is not applicable. It's still good practice to have proper security measures in place, since there could be other governing bodies regulating you (e.g. the FTC, https://www.ftc.gov/news-events/news/press-releases/2018/10/...), but you're not regulated under HIPAA.