Many organizations outside the healthcare sector mistakenly believe that HIPAA does not apply to them. In reality, HIPAA’s compliance requirements extend beyond traditional healthcare companies and their vendors. If your organization manages its own employee health plan, for example, it is considered a covered entity under HIPAA, regardless of your industry or primary business focus.
Understanding HIPAA Compliance
HIPAA, the Health Insurance Portability and Accountability Act, is a US federal law enacted in 1996 that establishes standards for protecting individually identifiable health information, known as protected health information (PHI). Compliance is enforced by the HHS Office for Civil Rights (OCR), which investigates breach reports, conducts compliance reviews, and has the authority to impose civil monetary penalties. Penalties are tiered by the level of culpability, ranging from situations in which the organization was unaware of the violation to cases of willful neglect. OCR can also require organizations to enter into resolution agreements and corrective action plans, which typically run for two years and require the organization to implement specific controls under HHS oversight.
Who Must Comply with HIPAA?
HIPAA applies to three categories of organizations:
Covered entities, which include health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. A self-insured employer that administers its own health plan is a covered entity.
Business associates, which are vendors, contractors, or service providers that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity. Examples include IT vendors, billing companies, cloud storage providers, and law firms that handle PHI-related matters.
Subcontractors of business associates: Any third parties hired by business associates who handle PHI are also subject to HIPAA requirements.
The definition of "covered entity" is particularly important for organizations outside the healthcare sector. Employers that self-administer their employee health plans often fall under HIPAA without realizing it. These employers face the same compliance requirements as traditional health insurers, including conducting risk analyses, implementing security controls, and following breach notification rules.
Why HIPAA Is Often Overlooked in Risk Assessments
In organizations with established enterprise risk management programs, HIPAA compliance is usually identified and monitored as a key regulatory requirement. However, gaps most often appear in two situations:
First, in large or complex organizations, the Chief Information Security Officer (CISO) or the information risk team may lack complete visibility across all business units or subsidiaries. For example, benefits administration may reside within HR, with minimal interaction with the security team.
Second, in organizations that lack a centralized enterprise risk management function, risk assessments are often conducted in departmental silos. Regulatory requirements may be determined informally, increasing the likelihood that HIPAA will be overlooked.
If those involved in the risk assessment process are unaware that the organization self-administers its health plan, HIPAA compliance is unlikely to be considered or addressed.
A Real-World Example: When Non-Healthcare Companies Face HIPAA Penalties
In January 2026, the HHS Office for Civil Rights (OCR) announced a resolution agreement with SG Health Plan, the employee benefits plan for Star Group, L.P., an energy distribution company based in the United States. Although Star Group's primary business is delivering heating oil and propane, it became subject to HIPAA because it self-administers its employee health plan, making it a covered entity.
In October 2021, Star Group experienced a ransomware attack that impacted 9,316 health plan members. OCR’s investigation found the company had never conducted a HIPAA-compliant risk analysis. As a result, Star Group agreed to a $245,000 settlement and must now comply with a two-year corrective action plan. This plan includes conducting a comprehensive risk analysis, developing a risk management plan, updating relevant policies and procedures, and providing workforce training.
Although the breach occurred in 2021, the resolution agreement was not finalized until January 2026.
Key Questions to Improve Your Risk Assessment
If you are responsible for information risk in an organization outside the healthcare sector, it is important to include the following questions in your risk assessment process:
Does the organization self-administer its employee health plan? If so, it is likely considered a covered entity under HIPAA.
Do any vendors, contractors, or service providers handle employee health information on the organization’s behalf? If so, those relationships may require business associate agreements and impose HIPAA obligations.
Does the organization maintain a current and comprehensive inventory of regulatory obligations? If this inventory does not exist or has not been updated recently, establishing or reviewing it is essential for compliance.
By addressing these questions, you can help ensure your organization does not overlook potential HIPAA exposure and remains in compliance with all applicable regulations.
Monitoring HIPAA-Related Incidents in VenariX
VenariX monitors incidents across all sectors and tags those involving confirmed or suspected PHI exposure with a HIPAA alert. The tag applies to covered entities, business associates, and their subcontractors, not just healthcare organizations.
In VenariX, you can:
See current incidents with potential or confirmed HIPAA implications.
Receive email notifications when a new HIPAA-related incident is added to the platform.
If you want to see how we track this, sign up for a VenariX account at https://app.venarix.com/signup.