(a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to the following entities:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
(b) Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.
(c) To the extent required under the Social Security Act, 42 U.S.C. 1320a–7c(a)(5), nothing in this subchapter shall be construed to diminish the authority of any Inspector General, including such authority as provided in the Inspector General Act of 1978, as amended (5 U.S.C. App.).
[65 FR 82798, Dec. 28, 2000, as amended at 67 FR 53266, Aug. 14, 2002]
Make sure you are Omnibus Rule Compliant: HIPAA Privacy Checklist.