HIPAA applies to organizations that have electronic health records.

HIPAA is about protecting protected health information (PHI) and applies to entities that create, receive, maintain, or transmit PHI, not just to those that use electronic health records. Having an electronic health record is one way PHI is stored or accessed, but HIPAA covers PHI in any form—electronic, paper, or spoken—and it applies to covered entities and their business associates. So an organization could have no EHR and still be subject to HIPAA if it handles PHI, and conversely, merely possessing an EHR doesn’t automatically place an organization under HIPAA if they don’t meet the covered entity or business associate criteria. In practice, a clinic with paper charts must protect PHI under HIPAA, and a technology vendor that stores PHI for a covered entity is a business associate and must follow HIPAA safeguards. Jurisdiction isn’t the determinant—HIPAA is federal law that governs PHI handling nationwide, regardless of local rules.