HIPAA applies to “covered entities” which include health care practitioners, health plans and health care clearing houses. Since 2013, HIPAA also directly applies to the “Business Associates” of “covered entities.”
One of the most misunderstood concepts relate to practitioner use of paper versus electronic records. Practitioners who do not use electronic patient records often declare themselves free of HIPAA requirements. Even if true, other laws would impose the same standards that HIPAA imposes so it is often a foolish excercise.
First, avoiding electronic health records is not the same as avoiding the regulatory definition that would require a practitioner to avoid “certain transactions in electonic form. The term is broadly defined to include electronic billing, electronic verification of health plan coverage, benefit and eligibility questions, and other electronic communications about treatment and payment for care.
Here is an HHS chart to help you decide if you are a covered entity.
If the practitioner has engaged in any covered electronic transactions then the rules apply to both paper and electronic records.
Other state, federal, and local laws govern health information privacy and would apply even in the absence of a HIPAA standard.