"[i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and
"[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."
The entity list above (health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse) includes a wide variety of different organizations that require HIPAA compliance on their site or HIPAA-compliant portal. This compliance is intimately related to a company's website or online/mobile application, and security should be top-of-mind for these professionals.