Do you know your compliance responsibilities under the Health Insurance Portability and Accountability Act (HIPAA)? Understanding whether organizations qualify as HIPAA-covered entities is the first step in the compliance journey. This article explains what covered entities are and what they need to do to ensure HIPAA compliance.
HIPAA Covered Entity definition
A HIPAA Covered Entity is an organization or individual that handles or stores electronic Protected Health Information (ePHI). ePHI includes confidential information that discloses a patient’s identity. The Health Insurance Portability and Accountability Act (HIPAA) defines what counts as ePHI. It sets out rules about how to protect this data. Covered Entities must follow all sections of HIPAA, including:
- The Privacy Rule, which requires the Covered Entity to protect patient privacy.
- The Security Rule, which requires the Covered Entity (CE) to secure patient records. The CE must protect health records against data breaches and cyber-attacks.
- The Breach Notification Rule, which requires organizations to inform patients and regulators about breaches of PHI.
Organizations must know whether they occupy the correct regulatory category. Failure to comply leads to significant fines and reputational damage. Deliberate disclosure of PHI can also result in criminal penalties.
Understanding whether a company qualifies as a Covered Entity can be challenging. Not all organizations involved in healthcare are Covered Entities. Some hybrid organizations also need partial compliance strategies.
This article will explain who qualifies as a Covered Entity. It will describe the status of healthcare providers and insurers. We will look at organizations that do not fall into the category and explain how Covered Entities differ from Business Associates.
Who qualifies as a HIPAA Covered Entity?
HIPAA defines three main categories of Covered Entities. These categories include healthcare providers, clearinghouses, and health plans.
- Healthcare providers. Providers deal with patients. They provide patient services to diagnose, support, or treat health conditions. This category can include large organizations like hospitals. However, providers can be as small as an individual physician.
- Healthcare clearinghouses. Clearinghouses move data between insurers, patients, and providers. Their role is to assess claims and support insurers when billing policyholders.
- Health plans. Plans are organizations that pay the medical costs of policyholders. This category includes a variety of organization types. It covers individual and group insurers. Plans that pay medical fees in full and those providing partial coverage are also Covered Entities.
Compliance requirements of Covered Entities
Critical responsibilities of a HIPAA Covered Entity include:
- Ensuring patient privacy. A Covered Entity cannot disclose PHI without written consent. It must protect confidential health data from unauthorized access and disclosure.
- Empowering patients. A CE must give patients the right to access their health data and enable them to request changes.
- Securing data. A CE must apply security controls to protect ePHI and build systems that cut data breach risks and neutralize cyber-attacks.
- Ensuring portability. A CE must apply data processing standards that allow seamless exchange with other Covered Entities and make it easier for patients to change their health plans.
- Meeting compliance obligations. A CE must report data breaches to the Department of Health and Human Services (HHS), as the Breach Notification Rule requires. CEs must also follow rulings of the Office for Civil Rights (OCR).
- Managing risks. A CE must assess compliance risks linked to HIPAA, audit systems for security and privacy violations, and document changes to provide evidence of compliance.
Healthcare providers as Covered Entities
Covered Entities under HIPAA in the provider category include:
- General physicians
- Hospitals
- Clinics that handle treatment and diagnostics
- Dentists
- Osteopaths
- Physiotherapists
- Chiropractors
- Podiatrists
- Nursing and residential homes
- Psychiatrists
- Opticians
- Dieticians and nutritionists
A pharmacist usually qualifies as a HIPAA Covered Entity. However, pharmacies are only covered by HIPAA if they handle PHI. Over-the-counter or general eCommerce merchants may not need a compliance plan.
Why providers are defined as HIPAA Covered Entities
Providers have a close relationship with patients. There are many reasons why providers need a comprehensive strategy to protect PHI.
- Providers keep detailed records about the patient’s identity, condition, and treatment. This information is valuable for external attackers. However, providers often have to share PHI internally and with third parties.
- Providers use many clinical professionals, administrators, and technical specialists. This range of individuals potentially exposes PHI to insider threats. Compliance violations at providers often result from unauthorized access. Protecting patient confidentiality is a critical HIPAA compliance challenge for providers.
- Providers also store ePHI on cloud platforms or local networks. Insecure ePHI storage exposes health information to cyber-attackers. Providers need a compliance strategy to mitigate the risk of data breaches.
Health plans as Covered Entities
Health plan vendors and managers must comply with HIPAA. Covered Entities in the health plan categories include:
- Traditional health insurance companies
- Health Maintenance Organizations (HMOs)
- Preferred Provider Organizations (PPOs)
- Providers of corporate health plans
- Medicaid and Medicare
- Other government health plans, such as TRICARE for veterans
Not every form of insurance coverage falls under HIPAA. Life insurance companies are not generally subject to HIPAA regulations. Employer health plans and worker compensation packages also do not fall under HIPAA.
Healthcare clearinghouses
Healthcare clearinghouses usually qualify as HIPAA Covered Entities, for two main reasons.
Clearinghouses send healthcare data to health insurers and providers. They generally deal with claims data related to billing and treatment. They must follow HIPAA rules to secure information during processing and transmission.
Clearinghouses also standardize health information. Most clearinghouses have adopted standards in HIPAA legislation. Standardization makes it easier for patients to switch insurers. Deviating from these standards often results in compliance penalties.
What is a non-Covered Entity under HIPAA?
The categories above capture many healthcare organizations in the United States. However, not every health-related company or body is a HIPAA Covered Entity. Many organizations fall into the non-Covered Entity category.
Non-Covered Entities support healthcare providers. They send or store patient health data. But they are not clearinghouses or health insurance providers. Examples include:
- Fitness apps and devices like Fitbit or Peloton
- Digital health data platforms like Zus Health
- Companies that sell Personal Health Records (PHR)
To be HIPAA compliant, non-Covered Entities must follow the Security Rule and the HIPAA Breach Notification Rule. However, they are not covered by the HIPAA Privacy Rule. This exemption limits their HIPAA compliance requirements.
Business Associates and Covered Entities
Business Associates are the most common form of non-Covered Entity under HIPAA. A Business Associate generally partners with a HIPAA Covered Entity. They perform tasks or provide services to organizations that handle PHI. For example, Business Associates include:
- Companies that provide accounting support for hospitals or clinics
- Financial services companies that support electronic transactions
- Management consultants carrying out work for a Covered Entity
- Independent transcription services supporting physicians
- Attorneys providing legal services for health plans
These roles may allow individuals to access Protected Health Information, which creates various HIPAA compliance issues. Supply chain attacks are a good example. Attacks on Business Associates can lead to upstream data breaches. Poor security at third parties compromises medical databases at healthcare services.
Business Associate Agreements
The Department of Health and Human Services passed the Omnibus Rule in 2013. This rule sought to improve third-party security in the healthcare sector. It also tightened restrictions on the partners used by healthcare providers.
The Omnibus Rule requires a Covered Entity to sign Business Associate Agreements (BAAs). BAAs apply to all third parties used by Covered Entities.
A Business Associate Agreement enforces compliance with HIPAA regulations. Under these agreements, Business Associates must meet the standards of a Covered Entity.
A Business Associate may also sub-contract operational duties to downstream third parties. Compliant sub-contractors must sign a separate Business Associate Agreement. This extra agreement protects PHI at all stages of the supply chain.
Hybrid entities
Some organizations combine the functions of a Covered Entity and a Business Associate. HIPAA defines these organizations as hybrid entities.
Only some components of hybrid entities fall under HIPAA regulations. These components need strict privacy and security controls. Other aspects of the organization are less tightly regulated.
Determining what to treat as HIPAA-regulated is a challenging compliance task. But it enables organizations to cut their compliance costs while meeting HIPAA obligations.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.