DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses what constitutes a covered entity under the HIPAA law and regulations.
What are Covered Entities?
Under the HIPAA Privacy Rule, "covered entities" are obligated to safeguard protected health information (PHI) from unauthorized and impermissible uses and disclosures.
There are three types of covered entities:
1. Health plans.
2. Healthcare clearinghouses.
3. Healthcare providers that electronically transmit health information in connection with a HIPAA-covered transaction.
Health plans
Health plans may include:
- Individual and group plans that provide or pay the cost of medical care (e.g., health, dental, vision, and prescription drug insurers)
- Health Maintenance Organizations (HMOs)
- Medicare, Medicaid, and Medicare supplement insurers
- Long-term care insurers
- Employer-sponsored group health plans
- Government and church-sponsored plans
- Multi-employer health plans
Healthcare Clearinghouses
A healthcare clearinghouse is a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:
1. Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; OR
2. Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Healthcare Providers
Healthcare providers include providers of medical or health services, and any other person or organization that furnishes, bills, or is paid for healthcare. Examples of healthcare providers include:
- Doctors
- Clinics
- Psychologists
- Dentists
- Chiropractors
- Nursing homes
- Pharmacies
To qualify as a covered entity, a healthcare provider must transmit health information in connection with a HIPAA-covered transaction, and the transmission must be in electronic form. These transactions ("covered transactions") involve the transmission of information between two parties to carry out financial or administrative activities related to health care.
HIPAA-covered transactions include the following types of information transmissions:
- Health claims or equivalent encounter information
- Health care payment and remittance advice
- Transmissions related to coordination of benefits
- Health care claim status transmissions
- Transmissions regarding enrollment and disenrollment in a health plan
- Transmissions related to eligibility for a health plan
- Health plan premium payments
- Referral certification and authorization
If an Entity is Not A Covered Entity, Does That Mean the Entity is a Business Associate?
Not necessarily. To be a "covered entity" under HIPAA, an entity must meet the definition of "covered entity" discussed above. If an entity does not meet that definition, it is not a business associate by default. Rather, to meet the definition of "business associate," the entity must meet the specific requirements for business associate status: performing a specific, legally defined service for or on behalf of a covered entity that involves the creation, receipt, maintenance, or transmission of PHI. It is possible for an entity to be neither a covered entity nor a business associate. Such entities are not subject to the HIPAA regulations.
What About Entities That Perform Covered Entity Functions and Business Associate Functions?
Some entities perform both covered entity functions (such as a healthcare provider that engages in one or more HIPAA-covered transactions) and business associate functions (for example, a hospital that offers services to another healthcare provider that involve handling PHI, such as data analysis or claims processing). Entities that perform both covered entity and business associate functions are not "hybrid entities," as HIPAA defines that term. A hybrid entity is a different kind of entity: one that performs HIPAA-regulated functions and also performs functions unregulated by HIPAA (think of a grocery store with a pharmacy department; the pharmacy function is a HIPAA function, while the grocery business is not). An entity that performs both covered entity and business associate functions must, with respect to its covered entity functions, comply with the HIPAA Privacy Rule and the HIPAA Security Rule. With respect to its business associate functions, the entity must comply with the Security Rule and with those portions of the Privacy Rule it is obligated to comply with under the terms of its business associate agreements.