DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
HIPAA Classification Guide: Covered Entities and Business Associates
HIPAA regulates two groups:
Covered entities
Business associates
Covered entities include:
1. Health plans.
2. Healthcare clearinghouses.
3. Healthcare providers that transmit health information in electronic form, in connection with a HIPAA-covered transaction.
Health plans
Health plans may include:
Individual and group plans that provide or pay the cost of medical care (i.e., health, dental, vision, and prescription drug insurers)
Health Maintenance Organizations (HMOs)
Medicare, Medicaid, and Medicare supplement insurers
Long-term care insurers
Employer-sponsored group health plans
Government and church-sponsored plans
Multi-employer health plans
NOTE: If an insurance company has separate business lines, only one of which is a health plan, HIPAA applies to the health plan business line.
Healthcare Clearinghouses
A healthcare clearinghouse is a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; OR
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Healthcare Providers
Healthcare providers include providers of medical or health services, and any other person or organization that furnishes, bills, or is paid for healthcare. Examples of healthcare providers include:
Doctors
Clinics
Psychologists
Dentists
Chiropractors
Nursing homes
Pharmacies
To be a covered entity, a healthcare provider must transmit health information in connection with a HIPAA-covered transaction. The transmission must be in electronic form.
“HIPAA-covered transactions” are:
Information transmissions between a provider and another entity, to carry out financial or administrative activities related to health care.
HIPAA-covered transactions include electronic information transmissions regarding:
1. Health claims or equivalent encounter information.
The health care claims or equivalent encounter information transaction includes either of the following:
- A request to obtain payment, and the necessary accompanying information from a health care provider to a health plan, for health care.
- The transmission of encounter information for the purpose of reporting health care, if there is no direct claim.
2. Health care payment and remittance advice.
The health care payment and remittance advice transaction is the transmission of either:
- Payment, with information about the transfer of funds and payment processing from a health plan to a health care provider’s financial institution; or
- Explanation of benefits or remittance advice from a health plan to a health care provider.
3. Transmissions related to coordination of benefits
The coordination of benefits transaction is the transmission from any entity to a health plan for the purpose of determining the relative payment responsibilities of a health plan for health care claims or payment information.
4. Health care claim status transmissions.
A health care claim status transaction is used for:
- An inquiry from a provider to a health plan to determine the status of a health care claim.
- A response from the health plan to a provider about the status of a health care claim.
5. Transmissions regarding enrollment and disenrollment in a health plan
The enrollment/disenrollment transaction is the transmission of subscriber enrollment information from the sponsor of the insurance coverage, benefits, or policy to a health plan to establish or terminate insurance coverage. It may be used in coordination with health plans for:
- New enrollments
- Changes in a member’s enrollment
- Reinstatement of a member’s enrollment
- Disenrollment of members (i.e., termination of plan membership)
The enrollment/disenrollment transaction can include a periodic full update of a health plan sponsor’s health plan enrollees, or it can reflect a change to existing enrollment with modification instructions for certain enrollees.
6. Transmissions related to eligibility for a health plan.
The eligibility/benefit inquiry transaction is used to obtain information about a benefit plan for an enrollee, including information on eligibility and coverage under the health plan. This inquiry can be sent from a health care provider to a health plan, or from one health plan to another. The eligibility benefit/response transaction is used by health plans to respond to a healthcare provider’s (or another health plan’s) inquiry about an enrollee’s eligibility and coverage.
7. Health plan premium payments.
The health plan premium payment transaction is used to initiate the transfer of payment for health insurance premiums and to provide health plans with information about the transfer of funds, remittance details for individuals for whom premiums are being paid, and payment processing information (e.g., for payroll deductions).
8. Referral certification and authorization.
The referral certification and authorization transaction is any of the following:
- A request from a health care provider to a health plan to obtain an authorization of health care
- A request from a health care provider to a health plan to obtain authorization for referring an individual to another health care provider
- A response from a health plan to a health care provider about authorization and referral requests
Health care claims and equivalent encounter information.
Enrollment and disenrollment in a health plan
Health care payment and remittance advice
Health plan premium payments
Healthcare claim status requests and responses
Referral certification and authorization
Eligibility inquiry and response
Coordination of benefits
Generally, a “cash only” business that does not work or communicate with Medicare or Medicaid or private insurers, and that is “cash only” (patients pay it directly) does not engage in HIPAA-covered transactions.
If a healthcare provider does not transmit information relating to these activities, IT IS NOT A COVERED ENTITY. THIS DOES NOT AUTOMATICALLY MEAN THAT IT IS A BUSINESS ASSOCIATE, though.
If an organization has determined that it or another organization is not a covered entity, the organization must then make a separate determination of whether it or the other organization is a business associate.
What is a Business Associate?
HIPAA defines a business associate as a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the creation, transmission, maintenance, or receipt of PHI. Business associates may use or disclose a covered entity’s PHI, but only in accordance with the HIPAA regulations. These regulations require that a covered entity and business associate enter into an agreement (business associate agreement) in which the BA agrees to safeguard PHI that it accesses.
Business associate functions and activities include: Claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.
Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial services.
Classification tips for Business Associates:
Persons and organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information.
Also, an organization that uses or discloses PHI for its own purposes, and not on behalf of, a covered entity, is not a business associate. To be a business associate, an entity must:
Perform business associate functions and activities on behalf of a covered entity, or
Perform business associate services on behalf of a covered entity.
What is a Business Associate Subcontractor?
A business associate subcontractor performs functions and activities, or performs business associate services, on behalf of another business associate. Business associate subcontractors must safeguard the PHI of business associates whose PHI these subcontractors access.
If an entity does not meet the definition of a business associate, it is not a business associate. If an entity does not meet the definition of a business associate subcontractor, it is not a business associate. Not being a business associate does not automatically mean that an entity is a covered entity, though.
If an organization has determined that it or some other entity is not a business associate, the organization must then make a separate determination of whether the entity is a covered entity. If the entity is neither a covered entity nor a business associate, the entity is not regulated by HIPAA.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article