The term “HIPAA Covered Entity” was not actually included in the initial Healthcare Insurance Portability and Accountability Act when it was originally formulated in August 1996. The term first came to light during the HHR´s proposed HIPAA Privacy Rule when the Rule was made available for public comments in November 1999 and subsequently published after changes had been made during December 2000.
The HIPAA Privacy Rule grew from the “Administrative Simplification Rule” of the original legislation. This Rule stated that the Secretary of the Department of Health & Human Services must develop a group of national standards for the protection of certain health details. These standards classified what health information was to be protected and who was responsible for safeguarding it – Covered Entities.
HIPAA Covered Entity Definition
When first reviewing it, the HIPAA Covered Entity definition appears basic. The Privacy Rule defines a Covered HIPAA Entity as any health plan or any healthcare clearinghouse, or any healthcare provider who shares Protected Health Information (or PHI as per the standards developed by the Department of Health & Human Services) in an electronic format.
However, looking more closely at the HIPAA Covered Entity definition uncovers a few gray areas. For example insurance companies providing workers´ compensation are not regarded as health plans, despite the fact they will be sent personally identifiable information – usually thought to be protected – in currently settling workers´ compensation claims.
A further area of uncertainty is evident in relation to the definition of a healthcare clearinghouse – which, in most instances only receives PHI when it is providing processing services to a health plan or healthcare supplier. This would make a healthcare clearinghouse a Business Associate (see “HIPAA Covered Entity vs Business Associate) instead of a Covered HIPAA Entity under the HIPAA Covered Entity definition.
Is an Employer a HIPAA Covered Entity?
One would consider a healthcare clearinghouse qualifies as a Covered Entity under HIPAA, an employer must also. An employer – especially an employer´s HR department – receives lots of personally identifiable information that is categorized as protected; but even when an employer sponsors a self-insured group health plan, the reply to “Is an employer a HIPAA Covered Entity?” is generally “No”.
The reason for this is due to the fact that a self-insured group health plan is considered to be a complete legal entity from the sponsoring employer. Therefore it is the group health plan and not the employer that is the Covered Entity under HIPAA – unless the employer also manages the group health plan and it has more than fifty participants. (This scenario does not happen often. Large plans are usually handled by a third party who acts as a Business Associate to the group health plan).
However, because PHI is sent to an employer in the execution of administrative functions on behalf of the group plan, certain conditions exist about the use and disclosure of the data. Among these conditions is that the information shared with the employer will remain secured (as per the HIPAA Privacy Rule) and not used-for employment-related actions. In effect, employers – although not Covered Entities – are policed by the same rules as a Covered HIPAA Entity in certain circumstances.
HIPAA Covered Entity Examples
In order to show some HIPAA Covered Entity examples, we have used the examples supplied by the Department of Health & Human Services. These examples are not thorough and are subject to change. Any group that does not appear among the following HIPAA Covered Entity examples, but believes they may be subject to HIPAA, should review the section at the end of the this article entitled “Is Your Organization a Covered HIPAA Entity?”
HIPAA Covered Entity Examples: Health Plans
HIPAA-covered health plans are typically plans that insure against the cost of health treatment, dental treatment, vision treatment or prescription drugs. Other HIPAA Covered Entity examples within the health plan section include health maintenance organizations (“HMOs”), long-term healthcare insurers (excluding nursing home fixed-indemnity policies) and – as referred to above – employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans.
HIPAA Covered Entity Examples: Healthcare Clearinghouses
In medical billing, healthcare clearinghouses are sent claims information from healthcare providers, check the claims for mistakes, and see to it that the format of each claim is compatible with the payer´s software. Healthcare clearinghouses, repricing companies, and community health management information systems are classified as HIPAA Covered Entity examples as their sole roles are PHI-related – an important point to remember before talking about “HIPAA Covered Entity vs Business Associate” below.
HIPAA Covered Entity Examples: Healthcare Providers
The HIPAA Covered Entity definition of a healthcare provider has not evolved since 1999 despite the healthcare industry evolving massively. Therefore HIPAA Covered Entity examples of healthcare providers remains “providers who submit HIPAA transactions electronically” – electronic transactions refers to claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Privacy or Security Rule.
HIPAA Covered Entity vs Business Associate
There have been many references to date in this article relating to Business Associates, and it is important to remember how the definitions of a HIPAA Covered Entity vs Business Associate differ. It was noted above that a healthcare clearinghouse is categorized as a HIPAA Covered Entity because its sole role is PHI-related. By comparison a Business Associate is an entity whose chief role is unrelated to PHI, but who has access to it in the provision of a service performed for a Covered HIPAA Entity.
Since the release of the Final Omnibus Rule in 2013, Business Associates are as much to blame for the security, or lack thereof, of any PHI they encounter as a Covered Entity under HIPAA. Before sharing PHI with a Business Associate, a Covered Entity should complete due diligence on the service provider and obtain a signed Business Associate Agreement setting out the permissible sharing of the PHI; but even without an Agreement in place, Business Associates can still be penalized if they are to blame for a breach of PHI occurring.
A similarity in a HIPAA Covered Entity vs Business Associate comparison is, if a Business Associate subcontracts services that includes an electronic exchange of PHI, the Business Associate also has to complete due diligence on the subcontractor. The Business Associate has to ensure the subcontractor complies with the Privacy and Security Rules and sign a Business Associate Agreement with the subcontractor, who then is to blame if a breach of PHI occurs.
When a Covered Entity under HIPAA Carries out Duties for another Covered HIPAA Entity
One very confusing aspect of HIPAA legislation is the different scenarios that occur when a Covered Entity under HIPAA works for – or provides a service for – another Covered HIPAA Entity. Under the HIPAA Privacy Rule there is no requirement for a Covered Entity to sign a Business Associate Agreement with another Covered Entity when PHI is being shared for treatment reasos – for example if a radiologist interprets diagnostic pictures for a local physician.
However, if a hospital (Covered Entity A) contracted the services of another hospital (Covered Entity B) to help with the training of medical students, it would be necessary for a Business Associate Agreement to be signed before Covered Entity A could share PHI to Covered Entity B. Similarly, if a healthcare clearinghouse was unable to format a claim so it is compatible with a payer’s software, it would have to sign a Business Associate Agreement with a healthcare clearinghouse that could format the claim.
It is important to add at this point that a staff member of a Covered HIPAA Entity is neither a Covered Entity under HIPAA nor a Business Associate. According to the American Hospitals Association: “Any person(s) whose conduct, in the performance of work for a Covered Entity, is under the direct control of such entity, whether they are paid by the Covered Entity or not”. This definition includes not only staff members, but also agency nurses, temporary workers and volunteers.
Is Your group a Covered HIPAA Entity?
Due to the many gray areas linked to HIPAA and Covered Entities, the Centers for Medicare & Medicaid Services have gathered an interactive tool that can help a group determine whether or not they are a Covered HIPAA Entity. Alternatively, for further details about HIPAA compliance, read this thorough guide to HIPAA, for more details about HIPAA’s objectives, and the Privacy, Security and Breach Notification Rules.