The Health Insurance Portability and Accountability Act was established in 1996 with a variety of objectives. Though one of its primary goals was to give expand access to health insurance and introduce tax reforms, it has now become synonymous with health data privacy. HIPAA, and the subsequent rules that were added to it over the years, stipulate how a patient’s sensitive information (termed “Protected Health Information” in the context of HIPAA) can be used, who can access it, what the minimum technical, physical, and administrative safeguards are required to protect it, among other things. However, not all organizations that handle patient data are covered by the Act, begging the question – what is a Covered Entity under HIPAA?
HIPAA Covered Entities are organizations, agencies, and individuals that must comply with HIPAA (including the Privacy, Security, Breach Notification, and Omnibus Final Rule). The Department for Health and Human Services (DHSS) defines Covered Entities as healthcare providers, health plans, and healthcare clearinghouses that electronically transmit PHI to carry out specific services related to financial and administrative transactions for which the DHSS has established a standard. These include benefit eligibility inquiries, claims, or referral authorization requests.
Examples of each organization are given as follows:
- Healthcare Providers including doctors, nurses, nursing homes, psychologists, dentists, pharmacies etc.
- Health Plans including health insurance companies, HMOs, government health plans etc.
- Healthcare clearinghouses that process nonstandard information from another entity into a standard (e.g. into a standard electronic format)
This may be a confusing definition, particularly because the definition only specifies “electronic” information. In this day and age, this will include the vast majority of the organizations listed above, particularly because the definition simply requires that any PHI be electronically transmitted. It is important to note that, under HIPAA, all PHI is protected, regardless of its format.
There are different types of Covered Entities. A Hybrid Entity, for example, carries out a mix of activities, only some of which are covered by HIPAA. A dentist that is based in a university for three days of the week, for example, would be covered by FERPA for those activities, and by HIPAA for their remaining activities.
Partial Covered Entities, by contrast, only have to comply with specific parts of HIPAA. Employers that operate a self-insured health plan may be considered a Partial Covered Entity, as only the activities related to this plan are subject to HIPAA. Technically, the health plan and the employer are two separate entities. The employer would need to ensure that the PHI is not used for any other purposes.
Covered Entities should ensure that all of their employees, volunteers, or students, are adequately trained in HIPAA so that they are aware of their duties under HIPAA and what penalties are in place for non-compliance.