HIPAA is known by many, but who is actually covered by HIPAA? Is everyone who has any health-related data required to be HIPAA compliant? How does an organization know if they are a HIPAA-Covered Entity? We will discuss the answers to these questions here.
When it was originally enacted in 1996, Health Insurance Portability and Accountability Act did not actually include a definition of a “Covered Entity” (that is, any organization required to be HIPAA-compliant). The definition was only added to the act with the Privacy Rule in 2002, which also established how and when protected health information (PHI) could be used.
According to HIPAA, a Covered Entity is any health plan, healthcare organization, or healthcare clearinghouse that handles PHI in electronic form (ePHI). This, however, is misleading, as all PHI is protected under HIPAA, not just those that are electronically stored and transmitted.
Healthcare clearinghouses are businesses that receive and process claims from healthcare providers. This also applies to any community health management information systems and repricing companies, as their primary role is to handle PHI.
Health plans cover any insurance company that covers health-related expenses (including vision and dental). Health maintenance organizations (HMOs) are also HIPAA-covered, as are employer-, government-, and church-sponsored health plans.
Covered Entities will often engage third parties to perform specific tasks using PHI that cannot be completed in-house. However, before doing so, CEs must enter into a Business Associate Agreement (BAA) with the party, rendering them Business Associates. This BAA will outline the responsibilities of the BA in relation to the use and protection of any PHI they will handle. This will include how and when PHI can be disclosed, what should happen if a HIPAA violation is detected, and how PHI should be disposed of at the end of the BAA.
If the BA themselves contracts another vendor to complete a task that uses PHI, they must also enter into a BAA with this vendor.
As much as it is important to know who is covered by HIPAA, it is also essential to know who is not covered. Employers, for example, are not covered, even though they may be able to access sensitive information (which would have significant overlap with PHI). This is because this sensitive information is only protected by HIPAA when it is used in a HIPAA-covered transaction and relates to the past, present, or future health condition of an individual. Covered transactions include claims for health insurance payments or referrals for treatment.
So, in summary, HIPAA defines Covered Entities as any health plan, healthcare organization, or healthcare clearinghouse that handles PHI in electronic form (ePHI). However, all PHI is protected under HIPAA, so long as it is used in a HIPAA-covered transaction.