The term “HIPAA covered entity” wasn’t included in the Healthcare Insurance Portability and Accountability Act when it was enacted in August 1996. The term was first used in the proposed HIPAA Privacy Rule by HHS when it was released for public feedback in November 1999 and eventually published in December 2000.
The HIPAA Privacy Rule developed from the “Administrative Simplification Rule” of the original law. This Rule mandated the Secretary of the Department of Health & Human Services create a set of national standards for protecting certain health data. These standards determined what health information must be protected and by whom – HIPAA-covered entities.
HIPAA Covered Entity Defined
Initially, the definition of HIPAA covered entity seems clear-cut. A HIPAA-covered entity is defined by the Privacy Rule as any healthcare provider, health plan, or healthcare clearinghouse, that communicates Protected Health Information (or PHI) in digital format.
Looking deeper into that definition reveals some gray areas. For instance, insurance firms that give workers’ compensation aren’t considered health plans, even if they handle personally identifiable information in the process of settling the compensation claims of workers.
The definition of a healthcare clearinghouse is another gray area. A healthcare clearinghouse generally only obtains PHI for processing services for a healthcare provider or health plan. In this case, a healthcare clearinghouse becomes a Business Associate instead of a HIPAA-covered entity.
Is an Employer Considered a HIPAA Covered Entity?
If a healthcare clearinghouse can be considered a covered entity under HIPAA, then an employer may be too, especially if an employer – particularly its HR department – is provided with personally identifiable information. However, if an employer sponsors a self-insured group health plan, the employer is generally not considered a HIPAA covered entity.
The explanation for this is that a self-insured group health plan is deemed a different legal entity from the sponsoring employer. Consequently, the group health plan becomes the covered entity under HIPAA and not the employer, except if the employer likewise manages the group health plan which has over fifty members. (This circumstance seldom happens. Large plans are typically managed by a third party who serves as the group health plan’s business associate).
Nevertheless, since PHI is disclosed to an employer for administrative purposes on behalf of the group plan, there are particular conditions concerning allowable uses and disclosure of PHI. One condition is the protection of information shared with the employer (as per the HIPAA Privacy Rule) which cannot be used-for employment-related activities. Essentially, employers – though not covered entities – are limited by the same guidelines as a covered entity is in some situations.
Examples of HIPAA Covered Entity
The Department of Health & Human Services provides the following HIPAA covered entity examples. These examples aren’t comprehensive but they illustrate what is a covered entity under HIPAA.
When Health Plans are HIPAA Covered Entities
HIPAA-covered health plans are mainly plans that provide insurance against health treatment, vision treatment, dental treatment or prescription medicine costs. Other examples of HIPAA covered entity under the health plan category include:
- Health maintenance organizations (“HMOs”)
- Long-term medical insurers (not including nursing home fixed-indemnity policies)
- Employer-sponsored group health plans
- Government and church-sponsored health plans
- Multi-employer health plans
When Healthcare Clearinghouses are HIPAA Covered Entities
In relation to medical billing, healthcare clearinghouses obtain claims data from healthcare providers, check claims for mistakes, and confirm the format of every claim making sure it is appropriate for the payer’s software. Examples of HIPAA covered entities in this category include healthcare clearinghouses, repricing firms, and community health management information systems.
When Healthcare Providers are HIPAA Covered Entities
There has been no change in the definition of a healthcare provider since 1999 even though the healthcare industry has changed significantly since then. Hence HIPAA covered entity examples of healthcare providers are still providers of healthcare who conduct HIPAA transactions digitally. Digital transactions include claims, benefit eligibility queries, requests for referral authorization, and transactions for which HHS has set standards under the HIPAA Privacy or Security Rules.
HIPAA Covered Entity Versus Business Associate
There are a number of references in this article to business associates, so it is important to state the differences between a HIPAA covered entity and a business associate. It was mentioned previously that a healthcare clearinghouse is categorized as a HIPAA covered entity since its only function is PHI-associated. In contrast, a business associate is an entity whose major role is not related to PHI, but gets access to PHI in order to provide a service for a covered entity.
Since the Final Omnibus Rule was published in 2013, business associates are just as responsible for the protection of PHI they access as a covered entity under HIPAA. Prior to disclosing PHI to a business associate, it is the responsibility of a covered entity to research a service provider and get a signed Business Associate Agreement (BAA) establishing the allowable uses of PHI; however, even without a BAA in place, business associates will still be liable for fines for HIPAA violations.
A business associate will be like a HIPAA covered entity if it subcontracts services which involves a digital transfer of PHI. In such cases, it is the responsibility of a business associate to conduct research on the subcontractor and to make sure that the subcontractor follows the Privacy and Security Rules. There must be a Business Associate Agreement with the subcontractor, who would take responsibility for any breach of PHI that is their own fault.
What if a Covered Entity under HIPAA Works with Another HIPAA Covered Entity
One complex area of HIPAA legislation is when a HIPAA covered entity works with or offers services to another covered entity. As per the HIPAA Privacy Rule, the covered entity does not need to sign a BAA with another covered entity if it is sharing PHI for treatment reasons. However, when a hospital (Covered Entity A) contracts with another hospital (Covered Entity B) to provide services (for training medical students for example), a BAA will be required before Covered Entity A can share PHI with Covered Entity B. In the same way, in case a healthcare clearinghouse cannot prepare a claim in a format that works with a payer’s software, a BAA with a healthcare clearinghouse will be necessary before formatting the claim.
It is important to note that a covered entity’s employees are neither covered entities nor business associate under HIPAA. The American Hospital Association explains that any person(s) doing a job for a covered entity, is directly controlled by that entity, whether he/she is paid by the covered entity or not. This definition applies to employees, agency nurses, non permanent workers and volunteers.
How Do You Know if Your Organization is a HIPAA Covered Entity?
Because of the numerous gray areas pertaining to HIPAA and covered entities, an interactive tool has been developed by the Centers for Medicare & Medicaid Services which can help an organization determine if it is a covered HIPAA entity or not.