The term “HIPAA covered entity” did not appear in the Health Insurance Portability and Accountability Act when it was enacted in August 1996. It was first used by HHS in the proposed HIPAA Privacy Rule released for public comment in November 1999, and the final Privacy Rule was published in December 2000.
The HIPAA Privacy Rule grew out of the Administrative Simplification provisions of the original law. These provisions required the Secretary of the Department of Health & Human Services to develop national standards for protecting certain health information. The standards determine what health information must be protected and who must protect it: HIPAA covered entities.
HIPAA Covered Entity Defined
At first glance, the definition of a HIPAA covered entity seems clear-cut. The Privacy Rule defines a covered entity as any health plan, any healthcare clearinghouse, and any healthcare provider that transmits health information electronically in connection with a transaction for which HHS has adopted a standard. Note that health plans and clearinghouses are covered regardless of how they handle data; the electronic-transaction test applies only to providers.
Looking more closely at that definition reveals some gray areas. For instance, insurers that provide workers’ compensation coverage are not considered health plans, even though they handle individually identifiable health information when settling workers’ claims.
The definition of a healthcare clearinghouse is another gray area. A healthcare clearinghouse generally obtains PHI only to provide services for a healthcare provider or health plan. In that role, the clearinghouse is also acting as a business associate of the provider or plan, even though it remains a covered entity in its own right.
Is an Employer Considered a HIPAA Covered Entity?
Given how broadly “covered entity” can be read, one might expect an employer to qualify too, especially when the employer (typically its HR department) receives individually identifiable health information. However, even an employer that sponsors a self-insured group health plan is generally not a HIPAA covered entity.
The reason is that a self-insured group health plan is treated as a legal entity distinct from the sponsoring employer. The group health plan, not the employer, is therefore the covered entity. The exception is a plan that the employer administers itself and that has fifty or more participants; in that case the employer’s plan-administration staff are effectively operating as the covered entity. (This situation is uncommon: large plans are usually administered by a third-party administrator that acts as the group health plan’s business associate.)
Nevertheless, because PHI is disclosed to an employer for administrative purposes on behalf of the group health plan, specific conditions govern its permitted uses and disclosures. One condition is that information shared with the employer must be protected as required by the HIPAA Privacy Rule and must not be used for employment-related decisions. In practice, employers, although not covered entities themselves, are in some situations bound by the same restrictions as a covered entity.
Examples of HIPAA Covered Entity
The Department of Health & Human Services provides the following examples of HIPAA covered entities. The list is not exhaustive, but it illustrates what a covered entity under HIPAA is.
When Health Plans are HIPAA Covered Entities
HIPAA-covered health plans are mainly plans that pay for the cost of medical care, vision care, dental care, or prescription drugs. Other examples of covered entities in the health plan category include:
- Health maintenance organizations (“HMOs”)
- Long-term care insurers (excluding nursing home fixed-indemnity policies)
- Employer-sponsored group health plans
- Government and church-sponsored health plans
- Multi-employer health plans
When Healthcare Clearinghouses are HIPAA Covered Entities
In medical billing, healthcare clearinghouses receive claims data from healthcare providers, check the claims for errors, and reformat each claim so that it is compatible with the payer’s software. Examples of HIPAA covered entities in this category include billing services, repricing companies, and community health management information systems.
When Healthcare Providers are HIPAA Covered Entities
The definition of a healthcare provider has not changed since 1999, even though the healthcare industry has changed significantly since then. Covered healthcare providers are therefore still those that conduct electronically any transaction for which the Department of Health & Human Services has adopted a standard. Such transactions include claims, benefit eligibility inquiries, referral authorization requests, and payment and remittance transactions. A provider that conducts none of these transactions electronically is not a covered entity, however much PHI it handles.
HIPAA Covered Entity Versus Business Associate
This article refers to business associates several times, so it is worth stating the difference between a HIPAA covered entity and a business associate. As noted above, a healthcare clearinghouse is categorized as a covered entity because its core function is processing PHI. A business associate, by contrast, is an entity whose primary function is not necessarily related to PHI but which accesses PHI in order to provide a service for, or on behalf of, a covered entity.
Since the Final Omnibus Rule was published in 2013, business associates have been directly liable for protecting the PHI they access, just as covered entities are. Before disclosing PHI to a business associate, a covered entity must perform due diligence on the service provider and obtain a signed Business Associate Agreement (BAA) establishing the permitted uses of PHI. Even without a BAA in place, however, a business associate remains liable for penalties for HIPAA violations.
A business associate takes on covered-entity-like obligations when it subcontracts services that involve disclosures of PHI. In that case, the business associate must perform due diligence on the subcontractor and ensure that the subcontractor complies with the Privacy and Security Rules. A Business Associate Agreement with the subcontractor is required, and the subcontractor is responsible for any breach of PHI that results from its own failures.
What if a Covered Entity under HIPAA Works with Another HIPAA Covered Entity
One complex area of HIPAA is a covered entity working with, or providing services to, another covered entity. Under the HIPAA Privacy Rule, a covered entity does not need a BAA with another covered entity when it shares PHI for treatment purposes. However, when a hospital (Covered Entity A) contracts with another hospital (Covered Entity B) to provide services on its behalf (training medical students, for example), a BAA is required before Covered Entity A can share PHI with Covered Entity B. Similarly, if a healthcare provider cannot prepare a claim in a format compatible with a payer’s software and engages a healthcare clearinghouse to reformat it, a BAA with the clearinghouse is required before the claim is handed over.
It is important to note that a covered entity’s workforce members are neither covered entities nor business associates under HIPAA. As the American Hospital Association explains, anyone whose conduct in performing work for a covered entity is under that entity’s direct control is a member of its workforce, whether or not the covered entity pays them. This covers employees, agency nurses, temporary workers, and volunteers.
Summary: Who is a Covered Entity under HIPAA – and Who Isn’t
This article has given several examples of who is a covered entity under HIPAA, and some examples of entities one might expect to be covered but which are not, such as employers. There are several other exceptions that organizations should be aware of so that they neither unnecessarily withhold nor unintentionally disclose Protected Health Information.
As noted above, healthcare providers that conduct electronic transactions for which HHS has adopted standards are covered entities. A healthcare provider that bills patients directly, conducts none of the standard transactions electronically, and does not use a business associate to conduct billing on its behalf is not a covered entity under HIPAA, although it is likely subject to state privacy and security laws. A counselor who charges patients session by session would be an example of such a case.
Insurers that pay for healthcare treatment only as a secondary feature of another insurance product, such as auto insurance, are also not covered entities under HIPAA. Therefore, if a hospital requests an eligibility check before treating you after an accident, the information the hospital sends to the auto insurer is not protected by the Privacy or Security Rule once it is in the insurer’s hands, and you have no rights under HIPAA to review or correct it.
Finally, banks, credit card companies, and payment processors such as PayPal are not covered entities under HIPAA; the statute specifically excludes financial institutions’ payment-processing activities. Most financial institutions are subject to other privacy and security requirements (for example, the Gramm-Leach-Bliley Act), but not all are, and it is worth explaining to patients the risks of paying through processors such as PayPal that share consumer data with third parties for advertising and marketing purposes.
How Do You Know if Your Organization is a HIPAA Covered Entity?
Because of the many gray areas surrounding HIPAA covered entities, the Centers for Medicare & Medicaid Services has developed an interactive decision tool to help an organization determine whether it is a HIPAA covered entity. Organizations that are covered entities should also conduct a HIPAA risk assessment at least annually, as the Security Rule requires a risk analysis to be performed and kept up to date.