HIPAA Covered Entity

What is a HIPAA Covered Entity? Everything you need to know about them.


The term 'HIPAA Covered Entity' does not appear in the Health Insurance Portability and Accountability Act itself, which became law in August 1996. It first appeared in the proposed HIPAA Privacy Rule put forward by the Department of Health and Human Services (HHS). The proposed rule was published for public comment in November 1999 and, after amendment, the final rule was published in December 2000. The Privacy Rule stems from the Administrative Simplification provisions of the original legislation, which directed the Secretary of Health and Human Services to establish nationwide standards for safeguarding certain health information. Those standards defined the scope of the health information to be protected and identified the entities responsible for protecting it, which the rule calls Covered Entities.

Defining Covered Entities under HIPAA Guidelines

At first glance the definition of a HIPAA Covered Entity seems clear-cut. The Privacy Rule (45 CFR 160.103) defines a Covered Entity as a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a transaction for which HHS has adopted a standard. Note that the electronic-transmission test applies only to providers; health plans and clearinghouses are Covered Entities by definition. Looking more closely, however, the definition has some ambiguous edges. For instance, an insurer that provides workers' compensation coverage handles individually identifiable health information when settling claims, yet workers' compensation policies are excluded from the Privacy Rule's definition of a health plan, so such insurers are not Covered Entities on that basis.

There is also some confusion about how a healthcare clearinghouse is classified. A clearinghouse is a Covered Entity by definition, but in practice it usually handles protected health information (PHI) only while performing processing services for a health plan or healthcare provider. In that role it is simultaneously a Business Associate of the plan or provider it serves, and under 45 CFR 164.500(b) it is subject to only a limited set of the Privacy Rule's provisions when acting in that capacity. A clearinghouse is therefore both a Covered Entity and, for most of its work, a Business Associate.

Does an Employer Qualify as a HIPAA Covered Entity?

If a healthcare clearinghouse qualifies as a Covered Entity, one might assume that employers do too. Employers, and their HR departments in particular, handle a great deal of personally identifiable information, including health information. Even so, an employer is generally not a HIPAA Covered Entity, even when it sponsors a self-insured group health plan, because the group health plan is treated as a legal entity separate from the employer. It is the group health plan, not the employer, that is the Covered Entity. The one exception runs the other way: a plan with fewer than fifty participants that the employer administers itself falls outside the Privacy Rule's definition of a group health plan altogether. Larger self-administered plans are uncommon, since most are administered by third parties acting as Business Associates of the plan. Nevertheless, because the employer receives PHI when performing administrative functions on behalf of the plan, conditions apply to how it may use and disclose that information: the plan documents must require that PHI shared with the employer be protected in accordance with the Privacy Rule and not be used for employment-related actions or decisions. In short, although employers are not Covered Entities, there are circumstances in which they must follow the same rules as one.

Examples of Health Plans as HIPAA Covered Entities

HIPAA-covered health plans are primarily those that provide or pay for medical, dental, vision, and prescription drug coverage. The category also includes health maintenance organizations (HMOs), long-term care insurers (excluding nursing-home fixed-indemnity policies), employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.

Examining Examples of HIPAA Covered Entities: Healthcare Clearinghouses

Healthcare providers submit claims to healthcare clearinghouses for processing as part of medical billing. The clearinghouse checks each claim for errors and converts it into the format the payer's systems accept. Healthcare clearinghouses, along with billing services, repricing companies, and community health management information systems, are the examples of this class of Covered Entity named in the Privacy Rule. They are Covered Entities because their whole function consists of processing protected health information (PHI), a point worth keeping in mind before comparing 'HIPAA Covered Entity vs Business Associate'.

Healthcare Providers as Instances of HIPAA Covered Entities

The definition of a healthcare provider as a HIPAA Covered Entity has not changed since the Privacy Rule was first proposed in 1999, despite major changes in how healthcare is delivered. A healthcare provider is a Covered Entity only if it transmits health information electronically in connection with a HIPAA standard transaction. These transactions include claims, benefit eligibility inquiries, referral authorization requests, claim status inquiries, and the other transactions for which HHS has adopted standards under the HIPAA Transactions and Code Sets Rule (45 CFR Part 162); the Privacy and Security Rules govern how PHI is handled, not which transactions are standardized. A provider that bills only on paper, for example, is not a Covered Entity, but it becomes one as soon as it, or a billing service acting on its behalf, sends a standard transaction electronically.

Differentiating Between HIPAA Covered Entities and Business Associates

This article refers to Business Associates several times, so the distinction between a HIPAA Covered Entity and a Business Associate needs to be clear. As noted above, a healthcare clearinghouse is a Covered Entity because processing Protected Health Information (PHI) is its core function. A Business Associate, by contrast, is a person or organization that creates, receives, maintains, or transmits PHI while performing a function or service on behalf of a Covered Entity, where handling PHI is incidental to the service rather than the organization's own healthcare activity. Since the Final Omnibus Rule of 2013, Business Associates are directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them, rather than being bound only through contract. Before disclosing PHI to a Business Associate, a Covered Entity should perform due diligence on the service provider and obtain a signed Business Associate Agreement that sets out the permitted uses and disclosures of the PHI. A Business Associate that handles PHI without an agreement in place is still a Business Associate and can still be penalized for a breach. The obligations flow downward in the same way: if a Business Associate subcontracts services that involve creating, receiving, maintaining, or transmitting PHI, the subcontractor is itself a Business Associate. The Business Associate must conduct due diligence on the subcontractor and sign a Business Associate Agreement with it. That agreement makes the subcontractor responsible for its own compliance with the Privacy and Security Rules, but it does not relieve the Business Associate of its own obligations.

When one HIPAA Covered Entity Works for Another HIPAA Covered Entity

The complexity of HIPAA becomes particularly evident in the scenarios that arise when one Covered Entity works for or provides services to another. Under the Privacy Rule, a Covered Entity does not need a Business Associate Agreement to share Protected Health Information (PHI) with another Covered Entity for treatment purposes. For example, a radiologist interpreting diagnostic images for a local physician needs no agreement. However, if one hospital (Covered Entity A) engages another hospital (Covered Entity B) to help train its medical students, a Business Associate Agreement must be in place before Covered Entity A discloses PHI to Covered Entity B, because B is performing a function on A's behalf rather than treating A's patients. Similarly, if a healthcare clearinghouse cannot format a claim for a particular payer's systems and passes it to a second clearinghouse that can, the two must sign a Business Associate Agreement. Note that members of a Covered Entity's or Business Associate's workforce are not Business Associates in their own right. The Privacy Rule (45 CFR 160.103) defines the workforce as employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the entity, is under its direct control, whether or not they are paid. Agency nurses, temporary workers, and volunteers are therefore treated as part of the Covered Entity rather than as separate entities.

Is Your Organization Considered a HIPAA Covered Entity?

Use the Covered Entity Decision Tool to find out whether your organization is a covered entity under the Administrative Simplification provisions of HIPAA.
