The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates?
Covered Entities Under HIPAA
Covered entities under HIPAA are individuals or organizations that transmit health information in electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard (see the definitions in 45 CFR 160.103).
Standard transactions include healthcare claims, payment and remittance advice, healthcare claim status, coordination of benefits, enrollment and disenrollment in a health plan, eligibility checks, healthcare electronic funds transfers, and referral certification and authorization.
Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs.
Healthcare clearinghouses are organizations that process nonstandard health information received from another entity into a standard format that conforms to the HIPAA administrative simplification regulations, or that convert standard transactions back into nonstandard formats.
Healthcare providers include hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and other providers of healthcare that transmit health information electronically.
HIPAA also applies to business associates of HIPAA-covered entities and their subcontractors.
What is a Business Associate?
A business associate is an individual or company that performs a function or provides a service for a HIPAA-covered entity that requires it to create, receive, access, store, use, or transmit protected health information (PHI) on the covered entity's behalf. The list of business associates is long, and the range of companies that fall under the definition is diverse.
Business associates of HIPAA-covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms (electronic and physical records), EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.
Before a business associate is given PHI, or access to systems containing PHI, it must enter into a HIPAA-compliant business associate agreement (BAA) with the covered entity. A business associate agreement is a contract that sets out the business associate's responsibilities with respect to HIPAA and the PHI it handles, including the safeguards it must apply and its obligations to report breaches.
Penalties for Noncompliance with HIPAA Rules
Covered entities under HIPAA, and business associates that have signed a BAA with a covered entity, must comply with the HIPAA Rules. Failure to comply with any aspect of HIPAA can result in financial penalties. The statutory maximum penalty for a HIPAA violation is $50,000 per violation, up to an annual maximum of $1.5 million for violations of an identical provision; these figures are adjusted for inflation each year.
If HIPAA violations have been allowed to persist for several years, or if multiple violations of the HIPAA Rules are discovered, multi-million-dollar fines are possible. Criminal penalties are also possible for certain HIPAA violations, such as knowingly obtaining or disclosing PHI in violation of the law.