What Are Covered Entities Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates?

Covered Entities Under HIPAA

Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103).

Transactions include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization.

Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs.

Healthcare clearinghouses are organizations that process nonstandard health information and convert data into types that conform to the standards outlined in the HIPAA administrative simplification regulations.

Healthcare providers include hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and other providers of healthcare that transmit health information electronically.

HIPAA also applies to business associates of HIPAA-covered entities and their subcontractors.

What is a Business Associate?

A business associate can be an individual or company that provides services to a HIPAA-covered entity which requires them to have access to, store, use, or transmit protected health information. The list of business associates is long, and the range of companies included under the definition of business associate is diverse.

Business associates of HIPAA covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms (for both electronic and physical records), EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.

Prior to a business associate being given PHI, or access to systems containing PHI, they must enter into a HIPAA-compliant business associate agreement with the covered entity. A business associate agreement is a contract in which the responsibilities of the business associate with respect to HIPAA and PHI are described.

Penalties for Noncompliance with HIPAA Rules

Covered entities under HIPAA, and business associates that have signed a BAA with a covered entity, must comply with HIPAA Rules. The failure to comply with any aspect of HIPAA can result in financial penalties. The penalties for HIPAA violations increase each year to account for inflation; as of April 2022, the maximum penalty for a HIPAA violation is $63,973 per incident, up to a maximum of $1,919,173 per violation category, per year.

If HIPAA violations have been allowed to persist for several years, or if multiple violations of HIPAA Rules are discovered, multi-million-dollar fines are possible. Criminal penalties are also possible for certain HIPAA violations.

Covered Entities under HIPAA FAQs

Is a school that provides healthcare services for students a HIPAA Covered Entity?

Although there are some cases in which higher education institutions can be “hybrid entities”, most public schools that provide healthcare services for students are not HIPAA Covered Entities because student health information is classified as “education records” under the Family Educational Rights and Privacy Act (FERPA). As FERPA pre-empts HIPAA, student health information is not Protected Health Information under HIPAA, and therefore schools are not HIPAA Covered Entities.

Are employers Covered Entities under HIPAA if they maintain employee health records?

Generally, employers are not Covered Entities under HIPAA because employee health records maintained by an employer are not used for HIPAA-covered transactions (i.e., a request to a health plan for payment in respect of the provision of healthcare). An employer could be regarded as a “partial entity” if it operates a self-insured health plan; and, in this case, the employer would have to implement safeguards to ensure PHI is not used for work-related operations and activities.

When might state laws affect who is a Covered Entity under HIPAA?

A Covered Entity will always be a Covered Entity under HIPAA, but some states have passed legislation which provides a different definition of a Covered Entity under the state law. The best example of this is in Texas, where the Medical Records Privacy Act classifies every organization or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits health information in any form as a Covered Entity – including schools and employers.

Does a Covered Entity have to sign a Business Associate Agreement to use Gmail?

A Covered Entity has to sign a Business Associate Agreement with every organization to whom PHI is disclosed. Therefore, if PHI is disclosed in an email sent from a Gmail account (not to a Gmail account), a Business Associate Agreement has to be in place. Most Covered Entities will not use Gmail as their email provider, but they may use other Google Workspace services (e.g., Drive, Chat, Sheets) for which a Business Associate Agreement will be necessary before PHI is disclosed.

When might a criminal penalty be imposed on a Covered Entity?

To date, the penalties imposed on Covered Entities have been civil penalties. The only criminal penalties for violations of HIPAA have been imposed on the individuals responsible for the violations; and, although these are rare, there have been cases in which employees of Covered Entities have been sentenced to up to six years in jail. Nonetheless, in extreme circumstances of willful neglect, it is possible that the Office for Civil Rights would refer a case to the Department of Justice.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.