The term HIPAA Covered Entities is most often defined as health plans, healthcare clearinghouses, and healthcare providers that are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. However, not all health plans and healthcare providers are Covered Entities, and – in some circumstances – entities beyond the definition of Covered Entities are required to comply with the HIPAA Rules.
Most health plans, healthcare clearinghouses, and healthcare providers that transmit Protected Health Information (PHI) electronically to carry out financial or administrative activities related to healthcare are required to comply with HIPAA. These are known as HIPAA Covered Entities, but there are exceptions to this definition.
Exceptions to the definition of HIPAA Covered Entities exist because some health plans are exempt from the HIPAA requirements (i.e., self-funded and self-administered employer health plans with fewer than 50 participants), and some healthcare providers do not transmit PHI electronically (e.g., rural ambulance services).
There are also times when other entities and third-party service providers are required to comply with HIPAA in some or all of their operations. Other entities include partial, hybrid, and certified entities, while third-party service providers with whom PHI is shared are more frequently known as Business Associates. To further complicate the definition, there are also Affiliated HIPAA Covered Entities.
Partial, Hybrid, and Certified Entities
Partial Covered Entities are organizations required to comply with a specific part – or specific parts – of HIPAA. An example of a partial Covered Entity is a prescription drug card sponsor who – under § 1860D-31 of the Medicare Prescription Drug, Improvement, and Modernization Act (MMA Act) – is required to comply with the Privacy Rule in respect of marketing activities.
A hybrid entity is an organization whose activities include both covered and non-covered functions – for example, a university hospital that treats students (whose medical records are protected by FERPA) and non-students (whose medical records are protected by HIPAA). In this circumstance, there must be a separation between covered and non-covered functions.
The term certified entities most often applies to employers who administer self-insured health plans. Because the employer and the health plan are two separate legal entities, the employer is required to certify that PHI shared for the purpose of administering the health plan will not be used for employment-related activities – e.g., denying an employee promotion.
HIPAA Business Associates
HIPAA Business Associates are individuals, organizations, or agencies who perform functions or activities on behalf of – or who provide services to – Covered Entities. When the functions, activities, or services involve the use or disclosure of PHI, Business Associates are required to comply with the Security and Breach Notification Rules and some sections of the Privacy Rule.
Business Associates are not necessarily individuals, organizations, or agencies that normally operate outside the health care industry (e.g., software vendors, accountants, and attorneys). HIPAA Covered Entities can be Business Associates of other HIPAA Covered Entities – in which case it is necessary for both parties to sign a Business Associate Agreement.
It is important to be aware that, unlike most contracts, a Business Associate Agreement does not necessarily indemnify HIPAA Covered Entities for breaches of PHI attributable to the non-compliance of the Business Associate. If a Covered Entity fails to obtain “satisfactory assurances” that a Business Associate is HIPAA-compliant prior to entering into an agreement, and a breach of unsecured PHI subsequently occurs, the Covered Entity may be considered liable for the breach.
Affiliated HIPAA Covered Entities
In addition to partial, hybrid, and certified entities, it is also possible to have Affiliated Covered Entities. An Affiliated Covered Entity is a group of legally separate entities that are affiliated into a single HIPAA Covered Entity as a result of there being some common ownership or control of the legally separate entities. This has the following advantages:
- The group only needs to appoint one HIPAA Privacy Officer.
- The group only needs to appoint one HIPAA Security Officer.
- The group can use the same Notice of Privacy Practices.
- The group only has to develop one set of HIPAA policies.
- The group can provide the same training programs.
- The group shares one security risk analysis and risk management plan.
Affiliated HIPAA Covered Entities are similar to Organized Health Care Arrangements (OHCAs) inasmuch as legally separate entities can benefit from group arrangements. The primary difference between the two is that an Affiliated HIPAA Covered Entity is under common ownership or control, while an OHCA is comprised of separately owned or controlled entities.